Skip to main content

Access Control

Access Control

Identity and role prerequisites. This route is discoverable before identity endpoints are available but does not simulate RBAC writes.

Access model blocked

Pending

Identity and role APIs are still planned for this environment. Mutation controls remain disabled until the prerequisites below are live.

Identity status: unavailable — waiting for GET /api/v1/identity

Role catalog status: unavailable — waiting for GET /api/v1/roles

Safe path: Users and roles for current live operator mapping. Endpoint diagnostics for blocker status.

Identity missing

Blocked

Without an identity payload, the frontend cannot establish who is permitted to approve retry, cancel, or policy actions.

Required: GET /api/v1/identity

Open troubleshooting runbook to document the missing identity contract.

Role payload missing

Blocked

Without a role catalog, permission boundaries for escalation, security edits, and run intervention remain non-authoritative.

Required: GET /api/v1/roles

Required: PATCH /api/v1/roles/{id}

Keep mutation controls disabled and route operators to endpoint diagnostics.

Risk surface matrix

Why access controls stay blocked until identity contracts are live.

Retry run

high

Could relaunch evaluation with insufficient operator approval scope.

Prerequisite: GET /api/v1/identity and GET /api/v1/roles must confirm retry authority.

Cancel run

high

Could terminate an active run without an attributable operator identity.

Prerequisite: GET /api/v1/identity and GET /api/v1/roles must confirm cancellation authority.

Edit role

critical

Could widen permissions without an auditable source-of-truth role payload.

Prerequisite: GET /api/v1/roles and PATCH /api/v1/roles/{id} are required before any write.

Edit integrations

high

Could expose credential or rotation controls to an unverified role profile.

Prerequisite: Identity and role contracts must be available before enabling mutation controls.

Migration checklist

Steps required before access controls can be enabled.

1

Add identity endpoint

Return the active operator identity plus effective role hints.

GET /api/v1/identity

2

Add roles catalog endpoint

Return auditable role definitions and assignments.

GET /api/v1/roles

3

Add role patch endpoint

Implement conflict and audit semantics before enabling any write control.

PATCH /api/v1/roles/{id}

Track contracts in endpoint diagnostics and keep the operational fallback in Users and roles.