feat(permission): add AssignRole/AssignAdditionalPrivileges with conditions for Members, Identities, and Groups

[victorvhs017]

Context

This PR refactors project RBAC by introducing granular privilege actions and condition-based permission rules for Members, Identities, and Groups.

Before: Only GrantPrivileges existed, with no conditions or subject/action scoping.

After:

• New actions: AssignRole (role assignment) and AssignAdditionalPrivileges (subject:action scoping)
• Conditions: Member (email, role, subject, action), Identity (identityId, role, subject, action), Groups (groupName, role)
• Legacy: GrantPrivileges is deprecated; it cannot be combined with AssignRole or AssignAdditionalPrivileges
• Validation: Subject:action format ({subject}:{action}), forbidden subjects, and assignable subject allow-lists
• Additional privileges: Validation that the actor can grant each subject/action in the requested permissions

Screenshots

In the video below, I show all the new Actions set in a role called "test". Then I switch to another browser where I have a user with this test role. Check how the conditions set for him change what he can and cannot do regarding roles and additional privileges of Users, Machine Identities, and Groups.

Screenshare.-.2026-03-05.8_23_54.PM.mp4

Steps to verify the change

1. UI – allow/forbid:

   • Create/edit role with Member, Identity, and Group permissions.
   • Add conditions (email, role, subject, action) and verify allow/forbid behavior.
   • Confirm invalid combinations (e.g., Grant Privileges + Assign Role) are rejected.

2. Legacy actions:

   • Create/edit role with GrantPrivileges only.
   • Ensure existing roles that use GrantPrivileges still work.
   • Confirm Grant Privileges + Assign Role / Assign Additional Privileges is blocked.

3. API – user:

   • Create/update member/group memberships with AssignRole and AssignAdditionalPrivileges.
   • Verify condition-based restrictions (e.g., subject:action scoping).

4. API – machine identity:

   • Same flows for identities via AssignRole and AssignAdditionalPrivileges.
   • Verify condition validation and subject/action scoping.

Type

• Fix
• Feature
• Improvement
• Breaking
• Docs
• Chore

Checklist

• Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
• Tested locally
• Updated docs (if needed)
• Read the contributing guide

[maidul98]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[greptile-apps]

Greptile Summary

This PR introduces granular privilege actions (AssignRole and AssignAdditionalPrivileges) and condition-based permission rules for Members, Identities, and Groups, replacing the broad GrantPrivileges legacy action. The refactor is well-structured: conditions are schema-validated, backward-compatibility with GrantPrivileges is maintained, the permission-service.ts fix correctly populates role.name/slug for preset roles so downstream guards work, and the hasDetailedConditions path properly prevents empty-payload authorization bypasses.

Key items worth addressing before merge:

• no-access role handling inconsistency — project-membership-user-factory.ts CREATE does not skip validation for the no-access role, while project-membership-identity-factory.ts and project-membership-group-factory.ts do. Now that the role.name fix makes those guards functional, assigning no-access to users incorrectly requires AssignRole/GrantPrivileges, while doing the same for identities and groups does not.
• Misleading error messages — When both AssignRole and the GrantPrivileges fallback fail, the error message always reports assign-role (hardcoded in constructPermissionErrorMessage), even though the last-checked action and its missingPermissions details may reflect grant-privileges. This affects all three membership factories.
• actorId naming in $validateAdditionalPrivilegesGuard — The parameter refers to the target entity (user/identity being modified), but the name actorId is conventionally reserved for the calling actor in this codebase, which can mislead future maintainers.
• Unsafe permissions as TPermissionRule[] cast — The cast proceeds without confirming the value is actually an array, risking a confusing runtime error if upstream schema validation ever allows a non-array shape.

Confidence Score: 3/5

• PR is mostly safe but has a behavioral inconsistency in no-access role handling for user memberships and misleading error messages that should be addressed before merge.
• The core privilege-boundary logic is sound and backward-compatible. The main concerns are: (1) a logic inconsistency where assigning the no-access role to users incorrectly requires AssignRole/GrantPrivileges while identity/group paths correctly skip that check, (2) error messages that conflate AssignRole and GrantPrivileges action names, and (3) minor naming/safety issues in the shared validation helper. None of these are exploitable security vulnerabilities, but the no-access discrepancy is a real behavioral regression for existing users who only hold the Edit permission on Members.
• Pay close attention to backend/src/services/membership-user/project/project-membership-user-factory.ts (missing no-access guard) and backend/src/services/additional-privilege/project/project-additional-privilege-factory.ts (actorId naming, unsafe cast).

Important Files Changed

Filename	Overview
backend/src/ee/services/permission/project-permission.ts	Adds AssignRole/AssignAdditionalPrivileges actions to Member, Identity, and Group enums; introduces MemberConditionSchema, updated IdentityManagementConditionSchema, and GroupConditionSchema with new subject/action condition fields; adds ActionAllowedConditions map scoping which conditions are permitted per action. Validation logic (refineSubjectActionConditions, validateAssignableActionFormat) is well-structured and reused via the shared refineSubjectActionConditions helper. Changes look correct.
backend/src/ee/services/permission/permission-fns.ts	Extends checkForInvalidPermissionCombination to block mixing GrantPrivileges with AssignRole/AssignAdditionalPrivileges. Adds optional subjectFields parameter to validatePrivilegeChangeOperation, enabling CASL subject-with-fields checks in the new privilege system. Logic is sound; the subject() call correctly falls back to the bare subject when no fields are provided.
backend/src/services/additional-privilege/project/project-additional-privilege-factory.ts	Major refactor: introduces checkPermissionConditions, hasUnrestrictedGrantPrivileges, validateGrantPrivilegeSubjectActionConditions, and the shared $validateAdditionalPrivilegesGuard helper for both CREATE and UPDATE paths. The actorId naming in $validateAdditionalPrivilegesGuard refers to the target entity (not the caller), which is confusing. The permissions parameter is cast to TPermissionRule[] without a runtime array check. Logic for the hasDetailedConditions branch correctly prevents empty-payload bypasses.
backend/src/services/membership-user/project/project-membership-user-factory.ts	CREATE guard gains an unconditional optimization (skip per-user loop if unrestricted), UPDATE guard now includes per-user subject fields. The user CREATE path is missing the no-access guard present in identity/group factories, which means assigning no-access requires AssignRole/GrantPrivileges for users but not identities or groups — likely unintentional inconsistency.
backend/src/services/membership-group/project/project-membership-group-factory.ts	Adds groupDAL dependency and fetches group details for condition-based role checks. Both CREATE and UPDATE guards follow the unconditional → conditional → legacy fallback pattern correctly. The error message always reports AssignRole even when the GrantPrivileges fallback was the last failing check, which can be confusing to callers.
backend/src/services/membership-identity/project/project-membership-identity-factory.ts	CREATE and UPDATE guards now check AssignRole with conditional identity fields (identityId, role slug) and fall back to GrantPrivileges. The NoAccess guard is correctly preserved in CREATE. Same error message inconsistency (always reports AssignRole) as in the group factory.
backend/src/ee/services/permission/permission-service.ts	Adds role: { name: el.name, slug: el.name } for preset roles in getProjectPermissionByRoles, fixing the broken role.name guard in downstream consumers and enabling slug-based condition checks for built-in roles.
backend/src/ee/services/permission/default-roles.ts	Additive only: adds AssignRole and AssignAdditionalPrivileges to the admin role for Member and Identity, and AssignRole to the admin role for Groups. No breaking changes; existing roles are unchanged.
docs/internals/permissions/project-permissions.mdx	Documents the new AssignRole and AssignAdditionalPrivileges actions for Members, Identities, and Groups, plus the deprecation notice for GrantPrivileges. Documentation is present and covers the new feature.
backend/src/server/routes/index.ts	Wires userDAL and identityDAL into the project additional privileges factory — straightforward dependency injection, no issues.

Comments Outside Diff (3)

1. backend/src/services/additional-privilege/project/project-additional-privilege-factory.ts, line 748 (link)

   actorId refers to the target entity, not the calling actor

   The parameter actorId (and the actorType alongside it) inside $validateAdditionalPrivilegesGuard refers to the target entity whose privileges are being created or updated — not the calling actor that is performing the operation. Throughout the rest of this codebase, actor consistently means the identity making the request (see OrgServiceActor, dto.permission). Reusing the same term for the target leads to immediate confusion, especially when both concepts appear in the same function body:

   // actorId is the CALLING actor in dto.permission, but…
   const membership = memberships.find(
     (el) => el[actorType === ActorType.IDENTITY ? "actorIdentityId" : "actorUserId"] === actorId
     //                                                                               ^^^^^^^^ this is the TARGET
   );

   Consider renaming the parameter to targetActorId / targetActorType so readers can immediately tell which side of the permission check they're looking at.

   _{Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!}

2. backend/src/services/membership-user/project/project-membership-user-factory.ts, line 88-97 (link)

   no-access role included in privilege validation for user CREATE — inconsistent with identity/group factories

   In project-membership-identity-factory.ts and project-membership-group-factory.ts, the CREATE guard wraps the entire validation block with:

   if (permissionRole?.role?.name !== ProjectMembershipRole.NoAccess) {
     // validation ...
   }

   This guard is now functional because permission-service.ts was fixed to populate role: { name: el.name, slug: el.name } for preset roles.

   In contrast, this user CREATE path has no such guard: when no-access is included in dto.data.roles, the code proceeds to check whether the calling actor has AssignRole/GrantPrivileges on Member for it — even though assigning the no-access role grants no privileges and should require no boundary check. An actor with only Edit on Member (but not AssignRole/GrantPrivileges) could assign no-access to identities and groups but not to users, which is confusing and likely unintentional.

3. backend/src/services/additional-privilege/project/project-additional-privilege-factory.ts, line 623 (link)

   Unsafe as TPermissionRule[] cast without runtime type guard

   permissions arrives as unknown (from dto.data.permissions) and is immediately cast:

   const permissionRules = permissions as TPermissionRule[];

   The for...of loop below assumes this is iterable and that each element has .subject, .action, and .conditions properties of the expected shapes. If permissions is ever an object (not an array) or contains entries with unexpected shapes, this will either throw a confusing runtime error or silently skip validation.

   Since the value comes from user-supplied DTO data that has presumably been validated by a Zod schema upstream, this is low-risk in the happy path. However, adding a simple runtime guard (if (!Array.isArray(permissions))) before the cast and loop would make the failure mode explicit and predictable rather than a silent mismatch.

_{Last reviewed commit: ca2dd61}

[victorvhs017]

@greptileai re-review and update the summary

[victorvhs017]

@greptileai re-review and update the summary

[victorvhs017]

@greptileai re-review and update summary

[victorvhs017]

@greptileai re-review and update the summary

[victorvhs017]

@greptileai re-review and update summary

[linear]

SECRETS-23 Add role-based conditions to access control policy for actions

ENG-4662 Scope access for User Management “Assume Privilege” action

[akhilmhdh]

Pending application testing

[akhilmhdh]

Instead of memoing permission each time - why not a single memo for the whole thing and return a object contains all the properties

[victorvhs017]

Just to clarify, do you mean having all these 3 useMemos, for example:

In one big useMemo that returns 3 objects?

If that's the suggestion, I don't think it's a good optimization due to the dependency arrays being different.

[akhilmhdh]

Same comment - instead of memoing permission each time, one single memo with various props as keys

[akhilmhdh]

Like wise everywhere we are doing memo

[akhilmhdh]

Just some minor ux issues in application testing. Rest looks good @victorvhs017

One main one is error message for assign role. The additional privilege one has spot on error message. The assign role is a bit misleading

[akhilmhdh]

Application testing feedback

I feel like the message could cause confusion. Because i had assign role and just was condition only on those one. It works correctly, just the UI

[victorvhs017]

I tried to make this more generic, including the conditions. What do you think?

Refactoring the error with a detailed message on which condition failed and why would be a big change.

[akhilmhdh]

Same in groups. I had permission for assignRole but the error said is not having it.