Infisical · victorvhs017 · Mar 4, 2026 · Mar 4, 2026 · Mar 5, 2026 · Mar 5, 2026
diff --git a/backend/src/ee/services/permission/default-roles.ts b/backend/src/ee/services/permission/default-roles.ts
@@ -181,6 +181,8 @@ const buildAdminPermissionRules = () => {
       ProjectPermissionMemberActions.Delete,
       ProjectPermissionMemberActions.Read,
       ProjectPermissionMemberActions.GrantPrivileges,
+      ProjectPermissionMemberActions.AssignRole,
+      ProjectPermissionMemberActions.AssignAdditionalPrivileges,
       ProjectPermissionMemberActions.AssumePrivileges
     ],
     ProjectPermissionSub.Member
@@ -192,7 +194,8 @@ const buildAdminPermissionRules = () => {
       ProjectPermissionGroupActions.Edit,
       ProjectPermissionGroupActions.Delete,
       ProjectPermissionGroupActions.Read,
-      ProjectPermissionGroupActions.GrantPrivileges
+      ProjectPermissionGroupActions.GrantPrivileges,
+      ProjectPermissionGroupActions.AssignRole
     ],
     ProjectPermissionSub.Groups
   );
@@ -204,6 +207,8 @@ const buildAdminPermissionRules = () => {
       ProjectPermissionIdentityActions.Delete,
       ProjectPermissionIdentityActions.Read,
       ProjectPermissionIdentityActions.GrantPrivileges,
+      ProjectPermissionIdentityActions.AssignRole,
+      ProjectPermissionIdentityActions.AssignAdditionalPrivileges,
       ProjectPermissionIdentityActions.AssumePrivileges,
       ProjectPermissionIdentityActions.GetToken,
       ProjectPermissionIdentityActions.CreateToken,

diff --git a/backend/src/ee/services/permission/permission-fns.ts b/backend/src/ee/services/permission/permission-fns.ts
@@ -10,6 +10,9 @@ import { ActorAuthMethod, AuthMethod } from "@app/services/auth/auth-type";
 import { OrgPermissionSet } from "./org-permission";
 import {
   ActionAllowedConditions,
+  ProjectPermissionGroupActions,
+  ProjectPermissionIdentityActions,
+  ProjectPermissionMemberActions,
   ProjectPermissionSecretActions,
   ProjectPermissionSet,
   ProjectPermissionSub,
@@ -102,6 +105,69 @@ export function checkForInvalidPermissionCombination(permissions: z.infer<typeof
       }
     }
 
+    if (permission.subject === ProjectPermissionSub.Member) {
+      if (permission.action.includes(ProjectPermissionMemberActions.GrantPrivileges)) {
+        const hasAssignRole = permission.action.includes(ProjectPermissionMemberActions.AssignRole);
+        const hasAssignAdditionalPrivileges = permission.action.includes(
+          ProjectPermissionMemberActions.AssignAdditionalPrivileges
+        );
+
+        if (hasAssignRole || hasAssignAdditionalPrivileges) {
+          const hasBothNewActions = hasAssignRole && hasAssignAdditionalPrivileges;
+
+          throw new BadRequestError({
+            message: `You have selected Grant Privileges, and ${
+              hasBothNewActions
+                ? "both Assign Role and Assign Additional Privileges"
+                : hasAssignRole
+                  ? "Assign Role"
+                  : hasAssignAdditionalPrivileges
+                    ? "Assign Additional Privileges"
+                    : ""
+            }. You cannot select Assign Role or Assign Additional Privileges if you have selected Grant Privileges. The Grant Privileges permission is a legacy action which has been replaced by Assign Role and Assign Additional Privileges.`
+          });
+        }
+      }
+    }
+
+    if (permission.subject === ProjectPermissionSub.Identity) {
+      if (permission.action.includes(ProjectPermissionIdentityActions.GrantPrivileges)) {
+        const hasAssignRole = permission.action.includes(ProjectPermissionIdentityActions.AssignRole);
+        const hasAssignAdditionalPrivileges = permission.action.includes(
+          ProjectPermissionIdentityActions.AssignAdditionalPrivileges
+        );
+
+        if (hasAssignRole || hasAssignAdditionalPrivileges) {
+          const hasBothNewActions = hasAssignRole && hasAssignAdditionalPrivileges;
+
+          throw new BadRequestError({
+            message: `You have selected Grant Privileges, and ${
+              hasBothNewActions
+                ? "both Assign Role and Assign Additional Privileges"
+                : hasAssignRole
+                  ? "Assign Role"
+                  : hasAssignAdditionalPrivileges
+                    ? "Assign Additional Privileges"
+                    : ""
+            }. You cannot select Assign Role or Assign Additional Privileges if you have selected Grant Privileges. The Grant Privileges permission is a legacy action which has been replaced by Assign Role and Assign Additional Privileges.`
+          });
+        }
+      }
+    }
+
+    if (permission.subject === ProjectPermissionSub.Groups) {
+      if (permission.action.includes(ProjectPermissionGroupActions.GrantPrivileges)) {
+        const hasAssignRole = permission.action.includes(ProjectPermissionGroupActions.AssignRole);
+
+        if (hasAssignRole) {
+          throw new BadRequestError({
+            message:
+              "You have selected Grant Privileges and Assign Role. You cannot select Assign Role if you have selected Grant Privileges. The Grant Privileges permission is a legacy action which has been replaced by Assign Role."
+          });
+        }
+      }
+    }
+
     const subjectConditions = ActionAllowedConditions[permission.subject as ProjectPermissionSub];
     const permissionConditions = "conditions" in permission ? permission.conditions : undefined;
     if (permissionConditions && subjectConditions) {
@@ -190,10 +256,13 @@ const validatePrivilegeChangeOperation = (
   opAction: OrgPermissionSet[0] | ProjectPermissionSet[0],
   opSubject: OrgPermissionSet[1] | ProjectPermissionSet[1],
   actorPermission: MongoAbility,
-  managedPermission: MongoAbility
+  managedPermission: MongoAbility,
+  subjectFields?: Record<string, string | undefined>
 ) => {
   if (shouldUseNewPrivilegeSystem) {
-    if (actorPermission.can(opAction, opSubject)) {
+    const subjectToCheck = subjectFields ? subject(opSubject as string, subjectFields) : opSubject;
+
+    if (actorPermission.can(opAction, subjectToCheck)) {
       return {
         isValid: true,
         missingPermissions: []
@@ -223,7 +292,7 @@ const constructPermissionErrorMessage = (
 ) => {
   return `${baseMessage}${
     shouldUseNewPrivilegeSystem
-      ? `. Actor is missing permission ${opAction as string} on ${opSubject as string}`
+      ? `. Actor is missing permission to perform ${opAction as string} on ${opSubject as string}`
       : ". Actor privilege level is not high enough to perform this action"
   }`;
 };

diff --git a/backend/src/ee/services/permission/permission-service-types.ts b/backend/src/ee/services/permission/permission-service-types.ts
@@ -108,10 +108,10 @@ export type TPermissionServiceFactory = {
       permission: MongoAbility<ProjectPermissionSet, MongoQuery>;
       role?: {
         name: string;
-        id: string;
-        createdAt: Date;
-        updatedAt: Date;
         slug: string;
+        id?: string;
+        createdAt?: Date;
+        updatedAt?: Date;
         permissions?: unknown;
         description?: string | null | undefined;
       };

diff --git a/backend/src/ee/services/permission/permission-service.ts b/backend/src/ee/services/permission/permission-service.ts
@@ -678,7 +678,8 @@ export const permissionServiceFactory = ({
           {
             conditionsMatcher
           }
-        )
+        ),
+        role: { name: el.name, slug: el.name }
       };
     });
   };
-Original file line number
+Diff line change
@@ Expand Up / @@ -678,7 +678,8 @@ export const permissionServiceFactory = ({ @@
               {
                 conditionsMatcher
               }
-            )
+            ),
+            role: { name: el.name, slug: el.name }
           };
         });
       };
@@ Expand Down @@