fix(rbac): expand scope definition for missing endpoints

Author: jordan-umusu

tracecat/agent/router.py

@@ -10,7 +10,7 @@
 )
 from tracecat.agent.service import AgentManagementService
 from tracecat.auth.credentials import RoleACL
-from tracecat.auth.types import AccessLevel, Role
+from tracecat.auth.types import Role
 from tracecat.authz.controls import require_scope
 from tracecat.db.dependencies import AsyncDBSession
 from tracecat.exceptions import TracecatNotFoundError
@@ -23,7 +23,6 @@
         allow_user=True,
         allow_service=False,
         require_workspace="no",
-        min_access_level=AccessLevel.ADMIN,
     ),
 ]
 

tracecat/authz/scopes.py

@@ -105,6 +105,9 @@
         # Org settings management
         "org:settings:read",
         "org:settings:manage",
+        # Registry management (org-level custom actions)
+        "org:registry:read",
+        "org:registry:manage",
         # Full workspace control across the org
         "workspace:read",
         "workspace:create",
@@ -149,6 +152,11 @@
         "secret:create",
         "secret:update",
         "secret:delete",
+        # Organization secrets (org-scoped, not workspace-scoped)
+        "org:secret:read",
+        "org:secret:create",
+        "org:secret:update",
+        "org:secret:delete",
         # Full action execution
         "action:*:execute",
     }
@@ -172,6 +180,9 @@
         # Org settings management
         "org:settings:read",
         "org:settings:manage",
+        # Registry management (org-level custom actions)
+        "org:registry:read",
+        "org:registry:manage",
         # Full workspace control across the org
         "workspace:read",
         "workspace:create",
@@ -216,6 +227,11 @@
         "secret:create",
         "secret:update",
         "secret:delete",
+        # Organization secrets (org-scoped, not workspace-scoped)
+        "org:secret:read",
+        "org:secret:create",
+        "org:secret:update",
+        "org:secret:delete",
         # Full action execution
         "action:*:execute",
     }

tracecat/registry/actions/router.py

@@ -3,7 +3,7 @@
 from tracecat_registry import RegistrySecret
 
 from tracecat.auth.credentials import RoleACL
-from tracecat.auth.types import AccessLevel, Role
+from tracecat.auth.types import Role
 from tracecat.authz.controls import require_scope
 from tracecat.db.dependencies import AsyncDBSession
 from tracecat.exceptions import RegistryError
@@ -21,7 +21,7 @@
 
 
 @router.get("")
-@require_scope("workflow:read")
+@require_scope("org:registry:read")
 async def list_registry_actions(
     *,
     role: Role = RoleACL(
@@ -45,7 +45,7 @@ async def list_registry_actions(
     response_model=RegistryActionRead,
     response_model_exclude_unset=True,
 )
-@require_scope("workflow:read")
+@require_scope("org:registry:read")
 async def get_registry_action(
     *,
     role: Role = RoleACL(
@@ -100,14 +100,13 @@ async def get_registry_action(
 
 
 @router.post("", status_code=status.HTTP_201_CREATED)
-@require_scope("org:settings:manage")
+@require_scope("org:registry:manage")
 async def create_registry_action(
     *,
     role: Role = RoleACL(
         allow_user=True,
         allow_service=False,
         require_workspace="no",
-        min_access_level=AccessLevel.ADMIN,
     ),
     session: AsyncDBSession,
     params: RegistryActionCreate,
@@ -130,14 +129,13 @@ async def create_registry_action(
 
 
 @router.patch("/{action_name}", status_code=status.HTTP_204_NO_CONTENT)
-@require_scope("org:settings:manage")
+@require_scope("org:registry:manage")
 async def update_registry_action(
     *,
     role: Role = RoleACL(
         allow_user=True,
         allow_service=False,
         require_workspace="no",
-        min_access_level=AccessLevel.ADMIN,
     ),
     session: AsyncDBSession,
     params: RegistryActionUpdate,
@@ -153,14 +151,13 @@ async def update_registry_action(
 
 
 @router.delete("/{action_name}", status_code=status.HTTP_204_NO_CONTENT)
-@require_scope("org:settings:manage")
+@require_scope("org:registry:manage")
 async def delete_registry_action(
     *,
     role: Role = RoleACL(
         allow_user=True,
         allow_service=False,
         require_workspace="no",
-        min_access_level=AccessLevel.ADMIN,
     ),
     session: AsyncDBSession,
     action_name: str,

tracecat/secrets/router.py

@@ -4,7 +4,7 @@
 from sqlalchemy.exc import IntegrityError
 
 from tracecat.auth.credentials import RoleACL
-from tracecat.auth.types import AccessLevel, Role
+from tracecat.auth.types import Role
 from tracecat.authz.controls import require_scope
 from tracecat.authz.enums import WorkspaceRole
 from tracecat.db.dependencies import AsyncDBSession
@@ -54,7 +54,6 @@
         allow_user=True,
         allow_service=False,
         require_workspace="no",
-        min_access_level=AccessLevel.ADMIN,
     ),
 ]
 
@@ -225,7 +224,7 @@ async def delete_secret_by_id(
 
 
 @org_router.get("")
-@require_scope("secret:read")
+@require_scope("org:secret:read")
 async def list_org_secrets(
     *,
     role: OrgAdminUser,
@@ -251,7 +250,7 @@ async def list_org_secrets(
 
 
 @org_router.get("/{secret_name}")
-@require_scope("secret:read")
+@require_scope("org:secret:read")
 async def get_org_secret_by_name(
     *,
     role: OrgAdminUser,
@@ -272,7 +271,7 @@ async def get_org_secret_by_name(
 
 
 @org_router.post("", status_code=status.HTTP_201_CREATED)
-@require_scope("secret:create")
+@require_scope("org:secret:create")
 async def create_org_secret(
     *,
     role: OrgAdminUser,
@@ -299,7 +298,7 @@ async def create_org_secret(
     "/{secret_id}",
     status_code=status.HTTP_204_NO_CONTENT,
 )
-@require_scope("secret:update")
+@require_scope("org:secret:update")
 async def update_org_secret_by_id(
     *,
     role: OrgAdminUser,
@@ -334,7 +333,7 @@ async def update_org_secret_by_id(
     "/{secret_id}",
     status_code=status.HTTP_204_NO_CONTENT,
 )
-@require_scope("secret:delete")
+@require_scope("org:secret:delete")
 async def delete_org_secret_by_id(
     *,
     role: OrgAdminUser,

tracecat/settings/router.py

@@ -5,7 +5,6 @@
 from tracecat.auth.credentials import RoleACL
 from tracecat.auth.dependencies import Role
 from tracecat.auth.enums import AuthType
-from tracecat.auth.types import AccessLevel
 from tracecat.authz.controls import require_scope
 from tracecat.config import SAML_PUBLIC_ACS_URL
 from tracecat.db.dependencies import AsyncDBSession
@@ -36,7 +35,6 @@
         allow_user=True,
         allow_service=False,
         require_workspace="no",
-        min_access_level=AccessLevel.ADMIN,
     ),
 ]