refactor(rbac): drop usage of old membership roles in rbac api

Author: jordan-umusu

frontend/src/client/schemas.gen.ts

@@ -10536,7 +10536,15 @@ export const $OrgMemberRead = {
       title: "Email",
     },
     role: {
-      $ref: "#/components/schemas/OrgRole",
+      anyOf: [
+        {
+          type: "string",
+        },
+        {
+          type: "null",
+        },
+      ],
+      title: "Role",
     },
     is_active: {
       type: "boolean",
@@ -14512,9 +14520,9 @@ export const $ScopeRead = {
 
 export const $ScopeSource = {
   type: "string",
-  enum: ["system", "registry", "custom"],
+  enum: ["platform", "custom"],
   title: "ScopeSource",
-  description: "Source of a scope definition.",
+  description: "Source/ownership of a scope definition.",
 } as const
 
 export const $SecretCreate = {
@@ -18171,38 +18179,6 @@ export const $UserScopesRead = {
       title: "Scopes",
       description: "List of effective scope strings for the user",
     },
-    org_role_scopes: {
-      items: {
-        type: "string",
-      },
-      type: "array",
-      title: "Org Role Scopes",
-      description: "Scopes from organization role",
-    },
-    workspace_role_scopes: {
-      items: {
-        type: "string",
-      },
-      type: "array",
-      title: "Workspace Role Scopes",
-      description: "Scopes from workspace role",
-    },
-    group_scopes: {
-      items: {
-        type: "string",
-      },
-      type: "array",
-      title: "Group Scopes",
-      description: "Scopes from group memberships",
-    },
-    user_role_scopes: {
-      items: {
-        type: "string",
-      },
-      type: "array",
-      title: "User Role Scopes",
-      description: "Scopes from direct user role assignments",
-    },
   },
   type: "object",
   required: ["scopes"],

frontend/src/client/services.gen.ts

@@ -40,6 +40,8 @@ import type {
   AdminListOrgRepositoriesResponse,
   AdminListOrgRepositoryVersionsData,
   AdminListOrgRepositoryVersionsResponse,
+  AdminListOrgTiersData,
+  AdminListOrgTiersResponse,
   AdminListTiersData,
   AdminListTiersResponse,
   AdminListUsersResponse,
@@ -4363,6 +4365,29 @@ export const adminCreateTier = (
   })
 }
 
+/**
+ * List Org Tiers
+ * List tier assignments for organizations.
+ * @param data The data for the request.
+ * @param data.orgIds Optional list of organization IDs to filter results
+ * @returns OrganizationTierRead Successful Response
+ * @throws ApiError
+ */
+export const adminListOrgTiers = (
+  data: AdminListOrgTiersData = {}
+): CancelablePromise<AdminListOrgTiersResponse> => {
+  return __request(OpenAPI, {
+    method: "GET",
+    url: "/admin/tiers/organizations",
+    query: {
+      org_ids: data.orgIds,
+    },
+    errors: {
+      422: "Validation Error",
+    },
+  })
+}
+
 /**
  * Get Tier
  * Get tier by ID.
@@ -8424,13 +8449,8 @@ export const vcsGetGithubAppCredentialsStatus =
  * Get My Scopes
  * Get the current user's effective scopes.
  *
- * Returns a breakdown of scopes by source:
- * - org_role_scopes: From org membership role (OWNER/ADMIN/MEMBER)
- * - workspace_role_scopes: From workspace membership role (if in workspace context)
- * - group_scopes: From group memberships and their role assignments (EE only)
- * - user_role_scopes: From direct user role assignments (EE only)
- *
- * The combined `scopes` list is what's actually used for authorization.
+ * Scopes are computed from DB-driven role assignments during auth
+ * (UserRoleAssignment + GroupRoleAssignment → Role → RoleScope → Scope).
  * @returns UserScopesRead Successful Response
  * @throws ApiError
  */

frontend/src/client/types.gen.ts

@@ -3389,7 +3389,7 @@ export type OrgMemberRead = {
   first_name: string | null
   last_name: string | null
   email: string
-  role: OrgRole
+  role: string | null
   is_active: boolean
   is_superuser: boolean
   is_verified: boolean
@@ -4601,9 +4601,9 @@ export type ScopeRead = {
 }
 
 /**
- * Source of a scope definition.
+ * Source/ownership of a scope definition.
  */
-export type ScopeSource = "system" | "registry" | "custom"
+export type ScopeSource = "platform" | "custom"
 
 /**
  * Create a new secret.
@@ -5761,22 +5761,6 @@ export type UserScopesRead = {
    * List of effective scope strings for the user
    */
   scopes: Array<string>
-  /**
-   * Scopes from organization role
-   */
-  org_role_scopes?: Array<string>
-  /**
-   * Scopes from workspace role
-   */
-  workspace_role_scopes?: Array<string>
-  /**
-   * Scopes from group memberships
-   */
-  group_scopes?: Array<string>
-  /**
-   * Scopes from direct user role assignments
-   */
-  user_role_scopes?: Array<string>
 }
 
 export type UserUpdate = {
@@ -7717,6 +7701,15 @@ export type AdminCreateTierData = {
 
 export type AdminCreateTierResponse = TierRead
 
+export type AdminListOrgTiersData = {
+  /**
+   * Optional list of organization IDs to filter results
+   */
+  orgIds?: Array<string> | null
+}
+
+export type AdminListOrgTiersResponse = Array<OrganizationTierRead>
+
 export type AdminGetTierData = {
   tierId: string
 }
@@ -11169,6 +11162,21 @@ export type $OpenApiTs = {
       }
     }
   }
+  "/admin/tiers/organizations": {
+    get: {
+      req: AdminListOrgTiersData
+      res: {
+        /**
+         * Successful Response
+         */
+        200: Array<OrganizationTierRead>
+        /**
+         * Validation Error
+         */
+        422: HTTPValidationError
+      }
+    }
+  }
   "/admin/tiers/{tier_id}": {
     get: {
       req: AdminGetTierData

packages/tracecat-ee/tracecat_ee/rbac/service.py

@@ -12,8 +12,8 @@
 from tracecat.authz.enums import ScopeSource
 from tracecat.db.models import (
     Group,
-    GroupAssignment,
     GroupMember,
+    GroupRoleAssignment,
     OrganizationMembership,
     RoleScope,
     Scope,
@@ -256,7 +256,7 @@ async def delete_role(self, role_id: UserID) -> None:
             raise TracecatAuthorizationError("Cannot delete system roles")
 
         # Check if role is in use by any group assignments
-        stmt = select(func.count()).where(GroupAssignment.role_id == role_id)
+        stmt = select(func.count()).where(GroupRoleAssignment.role_id == role_id)
         result = await self.session.execute(stmt)
         group_count = result.scalar() or 0
         if group_count > 0:
@@ -438,38 +438,38 @@ async def list_assignments(
         *,
         group_id: UserID | None = None,
         workspace_id: WorkspaceID | None = None,
-    ) -> Sequence[GroupAssignment]:
+    ) -> Sequence[GroupRoleAssignment]:
         """List group assignments for the organization."""
         stmt = (
-            select(GroupAssignment)
-            .where(GroupAssignment.organization_id == self.organization_id)
+            select(GroupRoleAssignment)
+            .where(GroupRoleAssignment.organization_id == self.organization_id)
             .options(
-                selectinload(GroupAssignment.group),
-                selectinload(GroupAssignment.role),
-                selectinload(GroupAssignment.workspace),
+                selectinload(GroupRoleAssignment.group),
+                selectinload(GroupRoleAssignment.role),
+                selectinload(GroupRoleAssignment.workspace),
             )
         )
 
         if group_id is not None:
-            stmt = stmt.where(GroupAssignment.group_id == group_id)
+            stmt = stmt.where(GroupRoleAssignment.group_id == group_id)
         if workspace_id is not None:
-            stmt = stmt.where(GroupAssignment.workspace_id == workspace_id)
+            stmt = stmt.where(GroupRoleAssignment.workspace_id == workspace_id)
 
         result = await self.session.execute(stmt)
         return result.scalars().all()
 
-    async def get_assignment(self, assignment_id: UserID) -> GroupAssignment:
+    async def get_assignment(self, assignment_id: UserID) -> GroupRoleAssignment:
         """Get a group assignment by ID."""
         stmt = (
-            select(GroupAssignment)
+            select(GroupRoleAssignment)
             .where(
-                GroupAssignment.id == assignment_id,
-                GroupAssignment.organization_id == self.organization_id,
+                GroupRoleAssignment.id == assignment_id,
+                GroupRoleAssignment.organization_id == self.organization_id,
             )
             .options(
-                selectinload(GroupAssignment.group),
-                selectinload(GroupAssignment.role),
-                selectinload(GroupAssignment.workspace),
+                selectinload(GroupRoleAssignment.group),
+                selectinload(GroupRoleAssignment.role),
+                selectinload(GroupRoleAssignment.workspace),
             )
         )
         result = await self.session.execute(stmt)
@@ -485,7 +485,7 @@ async def create_assignment(
         group_id: UserID,
         role_id: UserID,
         workspace_id: WorkspaceID | None = None,
-    ) -> GroupAssignment:
+    ) -> GroupRoleAssignment:
         """Create a group assignment.
 
         Args:
@@ -494,7 +494,7 @@ async def create_assignment(
             workspace_id: Workspace for workspace-level assignment (None for org-wide)
 
         Returns:
-            Created GroupAssignment
+            Created GroupRoleAssignment
         """
         # Verify group exists
         await self.get_group(group_id)
@@ -512,7 +512,7 @@ async def create_assignment(
             if result.scalar_one_or_none() is None:
                 raise TracecatNotFoundError("Workspace not found")
 
-        assignment = GroupAssignment(
+        assignment = GroupRoleAssignment(
             organization_id=self.organization_id,
             group_id=group_id,
             role_id=role_id,
@@ -534,7 +534,7 @@ async def update_assignment(
         assignment_id: UserID,
         *,
         role_id: UserID,
-    ) -> GroupAssignment:
+    ) -> GroupRoleAssignment:
         """Update a group assignment (change role)."""
         assignment = await self.get_assignment(assignment_id)
 
@@ -759,13 +759,13 @@ async def get_group_scopes(
             Frozenset of scope name strings
         """
         # Query to get all scope names from user's group memberships and role assignments
-        # This joins: GroupMember -> Group -> GroupAssignment -> Role -> RoleScope -> Scope
+        # This joins: GroupMember -> Group -> GroupRoleAssignment -> Role -> RoleScope -> Scope
         stmt = (
             select(Scope.name)
             .select_from(GroupMember)
             .join(Group, GroupMember.group_id == Group.id)
-            .join(GroupAssignment, GroupAssignment.group_id == Group.id)
-            .join(RoleModel, GroupAssignment.role_id == RoleModel.id)
+            .join(GroupRoleAssignment, GroupRoleAssignment.group_id == Group.id)
+            .join(RoleModel, GroupRoleAssignment.role_id == RoleModel.id)
             .join(RoleScope, RoleScope.role_id == RoleModel.id)
             .join(Scope, RoleScope.scope_id == Scope.id)
             .where(
@@ -779,12 +779,12 @@ async def get_group_scopes(
         # - Workspace-specific assignments only apply if requesting that workspace
         if workspace_id is not None:
             stmt = stmt.where(
-                (GroupAssignment.workspace_id.is_(None))
-                | (GroupAssignment.workspace_id == workspace_id)
+                (GroupRoleAssignment.workspace_id.is_(None))
+                | (GroupRoleAssignment.workspace_id == workspace_id)
             )
         else:
             # Only org-wide assignments
-            stmt = stmt.where(GroupAssignment.workspace_id.is_(None))
+            stmt = stmt.where(GroupRoleAssignment.workspace_id.is_(None))
 
         result = await self.session.execute(stmt)
         scope_names = result.scalars().all()

tests/unit/test_rbac_service.py

@@ -78,7 +78,7 @@ async def seeded_scopes(session: AsyncSession) -> list[Scope]:
     """Seed system scopes and return them."""
     await seed_system_scopes(session)
     result = await session.execute(
-        select(Scope).where(Scope.source == ScopeSource.SYSTEM)
+        select(Scope).where(Scope.source == ScopeSource.PLATFORM)
     )
     return list(result.scalars().all())
 
@@ -124,9 +124,9 @@ async def test_list_scopes_filter_by_source(
         """List scopes can filter by source."""
         service = RBACService(session, role=role)
         scopes = await service.list_scopes(
-            include_system=True, source=ScopeSource.SYSTEM
+            include_system=True, source=ScopeSource.PLATFORM
         )
-        assert all(s.source == ScopeSource.SYSTEM for s in scopes)
+        assert all(s.source == ScopeSource.PLATFORM for s in scopes)
 
     async def test_create_custom_scope(
         self,