refactor(rbac): rename SYSTEM_ROLE_SCOPES to PRESET_ROLE_SCOPES

jordan-umusu · claude · jordan-umusu · commit 25cd48dde190 · 2026-01-30T14:16:23.000-05:00
Rename the workspace role scope mapping to better distinguish
between preset roles (seeded roles like viewer/editor/admin)
and custom roles created by users.

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/tests/unit/test_rbac_scopes.py b/tests/unit/test_rbac_scopes.py
@@ -21,7 +21,7 @@
     ORG_MEMBER_SCOPES,
     ORG_OWNER_SCOPES,
     ORG_ROLE_SCOPES,
-    SYSTEM_ROLE_SCOPES,
+    PRESET_ROLE_SCOPES,
     VIEWER_SCOPES,
 )
 from tracecat.contexts import ctx_scopes
@@ -195,9 +195,9 @@ def test_admin_includes_editor(self):
         assert EDITOR_SCOPES.issubset(ADMIN_SCOPES)
 
     def test_system_role_mapping(self):
-        assert SYSTEM_ROLE_SCOPES[WorkspaceRole.VIEWER] == VIEWER_SCOPES
-        assert SYSTEM_ROLE_SCOPES[WorkspaceRole.EDITOR] == EDITOR_SCOPES
-        assert SYSTEM_ROLE_SCOPES[WorkspaceRole.ADMIN] == ADMIN_SCOPES
+        assert PRESET_ROLE_SCOPES[WorkspaceRole.VIEWER] == VIEWER_SCOPES
+        assert PRESET_ROLE_SCOPES[WorkspaceRole.EDITOR] == EDITOR_SCOPES
+        assert PRESET_ROLE_SCOPES[WorkspaceRole.ADMIN] == ADMIN_SCOPES
 
 
 class TestOrgRoleScopes:
diff --git a/tracecat/auth/credentials.py b/tracecat/auth/credentials.py
@@ -33,7 +33,7 @@
     optional_current_active_user,
 )
 from tracecat.authz.enums import OrgRole, WorkspaceRole
-from tracecat.authz.scopes import ORG_ROLE_SCOPES, SYSTEM_ROLE_SCOPES
+from tracecat.authz.scopes import ORG_ROLE_SCOPES, PRESET_ROLE_SCOPES
 from tracecat.authz.service import MembershipService, MembershipWithOrg
 from tracecat.contexts import ctx_role, ctx_scopes
 from tracecat.db.dependencies import AsyncDBSession
@@ -96,7 +96,7 @@ def compute_effective_scopes(role: Role) -> frozenset[str]:
 
     For workspace-scoped requests:
     - Org OWNER/ADMIN: org-level scopes (they can access all workspaces)
-    - Workspace members: workspace role scopes from SYSTEM_ROLE_SCOPES
+    - Workspace members: workspace role scopes from PRESET_ROLE_SCOPES
 
     Note: Group-based scopes will be added in PR 4 (RBAC Service & APIs).
     """
@@ -115,7 +115,7 @@ def compute_effective_scopes(role: Role) -> frozenset[str]:
         # Org admins/owners already have workspace scopes via their org role
         # Regular members need their workspace role scopes
         if role.org_role not in (OrgRole.OWNER, OrgRole.ADMIN):
-            scope_set |= SYSTEM_ROLE_SCOPES.get(role.workspace_role, set())
+            scope_set |= PRESET_ROLE_SCOPES.get(role.workspace_role, set())
 
     # Note: Group-based scopes (from group_assignment table) will be added in PR 4
     # via RBACService.get_group_scopes()
diff --git a/tracecat/authz/scopes.py b/tracecat/authz/scopes.py
@@ -83,10 +83,10 @@
 )
 
 # =============================================================================
-# System Role -> Scope Set Mapping
+# Preset Role -> Scope Set Mapping
 # =============================================================================
 
-SYSTEM_ROLE_SCOPES: dict[WorkspaceRole, frozenset[str]] = {
+PRESET_ROLE_SCOPES: dict[WorkspaceRole, frozenset[str]] = {
     WorkspaceRole.VIEWER: VIEWER_SCOPES,
     WorkspaceRole.EDITOR: EDITOR_SCOPES,
     WorkspaceRole.ADMIN: ADMIN_SCOPES,
