refactor(rbac): simplify action scopes

jordan-umusu · jordan-umusu · commit 4bbdaf1585c2 · 2026-02-04T11:07:55.000-05:00
diff --git a/alembic/versions/55c5d2499eee_add_rbac_tables.py b/alembic/versions/55c5d2499eee_add_rbac_tables.py
@@ -23,7 +23,7 @@
 
 def upgrade() -> None:
     # ### commands auto generated by Alembic - please adjust! ###
-    sa.Enum("SYSTEM", "REGISTRY", "CUSTOM", name="scopesource").create(op.get_bind())
+    sa.Enum("PLATFORM", "CUSTOM", name="scopesource").create(op.get_bind())
     op.create_table(
         "group",
         sa.Column("id", sa.UUID(), nullable=False),
@@ -116,7 +116,7 @@ def upgrade() -> None:
         sa.Column(
             "source",
             postgresql.ENUM(
-                "SYSTEM", "REGISTRY", "CUSTOM", name="scopesource", create_type=False
+                "PLATFORM", "CUSTOM", name="scopesource", create_type=False
             ),
             nullable=False,
         ),
@@ -400,5 +400,5 @@ def downgrade() -> None:
     op.drop_index(op.f("ix_group_organization_id"), table_name="group")
     op.drop_index(op.f("ix_group_name"), table_name="group")
     op.drop_table("group")
-    sa.Enum("SYSTEM", "REGISTRY", "CUSTOM", name="scopesource").drop(op.get_bind())
+    sa.Enum("PLATFORM", "CUSTOM", name="scopesource").drop(op.get_bind())
     # ### end Alembic commands ###
diff --git a/tracecat/authz/enums.py b/tracecat/authz/enums.py
@@ -14,11 +14,10 @@ class WorkspaceRole(StrEnum):
 
 
 class ScopeSource(StrEnum):
-    """Source of a scope definition."""
+    """Source/ownership of a scope definition."""
 
-    SYSTEM = "system"  # Built-in platform scopes (org/workspace/resources/RBAC admin)
-    REGISTRY = "registry"  # Derived from registry actions
-    CUSTOM = "custom"  # User-created scopes
+    PLATFORM = "platform"  # Platform-owned: core permissions + registry-derived
+    CUSTOM = "custom"  # Organization-defined scopes
 
 
 class OrgRole(StrEnum):
diff --git a/tracecat/db/models.py b/tracecat/db/models.py
@@ -3144,9 +3144,9 @@ class Scope(Base, TimestampMixin):
     Examples: workflow:read, org:member:invite, action:tools.okta.list_users:execute
 
     Scopes can be:
-    - System scopes (organization_id=NULL): Built-in platform scopes shared across all orgs
-    - Registry scopes (organization_id=NULL): Auto-generated from registry actions
-    - Custom scopes (organization_id=org_id): User-defined scopes for an organization
+    - Platform scopes (organization_id=NULL): Platform-owned scopes shared across all orgs.
+      Use `source_ref` for provenance (e.g., "core", "tracecat_registry", git URL).
+    - Custom scopes (organization_id=org_id): Organization-defined scopes.
     """
 
     __tablename__ = "scope"
