refactor(rbac): unify scope presets

Author: jordan-umusu

tests/unit/test_rbac_scopes.py

@@ -20,7 +20,6 @@
     ORG_ADMIN_SCOPES,
     ORG_MEMBER_SCOPES,
     ORG_OWNER_SCOPES,
-    ORG_ROLE_SCOPES,
     PRESET_ROLE_SCOPES,
     VIEWER_SCOPES,
 )
@@ -200,10 +199,13 @@ def test_editor_includes_viewer(self):
     def test_admin_includes_editor(self):
         assert EDITOR_SCOPES.issubset(ADMIN_SCOPES)
 
-    def test_system_role_mapping(self):
+    def test_preset_role_mapping(self):
         assert PRESET_ROLE_SCOPES["workspace-viewer"] == VIEWER_SCOPES
         assert PRESET_ROLE_SCOPES["workspace-editor"] == EDITOR_SCOPES
         assert PRESET_ROLE_SCOPES["workspace-admin"] == ADMIN_SCOPES
+        assert PRESET_ROLE_SCOPES["organization-owner"] == ORG_OWNER_SCOPES
+        assert PRESET_ROLE_SCOPES["organization-admin"] == ORG_ADMIN_SCOPES
+        assert PRESET_ROLE_SCOPES["organization-member"] == ORG_MEMBER_SCOPES
 
 
 class TestOrgRoleScopes:
@@ -224,11 +226,6 @@ def test_admin_has_billing_read(self):
     def test_member_has_minimal_scopes(self):
         assert ORG_MEMBER_SCOPES == frozenset({"org:read", "org:member:read"})
 
-    def test_org_role_mapping(self):
-        assert ORG_ROLE_SCOPES["organization-owner"] == ORG_OWNER_SCOPES
-        assert ORG_ROLE_SCOPES["organization-admin"] == ORG_ADMIN_SCOPES
-        assert ORG_ROLE_SCOPES["organization-member"] == ORG_MEMBER_SCOPES
-
 
 class TestRequireScopeDecorator:
     """Tests for the @require_scope decorator."""

tracecat/authz/scopes.py

@@ -1,8 +1,6 @@
 """RBAC scope definitions for Tracecat.
 
-This module defines the default scope sets for:
-- System workspace roles (Viewer, Editor, Admin)
-- Organization roles (Owner, Admin, Member)
+This module defines the default scope sets for preset roles.
 
 Scopes follow the OAuth 2.0 format: `{resource}:{action}`
 
@@ -17,7 +15,7 @@
 from __future__ import annotations
 
 # =============================================================================
-# Viewer Role Scopes (read-only)
+# Workspace Role Scopes
 # =============================================================================
 
 VIEWER_SCOPES: frozenset[str] = frozenset(
@@ -33,10 +31,6 @@
     }
 )
 
-# =============================================================================
-# Editor Role Scopes (create/edit, no delete or admin)
-# =============================================================================
-
 EDITOR_SCOPES: frozenset[str] = VIEWER_SCOPES | frozenset(
     {
         "workflow:create",
@@ -56,10 +50,6 @@
     }
 )
 
-# =============================================================================
-# Admin Role Scopes (full workspace capabilities)
-# =============================================================================
-
 ADMIN_SCOPES: frozenset[str] = EDITOR_SCOPES | frozenset(
     {
         "workflow:delete",
@@ -80,22 +70,12 @@
     }
 )
 
-# =============================================================================
-# Preset Role -> Scope Set Mapping
-# =============================================================================
-
-PRESET_ROLE_SCOPES: dict[str, frozenset[str]] = {
-    "workspace-viewer": VIEWER_SCOPES,
-    "workspace-editor": EDITOR_SCOPES,
-    "workspace-admin": ADMIN_SCOPES,
-}
-
 # =============================================================================
 # Organization Role Scopes
 # =============================================================================
 
-# Note: Org OWNER/ADMIN roles grant implicit access to ALL workspaces in the org.
-# These scopes define WHAT they can do, not WHERE (tier determines container access).
+# Org OWNER/ADMIN roles grant implicit access to ALL workspaces in the org.
+# These scopes define WHAT they can do, not WHERE.
 
 ORG_OWNER_SCOPES: frozenset[str] = frozenset(
     {
@@ -220,10 +200,15 @@
 )
 
 # =============================================================================
-# Organization Role -> Scope Set Mapping
+# Preset Role -> Scope Set Mapping
 # =============================================================================
 
-ORG_ROLE_SCOPES: dict[str, frozenset[str]] = {
+PRESET_ROLE_SCOPES: dict[str, frozenset[str]] = {
+    # Workspace roles
+    "workspace-viewer": VIEWER_SCOPES,
+    "workspace-editor": EDITOR_SCOPES,
+    "workspace-admin": ADMIN_SCOPES,
+    # Organization roles
     "organization-owner": ORG_OWNER_SCOPES,
     "organization-admin": ORG_ADMIN_SCOPES,
     "organization-member": ORG_MEMBER_SCOPES,

tracecat/authz/seeding.py

@@ -17,14 +17,7 @@
 from sqlalchemy.dialects.postgresql import insert as pg_insert
 
 from tracecat.authz.enums import ScopeSource
-from tracecat.authz.scopes import (
-    ADMIN_SCOPES,
-    EDITOR_SCOPES,
-    ORG_ADMIN_SCOPES,
-    ORG_MEMBER_SCOPES,
-    ORG_OWNER_SCOPES,
-    VIEWER_SCOPES,
-)
+from tracecat.authz.scopes import PRESET_ROLE_SCOPES
 from tracecat.db.models import Organization, Role, RoleScope, Scope
 from tracecat.logger import logger
 
@@ -130,57 +123,43 @@
 # Preset Role Definitions
 # =============================================================================
 
-# All preset role slugs
-PRESET_ROLE_SLUGS: frozenset[str] = frozenset(
-    {"owner", "admin", "editor", "viewer", "member"}
-)
-
-# Preset role definitions: (slug, name, description, scopes)
-#
-# Roles can be assigned at org level (workspace_id=NULL) or workspace level (workspace_id set).
-# The same role can be used at both levels; the assignment context determines what access applies.
-#
-# Role hierarchy:
-# - owner: Organization owner with full control (org-level only)
-# - admin: Full administrative access (can be org-level or workspace-level)
-# - editor: Create/edit access without admin capabilities (workspace-level)
-# - viewer: Read-only access (workspace-level)
-# - member: Basic org membership without workspace access (org-level only)
-#
-# Note: The "admin" role combines org admin and workspace admin scopes since
-# it may be assigned at either level.
-PRESET_ROLE_DEFINITIONS: list[tuple[str, str, str, frozenset[str]]] = [
-    (
-        "owner",
-        "Owner",
-        "Full organization control",
-        ORG_OWNER_SCOPES,
-    ),
-    (
-        "admin",
-        "Admin",
-        "Full administrative access at organization or workspace level",
-        ADMIN_SCOPES | ORG_ADMIN_SCOPES,  # Combined for flexibility
+# Preset roles seeded per-organization.
+# Slugs match the keys in PRESET_ROLE_SCOPES from scopes.py.
+PRESET_ROLE_DEFINITIONS: dict[str, tuple[str, str, frozenset[str]]] = {
+    # slug → (name, description, scopes)
+    "workspace-viewer": (
+        "Viewer",
+        "Read-only access to workspace resources",
+        PRESET_ROLE_SCOPES["workspace-viewer"],
     ),
-    (
-        "editor",
+    "workspace-editor": (
         "Editor",
         "Create and edit resources, no delete or admin access",
-        EDITOR_SCOPES,
+        PRESET_ROLE_SCOPES["workspace-editor"],
     ),
-    (
-        "viewer",
-        "Viewer",
-        "Read-only access to workspace resources",
-        VIEWER_SCOPES,
+    "workspace-admin": (
+        "Admin",
+        "Full workspace capabilities",
+        PRESET_ROLE_SCOPES["workspace-admin"],
     ),
-    (
-        "member",
+    "organization-owner": (
+        "Owner",
+        "Full organization control",
+        PRESET_ROLE_SCOPES["organization-owner"],
+    ),
+    "organization-admin": (
+        "Admin",
+        "Organization admin without delete or billing manage",
+        PRESET_ROLE_SCOPES["organization-admin"],
+    ),
+    "organization-member": (
         "Member",
         "Basic organization membership",
-        ORG_MEMBER_SCOPES,
+        PRESET_ROLE_SCOPES["organization-member"],
     ),
-]
+}
+
+PRESET_ROLE_SLUGS: frozenset[str] = frozenset(PRESET_ROLE_DEFINITIONS)
 
 
 # =============================================================================
@@ -376,7 +355,7 @@ async def seed_system_roles_for_org(
     # Prepare role values with pre-generated IDs
     role_values = []
     role_id_by_slug: dict[str, UUID] = {}
-    for slug, name, description, _ in PRESET_ROLE_DEFINITIONS:
+    for slug, (name, description, _) in PRESET_ROLE_DEFINITIONS.items():
         role_id = uuid4()
         role_id_by_slug[slug] = role_id
         role_values.append(
@@ -401,15 +380,15 @@ async def seed_system_roles_for_org(
     # Re-query to get actual role IDs (may differ if roles already existed)
     existing_roles_stmt = select(Role.id, Role.slug).where(
         Role.organization_id == organization_id,
-        Role.slug.in_([slug for slug, _, _, _ in PRESET_ROLE_DEFINITIONS]),
+        Role.slug.in_(PRESET_ROLE_DEFINITIONS),
     )
     existing_roles_result = await session.execute(existing_roles_stmt)
     actual_role_id_by_slug: dict[str | None, UUID] = {
         slug: role_id for role_id, slug in existing_roles_result.tuples().all()
     }
 
     # Link scopes to roles
-    for slug, _, _, scope_names in PRESET_ROLE_DEFINITIONS:
+    for slug, (_, _, scope_names) in PRESET_ROLE_DEFINITIONS.items():
         role_id = actual_role_id_by_slug.get(slug)
         if role_id is None:
             logger.warning(