refactor(rbac): drop use of access_level app-wide

Author: jordan-umusu

frontend/src/app/auth/saml/acs/route.ts

@@ -39,7 +39,6 @@ export async function POST(request: NextRequest) {
     "x-tracecat-service-key": process.env.TRACECAT__SERVICE_KEY!,
     "x-tracecat-role-type": "service",
     "x-tracecat-role-service-id": "tracecat-ui",
-    "x-tracecat-role-access-level": "BASIC",
   }
   console.log("Headers", headers)
   const backendResponse = await fetch(backendUrl.toString(), {

frontend/src/client/schemas.gen.ts

@@ -1,14 +1,9 @@
 // This file is auto-generated by @hey-api/openapi-ts
 
 export const $AccessLevel = {
-  type: "integer",
-  enum: [0, 999],
+  type: "string",
+  enum: ["BASIC", "ADMIN"],
   title: "AccessLevel",
-  description: `Access control levels for roles.
-
-.. deprecated::
-    Use \`require_org_roles\` in RoleACL or \`@require_org_role\` decorator instead.
-    This enum will be removed in a future version.`,
 } as const
 
 export const $ActionChange = {
@@ -13540,10 +13535,6 @@ export const $Role = {
       ],
       title: "User Id",
     },
-    access_level: {
-      $ref: "#/components/schemas/AccessLevel",
-      default: 0,
-    },
     service_id: {
       type: "string",
       enum: [
@@ -13562,6 +13553,10 @@ export const $Role = {
       ],
       title: "Service Id",
     },
+    access_level: {
+      $ref: "#/components/schemas/AccessLevel",
+      default: "BASIC",
+    },
     is_platform_superuser: {
       type: "boolean",
       title: "Is Platform Superuser",
@@ -13734,7 +13729,7 @@ export const $RoleReadWithScopes = {
     is_system: {
       type: "boolean",
       title: "Is System",
-      description: "Whether this is a system role (admin, editor, viewer).",
+      description: "Whether this is a preset/system role.",
       readOnly: true,
     },
   },

frontend/src/client/types.gen.ts

@@ -1,13 +1,6 @@
 // This file is auto-generated by @hey-api/openapi-ts
 
-/**
- * Access control levels for roles.
- *
- * .. deprecated::
- * Use `require_org_roles` in RoleACL or `@require_org_role` decorator instead.
- * This enum will be removed in a future version.
- */
-export type AccessLevel = 0 | 999
+export type AccessLevel = "BASIC" | "ADMIN"
 
 /**
  * Describes a change to an action between two versions.
@@ -4328,7 +4321,6 @@ export type Role = {
   workspace_role?: WorkspaceRole | null
   org_role?: OrgRole | null
   user_id?: string | null
-  access_level?: AccessLevel
   service_id:
     | "tracecat-api"
     | "tracecat-bootstrap"
@@ -4342,6 +4334,7 @@ export type Role = {
     | "tracecat-schedule-runner"
     | "tracecat-service"
     | "tracecat-ui"
+  access_level?: AccessLevel
   is_platform_superuser?: boolean
   scopes?: Array<string>
 }
@@ -4402,7 +4395,7 @@ export type RoleReadWithScopes = {
   created_by?: string | null
   scopes?: Array<ScopeRead>
   /**
-   * Whether this is a system role (admin, editor, viewer).
+   * Whether this is a preset/system role.
    */
   readonly is_system: boolean
 }

packages/tracecat-admin/tracecat_admin/client.py

@@ -63,7 +63,6 @@ async def __aenter__(self) -> AdminClient:
                 headers={
                     "x-tracecat-service-key": self._config.service_key,
                     "x-tracecat-role-service-id": "tracecat-admin-cli",
-                    "x-tracecat-role-access-level": "ADMIN",
                     "Content-Type": "application/json",
                 },
                 timeout=30.0,

packages/tracecat-ee/tracecat_ee/admin/organizations/service.py

@@ -10,7 +10,7 @@
 from sqlalchemy.exc import IntegrityError
 from sqlalchemy.orm import selectinload
 
-from tracecat.auth.types import AccessLevel, Role
+from tracecat.auth.types import Role
 from tracecat.db.models import (
     Organization,
     RegistryRepository,
@@ -157,7 +157,6 @@ async def sync_org_repository(
         # Create a role for the org
         org_role = Role(
             type="service",
-            access_level=AccessLevel.ADMIN,
             service_id="tracecat-service",
             organization_id=org_id,
         )

packages/tracecat-ee/tracecat_ee/rbac/schemas.py

@@ -8,6 +8,11 @@
 from pydantic import BaseModel, ConfigDict, Field, computed_field
 
 from tracecat.authz.enums import ScopeSource
+from tracecat.authz.scopes import PRESET_ROLE_SCOPES
+
+SYSTEM_ROLE_SLUGS = frozenset(PRESET_ROLE_SCOPES) | frozenset(
+    {"admin", "editor", "viewer"}
+)
 
 # =============================================================================
 # Scope Schemas
@@ -75,8 +80,8 @@ class RoleRead(BaseModel):
     @computed_field
     @property
     def is_system(self) -> bool:
-        """Whether this is a system role (admin, editor, viewer)."""
-        return self.slug in {"admin", "editor", "viewer"}
+        """Whether this is a preset/system role."""
+        return self.slug in SYSTEM_ROLE_SLUGS
 
 
 class RoleReadWithScopes(RoleRead):

packages/tracecat-ee/tracecat_ee/rbac/service.py

@@ -10,6 +10,7 @@
 from tracecat.audit.logger import audit_log
 from tracecat.authz.controls import validate_scope_string
 from tracecat.authz.enums import ScopeSource
+from tracecat.authz.scopes import PRESET_ROLE_SCOPES
 from tracecat.db.models import (
     Group,
     GroupMember,
@@ -37,6 +38,9 @@ class RBACService(BaseOrgService):
     """Service for managing RBAC entities and computing effective scopes."""
 
     service_name = "rbac"
+    _PROTECTED_ROLE_SLUGS = frozenset(PRESET_ROLE_SCOPES) | frozenset(
+        {"admin", "editor", "viewer"}
+    )
 
     # =========================================================================
     # Scope Management
@@ -223,12 +227,12 @@ async def update_role(
     ) -> RoleModel:
         """Update a role.
 
-        System roles (admin, editor, viewer) cannot have their scopes modified.
+        Preset roles cannot have their scopes modified.
         """
         role = await self.get_role(role_id)
 
-        # System roles cannot have scopes modified
-        if role.slug in {"admin", "editor", "viewer"} and scope_ids is not None:
+        # Preset roles cannot have scopes modified
+        if role.slug in self._PROTECTED_ROLE_SLUGS and scope_ids is not None:
             raise TracecatAuthorizationError("Cannot modify scopes of system roles")
 
         if name is not None:
@@ -247,12 +251,12 @@ async def update_role(
     async def delete_role(self, role_id: UserID) -> None:
         """Delete a role.
 
-        System roles (admin, editor, viewer) cannot be deleted.
+        Preset roles cannot be deleted.
         """
         role = await self.get_role(role_id)
 
-        # System roles cannot be deleted
-        if role.slug in {"admin", "editor", "viewer"}:
+        # Preset roles cannot be deleted
+        if role.slug in self._PROTECTED_ROLE_SLUGS:
             raise TracecatAuthorizationError("Cannot delete system roles")
 
         # Check if role is in use by any group assignments

tests/registry/test_cases_characterization.py

@@ -60,7 +60,7 @@
 from tracecat.api.app import app
 from tracecat.auth.dependencies import (
     ExecutorWorkspaceRole,
-    OrgAdminUser,
+    OrgUserRole,
     ServiceRole,
     WorkspaceUserRole,
 )
@@ -149,7 +149,7 @@ def override_role():
         WorkspaceUser,
         WorkspaceAdminUser,
         ServiceRole,
-        OrgAdminUser,
+        OrgUserRole,
     ]
     for annotated_type in role_dependencies:
         metadata = get_args(annotated_type)

tests/unit/api/conftest.py

@@ -13,13 +13,16 @@
 )
 from tracecat.api.app import app
 from tracecat.auth.credentials import SuperuserRole
-from tracecat.auth.dependencies import ExecutorWorkspaceRole, WorkspaceUserRole
+from tracecat.auth.dependencies import (
+    ExecutorWorkspaceRole,
+    OrgUserRole,
+    WorkspaceUserRole,
+)
 from tracecat.auth.types import Role
 from tracecat.cases.router import WorkspaceUser
 from tracecat.contexts import ctx_role
 from tracecat.db.engine import get_async_session
 from tracecat.secrets.router import (
-    OrgAdminUser,
     WorkspaceAdminUser,
 )
 from tracecat.secrets.router import (
@@ -63,7 +66,7 @@ def client() -> Generator[TestClient, None, None]:
         OrganizationAdminUserRole,
         SecretsWorkspaceUser,
         WorkspaceAdminUser,
-        OrgAdminUser,
+        OrgUserRole,
         TablesWorkspaceUser,
         TablesWorkspaceEditorUser,
     ]

tests/unit/test_auth_middleware.py

@@ -175,8 +175,6 @@ async def mock_list_user_memberships(user_id):
         allow_user=True,
         allow_service=False,
         require_workspace="yes",
-        min_access_level=None,
-        require_workspace_roles=None,
     )
 
     assert db_call_count == 1  # First call triggers DB query
@@ -191,8 +189,6 @@ async def mock_list_user_memberships(user_id):
         allow_user=True,
         allow_service=False,
         require_workspace="yes",
-        min_access_level=None,
-        require_workspace_roles=None,
     )
 
     assert db_call_count == 1  # Still only 1 DB call - used cache!
@@ -275,8 +271,6 @@ async def time_auth_check(user, use_cache=True):
             allow_user=True,
             allow_service=False,
             require_workspace="yes",
-            min_access_level=None,
-            require_workspace_roles=None,
         )
         end = time.perf_counter()
 
@@ -423,8 +417,6 @@ async def test_cache_user_id_validation():
             "allow_user": True,
             "allow_service": False,
             "require_workspace": "yes",
-            "min_access_level": None,
-            "require_workspace_roles": None,
         }
 
         # First check with user1 - should populate cache
@@ -516,8 +508,6 @@ async def test_cache_size_limit():
             allow_user=True,
             allow_service=False,
             require_workspace="yes",
-            min_access_level=None,
-            require_workspace_roles=None,
         )
 
         # Verify cache was NOT populated due to size limit
@@ -586,8 +576,6 @@ async def test_organization_id_populated_when_require_workspace_no(mocker):
         allow_user=True,
         allow_service=False,
         require_workspace="no",
-        min_access_level=None,
-        require_workspace_roles=None,
     )
 
     # Verify organization_id was inferred from the user's OrganizationMembership
@@ -652,8 +640,6 @@ async def test_role_dependency_infers_org_from_single_membership(
         allow_user=True,
         allow_service=False,
         require_workspace="no",
-        min_access_level=None,
-        require_workspace_roles=None,
     )
 
     assert role.organization_id == org.id
@@ -738,8 +724,6 @@ async def test_role_dependency_requires_workspace_for_multi_org(
             allow_user=True,
             allow_service=False,
             require_workspace="no",
-            min_access_level=None,
-            require_workspace_roles=None,
         )
 
     assert excinfo.value.status_code == status.HTTP_400_BAD_REQUEST