chore(rbac): drop role from membership and invitation tables

Author: jordan-umusu

alembic/versions/4bb7e59026f3_drop_role_from_membership_and_.py

@@ -0,0 +1,127 @@
+"""drop_role_from_membership_and_invitation_tables
+
+Revision ID: 4bb7e59026f3
+Revises: 8b630b0a094e
+Create Date: 2026-01-29 14:55:11.408522
+
+"""
+
+from collections.abc import Sequence
+
+import sqlalchemy as sa
+from sqlalchemy.dialects import postgresql
+
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision: str = "4bb7e59026f3"
+down_revision: str | None = "8b630b0a094e"
+branch_labels: str | Sequence[str] | None = None
+depends_on: str | Sequence[str] | None = None
+
+
+def upgrade() -> None:
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.add_column("invitation", sa.Column("role_id", sa.UUID(), nullable=False))
+    op.create_index(
+        op.f("ix_invitation_role_id"), "invitation", ["role_id"], unique=False
+    )
+    op.create_foreign_key(
+        op.f("fk_invitation_role_id_role"),
+        "invitation",
+        "role",
+        ["role_id"],
+        ["id"],
+        ondelete="RESTRICT",
+    )
+    op.drop_column("invitation", "role")
+    op.drop_column("membership", "role")
+    op.add_column(
+        "organization_invitation", sa.Column("role_id", sa.UUID(), nullable=False)
+    )
+    op.create_index(
+        op.f("ix_organization_invitation_role_id"),
+        "organization_invitation",
+        ["role_id"],
+        unique=False,
+    )
+    op.create_foreign_key(
+        op.f("fk_organization_invitation_role_id_role"),
+        "organization_invitation",
+        "role",
+        ["role_id"],
+        ["id"],
+        ondelete="RESTRICT",
+    )
+    op.drop_column("organization_invitation", "role")
+    op.drop_column("organization_membership", "role")
+    sa.Enum("MEMBER", "ADMIN", "OWNER", name="orgrole").drop(op.get_bind())
+    sa.Enum("VIEWER", "EDITOR", "ADMIN", name="workspacerole").drop(op.get_bind())
+    # ### end Alembic commands ###
+
+
+def downgrade() -> None:
+    # ### commands auto generated by Alembic - please adjust! ###
+    sa.Enum("VIEWER", "EDITOR", "ADMIN", name="workspacerole").create(op.get_bind())
+    sa.Enum("MEMBER", "ADMIN", "OWNER", name="orgrole").create(op.get_bind())
+    op.add_column(
+        "organization_membership",
+        sa.Column(
+            "role",
+            postgresql.ENUM(
+                "MEMBER", "ADMIN", "OWNER", name="orgrole", create_type=False
+            ),
+            server_default=sa.text("'MEMBER'::orgrole"),
+            autoincrement=False,
+            nullable=False,
+        ),
+    )
+    op.add_column(
+        "organization_invitation",
+        sa.Column(
+            "role",
+            postgresql.ENUM(
+                "MEMBER", "ADMIN", "OWNER", name="orgrole", create_type=False
+            ),
+            autoincrement=False,
+            nullable=False,
+        ),
+    )
+    op.drop_constraint(
+        op.f("fk_organization_invitation_role_id_role"),
+        "organization_invitation",
+        type_="foreignkey",
+    )
+    op.drop_index(
+        op.f("ix_organization_invitation_role_id"), table_name="organization_invitation"
+    )
+    op.drop_column("organization_invitation", "role_id")
+    op.add_column(
+        "membership",
+        sa.Column(
+            "role",
+            postgresql.ENUM(
+                "VIEWER", "EDITOR", "ADMIN", name="workspacerole", create_type=False
+            ),
+            server_default=sa.text("'EDITOR'::workspacerole"),
+            autoincrement=False,
+            nullable=False,
+        ),
+    )
+    op.add_column(
+        "invitation",
+        sa.Column(
+            "role",
+            postgresql.ENUM(
+                "VIEWER", "EDITOR", "ADMIN", name="workspacerole", create_type=False
+            ),
+            autoincrement=False,
+            nullable=False,
+        ),
+    )
+    op.drop_constraint(
+        op.f("fk_invitation_role_id_role"), "invitation", type_="foreignkey"
+    )
+    op.drop_index(op.f("ix_invitation_role_id"), table_name="invitation")
+    op.drop_column("invitation", "role_id")
+    # ### end Alembic commands ###

frontend/src/client/schemas.gen.ts

@@ -9914,15 +9914,37 @@ export const $OrgInvitationCreate = {
       format: "email",
       title: "Email",
     },
-    role: {
-      $ref: "#/components/schemas/OrgRole",
-      default: "member",
+    role_id: {
+      anyOf: [
+        {
+          type: "string",
+          format: "uuid",
+        },
+        {
+          type: "null",
+        },
+      ],
+      title: "Role Id",
+    },
+    role_slug: {
+      anyOf: [
+        {
+          type: "string",
+        },
+        {
+          type: "null",
+        },
+      ],
+      title: "Role Slug",
     },
   },
   type: "object",
   required: ["email"],
   title: "OrgInvitationCreate",
-  description: "Request body for creating an organization invitation.",
+  description: `Request body for creating an organization invitation.
+
+Either role_id or role_slug must be provided to specify the role to grant.
+If both are provided, role_id takes precedence.`,
 } as const
 
 export const $OrgInvitationRead = {
@@ -9942,8 +9964,25 @@ export const $OrgInvitationRead = {
       format: "email",
       title: "Email",
     },
-    role: {
-      $ref: "#/components/schemas/OrgRole",
+    role_id: {
+      type: "string",
+      format: "uuid",
+      title: "Role Id",
+    },
+    role_slug: {
+      anyOf: [
+        {
+          type: "string",
+        },
+        {
+          type: "null",
+        },
+      ],
+      title: "Role Slug",
+    },
+    role_name: {
+      type: "string",
+      title: "Role Name",
     },
     status: {
       $ref: "#/components/schemas/InvitationStatus",
@@ -9988,7 +10027,9 @@ export const $OrgInvitationRead = {
     "id",
     "organization_id",
     "email",
-    "role",
+    "role_id",
+    "role_slug",
+    "role_name",
     "status",
     "invited_by",
     "expires_at",
@@ -10032,8 +10073,20 @@ export const $OrgInvitationReadMinimal = {
       ],
       title: "Inviter Email",
     },
-    role: {
-      $ref: "#/components/schemas/OrgRole",
+    role_slug: {
+      anyOf: [
+        {
+          type: "string",
+        },
+        {
+          type: "null",
+        },
+      ],
+      title: "Role Slug",
+    },
+    role_name: {
+      type: "string",
+      title: "Role Name",
     },
     status: {
       $ref: "#/components/schemas/InvitationStatus",
@@ -10061,7 +10114,8 @@ export const $OrgInvitationReadMinimal = {
     "organization_name",
     "inviter_name",
     "inviter_email",
-    "role",
+    "role_slug",
+    "role_name",
     "status",
     "expires_at",
   ],
@@ -10106,8 +10160,28 @@ export const $OrgMemberRead = {
       format: "email",
       title: "Email",
     },
-    role: {
-      $ref: "#/components/schemas/OrgRole",
+    role_id: {
+      anyOf: [
+        {
+          type: "string",
+          format: "uuid",
+        },
+        {
+          type: "null",
+        },
+      ],
+      title: "Role Id",
+    },
+    role_slug: {
+      anyOf: [
+        {
+          type: "string",
+        },
+        {
+          type: "null",
+        },
+      ],
+      title: "Role Slug",
     },
     is_active: {
       type: "boolean",
@@ -10140,7 +10214,8 @@ export const $OrgMemberRead = {
     "first_name",
     "last_name",
     "email",
-    "role",
+    "role_id",
+    "role_slug",
     "is_active",
     "is_superuser",
     "is_verified",

frontend/src/client/types.gen.ts

@@ -3200,10 +3200,14 @@ export type OrgInvitationAccept = {
 
 /**
  * Request body for creating an organization invitation.
+ *
+ * Either role_id or role_slug must be provided to specify the role to grant.
+ * If both are provided, role_id takes precedence.
  */
 export type OrgInvitationCreate = {
   email: string
-  role?: OrgRole
+  role_id?: string | null
+  role_slug?: string | null
 }
 
 /**
@@ -3213,7 +3217,9 @@ export type OrgInvitationRead = {
   id: string
   organization_id: string
   email: string
-  role: OrgRole
+  role_id: string
+  role_slug: string | null
+  role_name: string
   status: InvitationStatus
   invited_by: string | null
   expires_at: string
@@ -3232,7 +3238,8 @@ export type OrgInvitationReadMinimal = {
   organization_name: string
   inviter_name: string | null
   inviter_email: string | null
-  role: OrgRole
+  role_slug: string | null
+  role_name: string
   status: InvitationStatus
   expires_at: string
   email_matches?: boolean | null
@@ -3243,7 +3250,8 @@ export type OrgMemberRead = {
   first_name: string | null
   last_name: string | null
   email: string
-  role: OrgRole
+  role_id: string | null
+  role_slug: string | null
   is_active: boolean
   is_superuser: boolean
   is_verified: boolean

packages/tracecat-ee/tracecat_ee/admin/organizations/service.py

@@ -11,6 +11,7 @@
 from sqlalchemy.orm import selectinload
 
 from tracecat.auth.types import AccessLevel, Role
+from tracecat.authz.seeding import seed_system_roles_for_org
 from tracecat.db.models import (
     Organization,
     RegistryRepository,
@@ -47,6 +48,7 @@ async def create_organization(self, params: OrgCreate) -> OrgRead:
             name=params.name,
             slug=params.slug,
         )
+        await seed_system_roles_for_org(self.session, org.id)
         return OrgRead.model_validate(org)
 
     async def get_organization(self, org_id: uuid.UUID) -> OrgRead: