@@ -308,6 +308,55 @@ class ScopeType(enum.StrEnum):
308308GLOBAL_SCOPE_ID = "global"
309309
310310
311+ class RBACElementType (enum .StrEnum ):
312+ """Unified element type for the RBAC scope-entity relationship model.
313+
314+ Each value identifies an element in the RBAC permission hierarchy
315+ that can act as a scope (parent) or an entity (child) depending on
316+ the relationship direction.
317+
318+ This enum replaces the separate ``ScopeType`` and RBAC-subset of
319+ ``EntityType`` with a single unified type.
320+ """
321+
322+ # === Scope hierarchy ===
323+ DOMAIN = "domain"
324+ PROJECT = "project"
325+ USER = "user"
326+
327+ # === Root-query-enabled entities (scoped) ===
328+ SESSION = "session"
329+ VFOLDER = "vfolder"
330+ DEPLOYMENT = "deployment"
331+ MODEL_DEPLOYMENT = "model_deployment"
332+ KEYPAIR = "keypair"
333+ NOTIFICATION_CHANNEL = "notification_channel"
334+ NETWORK = "network"
335+ RESOURCE_GROUP = "resource_group"
336+ CONTAINER_REGISTRY = "container_registry"
337+ STORAGE_HOST = "storage_host"
338+ IMAGE = "image"
339+ ARTIFACT = "artifact"
340+ ARTIFACT_REGISTRY = "artifact_registry"
341+ SESSION_TEMPLATE = "session_template"
342+ APP_CONFIG = "app_config"
343+
344+ # === Root-query-enabled entities (superadmin-only) ===
345+ RESOURCE_PRESET = "resource_preset"
346+ USER_RESOURCE_POLICY = "user_resource_policy"
347+ KEYPAIR_RESOURCE_POLICY = "keypair_resource_policy"
348+ PROJECT_RESOURCE_POLICY = "project_resource_policy"
349+ ROLE = "role"
350+ AUDIT_LOG = "audit_log"
351+ EVENT_LOG = "event_log"
352+
353+ # === Auto-only entities used in permissions ===
354+ NOTIFICATION_RULE = "notification_rule"
355+
356+ # === Entity-level scopes (for entity-scope permissions) ===
357+ ARTIFACT_REVISION = "artifact_revision"
358+
359+
311360class RelationType (enum .StrEnum ):
312361 """Classification of parent-child entity edges in BEP-1048.
313362
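Review bot: The grouping of `RBACElementType` members into scoped, superadmin-only, auto-only and entity-level sets exists only in the `# === ... ===` section comments. A permission check therefore has nothing machine-readable to consult, and a member added under the wrong heading changes no behaviour. If any caller depends on that distinction (not visible in this hunk), define it next to the enum, for example as a module-level frozenset of the superadmin-only members, so the classification is reviewed and tested together with the values. Adding `@enum.unique` above the class would also turn an accidentally duplicated value into an import-time error instead of a silent alias of another element type. The docstring says this enum replaces `ScopeType`, which the hunk header shows is still defined, so a short comment on which of the two is authoritative during the migration would help readers of authorization code.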