Open
Labels: enhancement (New feature or request)
Description
Summary
The SSO app currently uses Better Auth's default organization roles (owner, admin, member). We need to add custom roles for more granular permissions.
Custom Roles Needed
- Manager - Can manage members and their roles
- Proctor - Can manage assessments and exams
- Editor - Can create and edit content
Technical Implementation
Better Auth supports custom roles via createAccessControl() and ac.newRole(). This requires:
- Create src/lib/permissions.ts with static role definitions:

```ts
import { createAccessControl } from "better-auth/plugins/access";

// Every resource and the actions that can be granted on it.
const statement = {
  organization: ["create", "update", "delete"],
  member: ["create", "update", "delete"],
  invitation: ["create", "cancel"],
  content: ["create", "update", "delete"],
  assessment: ["create", "update", "delete", "grade"],
} as const;

export const ac = createAccessControl(statement);

// Manager: manages members, their roles and invitations.
export const manager = ac.newRole({
  organization: ["update"],
  member: ["create", "update", "delete"],
  invitation: ["create", "cancel"],
});

// Proctor: manages assessments and exams.
export const proctor = ac.newRole({
  assessment: ["create", "update", "delete", "grade"],
});

// Editor: creates and edits content.
export const editor = ac.newRole({
  content: ["create", "update", "delete"],
});
```

- Update auth.ts to use the access control:

```ts
import { ac, manager, proctor, editor } from "./permissions";

// In the existing organization() plugin call:
organization({
  ac,
  roles: { manager, proctor, editor },
  // ... existing config
})
```

- Update UI components to use the full role set
Files to Modify
- apps/sso/src/lib/auth.ts - Add access control config
- apps/sso/src/lib/permissions.ts - Create new file
- apps/sso/src/types/organization.ts - Already has the types
- apps/sso/src/app/account/organizations/[orgId]/settings/members/components/*.tsx - Enable custom roles in UI
Context
- Spec: specs/sso-org-management/spec.md
- Plan: specs/sso-org-management/plan.md
- Current org UI implementation is complete with default roles
Priority
Medium - Can ship with default roles, custom roles are an enhancement
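
The role matrix from the Technical Implementation section, as an added example that is not part of the original issue or the project's code: a plain-data mirror of the statement and roles with a deny-by-default check, a check for grants the statement never declares, and an assumed guard on role assignment. It does not call Better Auth; `NONE`, `own`, `actions`, `can`, `undeclaredGrants` and `mayAssign` are hypothetical names.

```typescript
// Added example: plain-data mirror of the role matrix proposed in this issue.
// It does not call Better Auth; every helper below is hypothetical.
type Grants = { readonly [resource: string]: readonly string[] };

const statement: Grants = {
  organization: ["create", "update", "delete"],
  member: ["create", "update", "delete"],
  invitation: ["create", "cancel"],
  content: ["create", "update", "delete"],
  assessment: ["create", "update", "delete", "grade"],
};
const roles: { readonly [role: string]: Grants } = {
  manager: { organization: ["update"], member: ["create", "update", "delete"], invitation: ["create", "cancel"] },
  proctor: { assessment: ["create", "update", "delete", "grade"] },
  editor: { content: ["create", "update", "delete"] },
};
const NONE: Grants = {};

// Own-property test, so inherited names such as "constructor" never match.
const own = (o: object, k: string): boolean => Object.prototype.hasOwnProperty.call(o, k);

// Actions listed for a resource; empty for anything not explicitly granted.
function actions(grants: Grants, resource: string): readonly string[] {
  return own(grants, resource) ? grants[resource] ?? [] : [];
}

// Deny by default: an unknown role, resource or action is refused.
function can(role: string, resource: string, action: string): boolean {
  return own(roles, role) && actions(roles[role] ?? NONE, resource).indexOf(action) !== -1;
}

// Grants a role carries that the statement never declares (typos, stale actions).
function undeclaredGrants(grants: Grants): string[] {
  const bad: string[] = [];
  for (const resource of Object.keys(grants)) {
    for (const action of actions(grants, resource)) {
      if (actions(statement, resource).indexOf(action) === -1) bad.push(`${resource}:${action}`);
    }
  }
  return bad;
}

// Assumed escalation guard: an actor may assign a role only if it can update
// members and already holds every permission the target role carries.
function mayAssign(actorRole: string, targetRole: string): boolean {
  if (!own(roles, targetRole) || !can(actorRole, "member", "update")) return false;
  const target: Grants = roles[targetRole] ?? NONE;
  return Object.keys(target).every((r) => actions(target, r).every((a) => can(actorRole, r, a)));
}
```

Under the assumed guard, a manager can assign the manager role but not proctor or editor, because it holds no assessment or content permissions.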