Permission scopes

Internal (dashboard) authority is expressed as axowl.{resource}.{action} scopes. The catalog is seeded per platform and referenced by org roles.

axowl.{resource}.{action}
  • Resources (AxowlDataSeeder.GetInternalPermissions, also whitelisted in RoleEndpoints.cs:161): organization, application, user, billing, policy, settings, role, permission, seal, audit.
  • Actions: create, read, update, delete, manage.
  • Wildcards: axowl.{resource}.* (all actions on a resource) and axowl.* (everything).

A granted scope matches a required scope per IdentityServiceImpl.MatchScope (:263):

  • * matches everything.
  • x.* matches x.anything and x itself.
  • otherwise exact match (case-insensitive).

So a member holding axowl.settings.* satisfies a check for axowl.settings.update.

Catalog entries carry a PermissionLevel (Read, Write, Admin, Owner) used for the MembershipType projection — e.g. delete/manage are Admin, the axowl.* superset is Owner.

Role         Holds
ORG_OWNER    axowl.*
ORG_ADMIN    every axowl.{resource}.* + axowl.billing.read (not billing.*)
ORG_MEMBER   axowl.organization.read, axowl.application.read, axowl.user.read, axowl.settings.read, axowl.audit.read
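The matching rules and the role table above, as an added stand-alone illustration (this is not the project's IdentityServiceImpl.MatchScope; the function names and the reading of ORG_ADMIN as "wildcard on every resource except billing, plus billing.read" are this example's assumptions):

```python
# Added example: a stand-alone re-implementation of the scope matching
# rules described above. It is not the project's IdentityServiceImpl.MatchScope;
# the names and the role expansion are this example's own reading of the page.
from typing import Iterable

RESOURCES = ("organization", "application", "user", "billing", "policy",
             "settings", "role", "permission", "seal", "audit")


def match_scope(granted: str, required: str) -> bool:
    """Does one granted scope satisfy one required scope?

    Rules: "*" matches everything; "x.*" matches "x.<anything>" and "x"
    itself; anything else must be an exact, case-insensitive match.
    """
    g, r = granted.strip().lower(), required.strip().lower()
    if g == "*":
        return True
    if g.endswith(".*"):
        prefix = g[:-2]
        # Match on segment boundaries only: "axowl.seal.*" must not
        # satisfy "axowl.sealing.read".
        return r == prefix or r.startswith(prefix + ".")
    return g == r


def has_scope(held: Iterable[str], required: str) -> bool:
    """True if any scope the member holds satisfies the required scope."""
    return any(match_scope(g, required) for g in held)


def role_scopes(role: str) -> set[str]:
    """Scopes held by the built-in org roles, per the table on this page.
    ORG_ADMIN is read here as: wildcard on every resource except billing,
    plus axowl.billing.read (assumption about the table's wording)."""
    if role == "ORG_OWNER":
        return {"axowl.*"}
    if role == "ORG_ADMIN":
        return {f"axowl.{r}.*" for r in RESOURCES if r != "billing"} | {"axowl.billing.read"}
    if role == "ORG_MEMBER":
        return {f"axowl.{r}.read" for r in
                ("organization", "application", "user", "settings", "audit")}
    raise ValueError(f"unknown role: {role}")


def check(role: str, required: str) -> bool:
    """Does a member holding only this role pass the required scope check?"""
    return has_scope(role_scopes(role), required)
```

Note that the wildcard match stops at a dot boundary, so a granted `axowl.seal.*` does not leak onto a hypothetical `axowl.sealing.*` resource.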