Add role hierarchy and temporary assignments #55

Description

@Lakes41

Difficulty: Advanced

Type: Feature

Summary

Extend role handling so roles can have hierarchy and optional expiry timestamps. This supports time-limited contributors, elevated admins, and richer access rules.

Current Behaviour

Roles are treated as simple assignments such as member, contributor, and admin. There is no visible support for role hierarchy or temporary role assignment expiry.

Expected Behaviour

The policy engine and API should understand hierarchical roles and ignore expired role assignments when resolving effective permissions.

Suggested Implementation

Add optional expiresAt to role assignments and define role hierarchy semantics. Update resolveEffectiveRoles and policy evaluation to consider active role windows and inherited permissions.

Files or Areas Likely Affected

  • apps/access-api/prisma/schema.prisma
  • packages/policy-engine/src/index.ts
  • packages/shared-types/src/index.ts
  • apps/access-api/src/services/memberService.ts
  • packages/policy-engine/test/

Acceptance Criteria

  • Role assignments can optionally expire
  • Expired role assignments do not grant access
  • Admin can imply contributor/member permissions if hierarchy is enabled
  • Role hierarchy behaviour is documented
  • Tests cover temporary roles, expired roles, and inherited roles
  • Existing simple role checks remain backwards-compatible

Additional Notes

Keep hierarchy explicit and predictable. Do not introduce arbitrary role graphs unless maintainers approve that model.
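A sketch of how the resolution step could behave, given as an added example and not taken from the project's code. It assumes a fixed linear hierarchy (admin implies contributor implies member), ISO 8601 `expiresAt` strings, and a hypothetical `hierarchyEnabled` flag and `hasRole` helper; the real signature of `resolveEffectiveRoles` is not shown in the issue.

```typescript
// Added example: only expiresAt and resolveEffectiveRoles are named in the issue; the rest is assumed.
type Role = "member" | "contributor" | "admin";
interface RoleAssignment {
  role: Role;
  expiresAt?: string | null; // ISO 8601; absent or null means the assignment never expires
}

// Explicit, fixed hierarchy: each role lists exactly what it implies. No arbitrary graph.
const IMPLIES: Record<Role, Role[]> = {
  member: [],
  contributor: ["member"],
  admin: ["contributor", "member"],
};
const ORDER: Role[] = ["member", "contributor", "admin"];

function isActive(a: RoleAssignment, now: Date): boolean {
  if (a.expiresAt === undefined || a.expiresAt === null) return true;
  const t = Date.parse(a.expiresAt);
  if (isNaN(t)) return false; // fail closed: an unparseable timestamp never grants access
  return now.getTime() < t; // the expiry instant itself counts as expired
}

function resolveEffectiveRoles(
  assignments: RoleAssignment[],
  now: Date,
  hierarchyEnabled = false, // off by default so simple role checks behave as before
): Role[] {
  const granted: Role[] = [];
  for (const a of assignments) {
    // Role strings read from storage that are not in the hierarchy are ignored.
    if (!(a.role in IMPLIES) || !isActive(a, now)) continue;
    const roles = hierarchyEnabled ? [a.role].concat(IMPLIES[a.role]) : [a.role];
    for (const r of roles) if (granted.indexOf(r) === -1) granted.push(r);
  }
  return ORDER.filter((r) => granted.indexOf(r) !== -1);
}

function hasRole(assignments: RoleAssignment[], required: Role, now: Date, hierarchyEnabled = false): boolean {
  return resolveEffectiveRoles(assignments, now, hierarchyEnabled).indexOf(required) !== -1;
}

// Constructed sample data for illustration.
const NOW = new Date("2024-06-01T12:00:00Z");
const SAMPLE: RoleAssignment[] = [
  { role: "member" },
  { role: "contributor", expiresAt: "2024-06-30T00:00:00Z" },
  { role: "admin", expiresAt: "2024-06-01T12:00:00Z" }, // expires exactly at NOW
];
```

Passing `now` in as a parameter keeps the expiry boundary testable without mocking the clock.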

Labels: GrantFox OSS, Maybe Rewarded, Official Campaign
