Skip to main content

Configure Roles and Permissions

CRAFT uses OpenFGA for Relationship-Based Access Control (ReBAC). This guide covers setting up roles, assigning permissions, and configuring the permission inheritance model across organizations, projects, and resources.

Prerequisites

Before you begin, ensure you have:
  • A running CRAFT with the Governance service bootstrapped
  • Administrative access (the admin or owner role on the target organization)
  • A valid JWT token for the admin user
  • The OpenFGA schema loaded during Governance bootstrap

How Permissions Work

The platform uses a relationship-based model rather than traditional role-based access control. Permissions are computed at query time from relationships between users, roles, and resources.

Role Hierarchy

RoleScopeCapabilities
ownerOrganizationFull control, can transfer ownership, manage all settings
adminOrganization / ProjectManage users, projects, settings. Cannot transfer organization ownership
memberProjectStandard access to project resources
developerProjectCreate and modify agents, data connections, workflows
operatorProjectDeploy, schedule, and monitor resources
viewerProjectRead-only access to all resources

Computed Permissions

Permissions are derived from roles via the OpenFGA schema:
Permissionowneradminmemberdeveloperoperatorviewer
can_readYesYesYesYesYesYes
can_writeYesYesYesYesNoNo
can_deleteYesYesNoNoNoNo
can_executeYesYesYesYesYesNo
can_manage_secretsYesYesNoNoNoNo

Step 1: Understand the OpenFGA Schema

The permission model is defined in the OpenFGA Schema DSL. Key type definitions used by the platform:

Step 2: Grant a role on a resource

The Governance API exposes a single grant endpoint that is used for every role-on-resource combination — there is no separate “add organization member” or “add project member” endpoint. A “role assignment” is a tuple (user_or_group, relation, resource_type:resource_id) written to the OpenFGA store via POST /governance/permissions/grant.
Response (200 OK):
The same endpoint also assigns project-scoped roles — change resource_type to project and resource_id to the project UUID:
Same shape for any resource type: artifact, data_connection, secret, etc. The relation must be one of the role names defined on that resource type in the OpenFGA schema (Step 1).

Permission Inheritance

Roles inherit downward through the hierarchy because the OpenFGA schema expresses each role on a child as derivable from its parent:
1

Organization owner

Automatically has admin-level permissions on all projects and resources within the organization.
2

Organization admin

Automatically has admin-level permissions on all projects. Can create and delete projects.
3

Project developer

Has can_read, can_write, and can_execute on all resources within the specific project. Cannot delete resources or manage secrets.
4

Project viewer

Has can_read only. Cannot modify, execute, or delete any resource.
When you create a child resource (e.g. an artifact within a project), register the parent relationship so inheritance applies:

Step 3: Check or list permissions

Two read endpoints answer the common questions:
Response (200 OK): the response body for an allowed call is null (absence of a 403 body means the action is permitted). A denied check returns 403 Forbidden.
Response (200 OK):
Each entry is <resource_type>:<resource_id>, with resource_id echoing the canonical resource_uri for agent / data_connection / artifact resources.

Step 4: Revoke a role

POST /governance/permissions/revoke mirrors grant:
Response (200 OK):
To delete every permission tuple for a resource (e.g. before deleting the resource itself), use POST /governance/permissions/delete-all:
Response includes deleted_count so you can confirm the sweep.

Common Permission Patterns

Assign viewer on the project containing data connections and dashboards. Users can run queries via Data Insights but cannot modify data connections or agent configurations.
Assign operator on the target project. Operators can deploy agents, trigger schedules, and monitor health, but cannot modify agent code or data connection credentials.
Create Keycloak client credentials and assign developer or operator on the target project. Service accounts authenticate via client credentials grant and have the same permission model as human users.
A user can have different roles on different projects within the same organization. Assign roles per project to implement least-privilege access.

Integration with SSO Groups

When SSO is configured, IdP groups map through Keycloak to OpenFGA:
This pipeline automates role assignment when users are provisioned via SSO. See the SSO Integration guide for configuring the IdP side.

Troubleshooting

Verify the OpenFGA schema is loaded by checking Governance bootstrap logs. Ensure the user’s JWT contains the correct groups claim. Confirm the user has been assigned a role on the target project.
Check that the project has a parent relationship to the organization in OpenFGA. This is set automatically when projects are created via the Governance API.
OpenFGA evaluates permissions at query time — there is no caching delay. If changes are not reflected, verify the role assignment was successful by listing members on the project.

Next Steps

SSO Integration

Configure SSO to automate group-to-role mapping from your IdP.

Authorization Deep Dive

Learn about the full OpenFGA schema and computed permissions model.

Multi-Tenancy

Understand how permissions integrate with the multi-tenant architecture.

Security Overview

Review the complete security model including authentication and data protection.