10 — Permissions and Governance

The Admin Console controls model behavior for the whole application. Its permissions must be stricter than ordinary runtime CRUD.

Permission Categories

Model Administration

```text
model.read
model.create_draft
model.edit_draft
model.validate
model.publish
model.archive
model.audit.read
```

Metadata-Specific Permissions

```text
model.entity_type.create
model.entity_type.update
model.entity_type.delete
model.property_definition.create
model.property_definition.update
model.property_definition.delete
model.relationship_definition.create
model.relationship_definition.update
model.relationship_definition.delete
model.template.create
model.template.update
model.template.delete
```

Runtime Entity Permissions

```text
entity.read
entity.create
entity.update
entity.delete
entity.restore
entity.purge
entity.move
entity.relationship.create
entity.relationship.delete
entity.property.update
entity.tag.update
```

Root Entity Scope

Users may be scoped to one or more root entities.

Runtime actions should require that the target entity is inside at least one allowed root tree.

Conceptually, in PostgreSQL ltree notation (where `<@` is true when the left path equals the right path or is a descendant of it):

```text
target.path <@ allowedRoot.path
```

This applies to:

  • entity reads,
  • entity writes,
  • property updates,
  • tag assignments,
  • relationship changes,
  • secret metadata,
  • secret reveal/copy,
  • remote sessions,
  • audit queries.
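The scope check above, as an added example that is not part of the original design document: a small authorization function that requires the permission and, for runtime (`entity.*`) actions, a target inside at least one allowed root, using label-wise path containment equivalent to ltree `<@`. The `Principal` type, the `authz.*` event names and the sample paths are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
import uuid

RUNTIME_PREFIXES = ("entity.",)  # runtime actions need a target inside an allowed root


@dataclass(frozen=True)
class Principal:  # hypothetical shape; the page does not define a user record
    user_id: str
    permissions: frozenset  # e.g. {"entity.read", "model.publish"}
    allowed_roots: tuple    # ltree-style paths, e.g. ("org.acme.eu",)


def path_within(target: str, root: str) -> bool:
    """Label-wise equivalent of PostgreSQL ltree `target <@ root`: true when
    target is root itself or a descendant of it. Comparing label lists rather
    than string prefixes keeps root 'org.acme' from matching 'org.acmecorp'."""
    t, r = target.split("."), root.split(".")
    return t[: len(r)] == r


def in_allowed_root(principal: Principal, target_path: str) -> bool:
    return any(path_within(target_path, root) for root in principal.allowed_roots)


def authorize(principal: Principal, permission: str,
              target_path: str = None, request_id: str = None):
    """Decide one action; return (allowed, audit_event) so every decision is logged."""
    is_runtime = permission.startswith(RUNTIME_PREFIXES)
    if permission not in principal.permissions:
        reason = "missing_permission"
    elif is_runtime and target_path is None:
        reason = "runtime_action_requires_target"  # never skip the scope check
    elif is_runtime and not in_allowed_root(principal, target_path):
        reason = "target_outside_allowed_roots"
    else:
        reason = None
    event = {  # event names are hypothetical; payload fields follow the audit section
        "event": "authz.denied" if reason else "authz.allowed",
        "actor": principal.user_id,
        "permission": permission,
        "target": target_path,
        "reason": reason,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "request_id": request_id or str(uuid.uuid4()),
    }
    return reason is None, event
```

Model permissions such as `model.publish` are global here, matching the "global model first" recommendation; a tenant-scoped model would add a root check for `model.*` actions as well.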

Model Admin Scope

Model administration may be global or tenant-scoped.

Global Model

A global model applies to the entire app.

Suitable when:

  • one organization controls the platform,
  • all tenants share the same schema,
  • model changes are developer/operator-owned.

Tenant Model

A tenant model allows each tenant/root to customize entity types and properties.

Suitable when:

  • tenants need different models,
  • customization is a product feature,
  • isolation and governance are mature.

Recommended Alpha approach:

```text
Global model first.
Tenant-specific model overrides later if required.
```

Audit Events

Every model change should write audit events.

Examples:

```text
model.draft.created
model.entity_type.created
model.property_definition.updated
model.relationship_definition.deleted
model.validation.completed
model.published
model.publish.failed
```

Audit payload should include:

  • actor,
  • model version,
  • target metadata id,
  • previous value if appropriate,
  • new value if appropriate,
  • timestamp,
  • request id.

Approval Workflow

For a small team, do not overbuild approval workflows initially.

Recommended Alpha:

  • users with model.publish can publish,
  • destructive changes require explicit confirmation,
  • all publishes are audited.

Future:

  • two-person approval,
  • change request review,
  • environment promotion,
  • scheduled publishing,
  • tenant-specific approvals.

Security Rule

Do not allow metadata configuration to bypass security-sensitive application code.

Examples:

  • metadata can define a secret reference property,
  • metadata cannot reveal the secret,
  • metadata can define a remote connection method,
  • metadata cannot start a remote session without remote session service authorization.