Roles and RBAC
Shoehorn uses role-based access control (RBAC) powered by Cerbos to manage permissions. Roles determine what users can see and do in the platform.
Role Hierarchy
Section titled “Role Hierarchy”Tenant-Level Roles
Section titled “Tenant-Level Roles”| Role | Description |
|---|---|
tenant:admin | Full access to everything in the tenant |
tenant:viewer | Read-only access to all resources |
Resource-Specific Roles
Section titled “Resource-Specific Roles”| Role | Permissions |
|---|---|
| Entity | |
entity:viewer | View and list entities |
entity:editor | Create and update entities |
entity:admin | Delete entities |
| Workflow | |
workflow:viewer | View and list workflows |
workflow:executor | Create, execute, cancel own runs, retry own runs |
workflow:admin | Delete workflows, cancel/retry any run |
| Mold (Template) | |
mold:viewer | View and list molds |
mold:editor | Create and update own molds |
mold:publisher | Publish molds |
mold:admin | Delete molds |
| Operations | |
operations:viewer | View workloads and services |
operations:operator | Update operations resources |
operations:admin | Delete operations resources |
| Admin | |
admin:viewer | View audit logs and analytics |
admin:operator | Manage users, integrations, dashboards |
| Marketplace | |
marketplace:viewer | Browse marketplace |
marketplace:editor | Install and configure items |
Role Inheritance
Section titled “Role Inheritance”Higher roles include all permissions of lower roles:
entity:admin -> entity:editor -> entity:viewerworkflow:admin -> workflow:executor -> workflow:viewermold:admin -> mold:publisher -> mold:editor -> mold:viewertenant:admin -> all resource rolesAssigning Roles
Section titled “Assigning Roles”Via the UI
Section titled “Via the UI”- Navigate to Admin > Users
- Select a user
- Click Add Role
- Select the role
- Click Save
Via the API
Section titled “Via the API”# Add a role to a usercurl -X POST https://shoehorn.example.com/api/v1/admin/users/<user-id>/roles \ -H "Authorization: Bearer <token>" \ -H "Content-Type: application/json" \ -d '{"role": "entity:editor"}'
# Remove a role from a usercurl -X DELETE https://shoehorn.example.com/api/v1/admin/users/<user-id>/roles \ -H "Authorization: Bearer <token>" \ -H "Content-Type: application/json" \ -d '{"role": "entity:editor"}'Listing Role Assignments
Section titled “Listing Role Assignments”curl https://shoehorn.example.com/api/v1/admin/roles \ -H "Authorization: Bearer <token>"Returns all role assignments with user details.
Ownership-Based Access
Section titled “Ownership-Based Access”Some operations are restricted by ownership:
- Workflow cancel/retry:
workflow:executorcan only cancel or retry their own runs - Mold update:
mold:editorcan only update molds they created workflow:adminandmold:admincan operate on any resource
How Authorization Works
Section titled “How Authorization Works”- User authenticates (OIDC session or API key)
- Middleware extracts user roles from the database
- For each request, Cerbos evaluates:
- User’s roles
- Target resource type and ID
- Requested action
- Tenant isolation (user’s tenant must match resource’s tenant)
- Access is granted or denied
Authorization for API Keys
Section titled “Authorization for API Keys”API keys use scope-based authorization instead of roles. See API Keys.
Fail-Closed Security
Section titled “Fail-Closed Security”If a user has no roles assigned, all requests return 403 Forbidden. There are no implicit permissions.
RBAC Audit
Section titled “RBAC Audit”When RBAC_AUDIT_ENABLED=true, all role changes are logged:
- Role assignments and removals
- Who made the change
- Timestamp
- Affected user
View audit logs in Admin > Audit Log.