
GL_InstanceRole

Represents an instance-level permission role. Four synthetic GL_InstanceRole nodes are always created: Unauthenticated, External, Member, and Administrator. These nodes model instance-wide authentication and authorization tiers and serve as the root of the RBAC graph. Real users receive a GL_HasRole edge to whichever role applies to them. Permissions that vary by instance configuration (sign-up, public access to repositories, etc.) are modeled as capability edges originating from these role nodes.

Properties

| Property Name | Data Type | Description |
|---|---|---|
| name | string | Human-readable role name: Unauthenticated, External, Member, or Administrator |
| short_name | string | Short identifier used in Cypher queries: noauth, external, member, or admin |
| description | string | Description of the user population represented by this role |
| query_assignment | string | Cypher query that returns all users holding this role directly (stored on the Member, External, and Administrator nodes; Unauthenticated has no users, so it carries none) |

Role Hierarchy

The four roles form a strict inheritance chain via GL_HasBaseRole edges. Each edge points from a role to the role whose permissions it inherits:

Administrator → Member → External → Unauthenticated

This means Administrator subsumes all Member permissions, Member subsumes all External permissions, and External subsumes all Unauthenticated permissions. A capability edge therefore only needs to hang off the least-privileged role that holds it; every role above it in the chain reaches the same capability by following GL_HasBaseRole edges, so queries that compute what a user can do must traverse GL_HasBaseRole transitively (zero or more hops) rather than reading only the edges attached to the user's own role.
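The following is an added example, not code from this project: a small in-memory model of the GL_InstanceRole subgraph that shows how effective instance-level permissions are resolved by walking the GL_HasBaseRole chain. The role names, short names and edge types are the ones documented on this page; the instance settings, the user records, the rule that maps a user to a role (admin flag, then external flag, else Member) and the choice of which role each configuration-dependent edge hangs off are assumptions made for illustration. The two Cypher strings are hand-written to mirror the `query_assignment` property and the transitive traversal; they are not queries shipped by the project.

```python
"""Resolve effective GL_InstanceRole permissions through GL_HasBaseRole.

Added example (not project code). Role and edge names follow the page;
settings, users and the user-to-role rule are assumptions.
"""
from dataclasses import dataclass

# short_name -> human-readable name, as documented on the page.
ROLES = {"noauth": "Unauthenticated", "external": "External",
         "member": "Member", "admin": "Administrator"}

# Strict inheritance chain: each role has exactly one GL_HasBaseRole edge
# to the role it inherits from; Unauthenticated is the root.
GL_HAS_BASE_ROLE = {"admin": "member", "member": "external",
                    "external": "noauth", "noauth": None}


@dataclass
class InstanceSettings:
    """Assumed instance configuration toggles."""
    signup_enabled: bool = True        # GL_CanSignUp edge present?
    public_repositories: bool = True   # GL_CanPull for anyone?


@dataclass
class User:
    name: str
    is_admin: bool = False
    is_external: bool = False


def instance_role_for(user):
    """Assumed GL_HasRole assignment: admin flag wins, then external, else Member."""
    if user.is_admin:
        return "admin"
    if user.is_external:
        return "external"
    return "member"


def base_role_chain(short_name):
    """Roles reachable by GL_HasBaseRole*0.. starting at short_name (inclusive)."""
    chain, cur = [], short_name
    while cur is not None:
        chain.append(cur)
        cur = GL_HAS_BASE_ROLE[cur]
    return chain


def capability_edges(settings):
    """(role, edge_type, target) capability edges for a given configuration.

    Which role carries each edge is an assumption: configuration-dependent
    edges (sign-up, public pull) hang off Unauthenticated, the rest off Member.
    """
    edges = [("member", "GL_CanCreateGroup", "GL_Instance"),
             ("member", "GL_CanCreateProject", "GL_Instance"),
             ("member", "GL_CanRequestAccess", "GL_Group")]
    if settings.signup_enabled:
        edges.append(("noauth", "GL_CanSignUp", "GL_Instance"))
    if settings.public_repositories:
        edges.append(("noauth", "GL_CanPull", "GL_Repository"))
    return edges


def effective_capabilities(user, settings):
    """Everything reachable via GL_HasRole -> GL_HasBaseRole*0.. -> capability edge."""
    inherited = set(base_role_chain(instance_role_for(user)))
    return sorted({(etype, target)
                   for role, etype, target in capability_edges(settings)
                   if role in inherited})


def assignment_query(short_name):
    """Cypher in the spirit of query_assignment: users holding the role directly."""
    return ("MATCH (u:GL_User)-[:GL_HasRole]->"
            f"(r:GL_InstanceRole {{short_name: '{short_name}'}}) RETURN u")


def capability_query():
    """Cypher for the transitive traversal over the real graph (assumed shape):
    walk GL_HasBaseRole zero or more hops, staying on GL_InstanceRole nodes,
    then follow any outgoing edge that is not itself GL_HasBaseRole."""
    return ("MATCH (u:GL_User)-[:GL_HasRole]->(:GL_InstanceRole)"
            "-[:GL_HasBaseRole*0..]->(base:GL_InstanceRole)-[cap]->(t) "
            "WHERE type(cap) <> 'GL_HasBaseRole' "
            "RETURN u, base.short_name, type(cap), labels(t)")


if __name__ == "__main__":
    cfg = InstanceSettings()
    for u in (User("alice", is_admin=True), User("bob"), User("eve", is_external=True)):
        print(ROLES[instance_role_for(u)], u.name, effective_capabilities(u, cfg))
```

Note the failure mode this makes visible: disabling sign-up or public repositories removes the edges from the Unauthenticated node, and because the traversal is transitive, every role above it loses them in the same query, whereas a query that only read edges attached to the user's own role would silently miss everything inherited.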

Diagram

```mermaid
flowchart TD
    GL_User[fa:fa-user GL_User]
    GL_GroupRole[fa:fa-user-tie GL_GroupRole]
    GL_ProjectRole[fa:fa-user-tie GL_ProjectRole]
    GL_Instance[fa:fa-building GL_Instance]
    GL_Repository[fa:fa-box-archive GL_Repository]
    GL_Project[fa:fa-diagram-project GL_Project]
    Secret[fa:fa-key Secret]
    GL_InstanceRole[fa:fa-user-tie GL_InstanceRole]
    GL_Group[fa:fa-user-group GL_Group]

    GL_User -->|GL_HasRole| GL_InstanceRole
    GL_InstanceRole -->|GL_HasBaseRole| GL_InstanceRole
    GL_InstanceRole -->|GL_HasBaseRole| GL_GroupRole
    GL_InstanceRole -->|GL_HasBaseRole| GL_ProjectRole
    GL_InstanceRole -.->|GL_CanSignUp| GL_Instance
    GL_InstanceRole -.->|GL_CanCreateGroup| GL_Instance
    GL_InstanceRole -.->|GL_CanCreateProject| GL_Instance
    GL_InstanceRole -.->|GL_CanRequestAccess| GL_Group
    GL_InstanceRole -.->|GL_CanPull| GL_Repository
    GL_InstanceRole -.->|GL_DownloadJobArtifacts| GL_Project
    GL_InstanceRole -.->|GL_ViewJobLogs| GL_Project
    GL_InstanceRole -->|GL_CanReadSecret| Secret
    GL_InstanceRole -->|GL_RenovateInviteAndTakeover| GL_User
```

Dashed edges are the configuration-dependent capabilities described above; solid edges are always present when their preconditions hold.