Learn how to effectively manage permissions and access control in Thena Platform.

Permission Types

1. Resource Permissions

Resource permissions control access to specific objects within the platform:

{
  "resource": "ticket",
  "permissions": [
    "view",
    "create",
    "update",
    "delete",
    "assign",
    "comment"
  ]
}

2. Role-Based Permissions

Roles group permissions for common user types:

Role Definition
{
  "role": "team_lead",
  "description": "Team leader with management capabilities",
  "permissions": [
    {
      "resource": "team",
      "actions": ["view", "manage_members", "configure"],
      "scope": "assigned_teams"
    },
    {
      "resource": "ticket",
      "actions": ["view", "create", "update", "delete", "assign"],
      "scope": "team_tickets"
    }
  ]
}

3. Custom Permissions

Define custom permissions for specific needs:

Custom Permission
{
  "name": "approve_high_priority",
  "description": "Can approve high-priority tickets",
  "conditions": {
    "ticket.priority": "high",
    "user.level": "senior"
  }
}

Permission Hierarchy

Organization Level

  1. System Roles

    • Super Admin
    • Organization Admin
    • Billing Admin
  2. Custom Organization Roles

    • Department Heads
    • Regional Managers
    • Custom Roles

Team Level

  1. Default Team Roles

    • Team Lead
    • Team Member
    • Observer
  2. Custom Team Roles

    • Senior Agent
    • Junior Agent
    • Specialist

Permission Management

Creating Permissions

POST /v1/roles
{
  "name": "support_specialist",
  "description": "Specialized support role",
  "permissions": [
    {
      "resource": "ticket",
      "actions": ["view", "update", "comment"],
      "conditions": {
        "category": "technical"
      }
    }
  ]
}

Managing Permissions

  1. Direct Assignment

    • User to Role
    • User to Permission
    • Role to Permission
  2. Inheritance

    • Team Membership
    • Organization Structure
    • Role Hierarchy
  3. Temporary Access

    • Time-based grants
    • Project-based access
    • Emergency access

Access Policies

Policy Definition

Access Policy
{
  "name": "ticket_access_policy",
  "description": "Controls ticket access across teams",
  "rules": [
    {
      "effect": "allow",
      "actions": ["view", "comment"],
      "resources": ["ticket"],
      "conditions": {
        "team_id": "${user.team_id}"
      }
    },
    {
      "effect": "allow",
      "actions": ["assign", "update"],
      "resources": ["ticket"],
      "conditions": {
        "team_id": "${user.team_id}",
        "user.role": ["team_lead", "senior_agent"]
      }
    }
  ]
}

Policy Enforcement

  1. Runtime Evaluation

    • Context gathering
    • Rule matching
    • Decision making
  2. Conflict Resolution

    • Priority rules
    • Explicit denies
    • Inheritance resolution
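The runtime evaluation and explicit-deny conflict resolution described above, as an added worked example (not Thena's own code): a small evaluator that runs the ticket_access_policy from this page against a request context, resolving "${user.team_id}" placeholders, treating a list of condition values as "any of these", and letting any matching deny rule override allows, with no match meaning deny. The context shape (action, user, resource), the rule that an unprefixed condition key names a resource attribute, and the deny semantics are assumptions for the example.

```python
import re
from typing import Any

# The page's ticket_access_policy, compacted; "${user.team_id}" is resolved from the request context.
TICKET_POLICY = {
    "name": "ticket_access_policy",
    "rules": [
        {"effect": "allow", "actions": ["view", "comment"], "resources": ["ticket"],
         "conditions": {"team_id": "${user.team_id}"}},
        {"effect": "allow", "actions": ["assign", "update"], "resources": ["ticket"],
         "conditions": {"team_id": "${user.team_id}",
                        "user.role": ["team_lead", "senior_agent"]}},
    ],
}

_REF = re.compile(r"^\$\{(.+)\}$")

def _lookup(path: str, ctx: dict) -> Any:
    """Resolve a dotted path such as 'user.team_id' against the context; None if absent."""
    cur: Any = ctx
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def _condition_holds(key: str, expected: Any, ctx: dict) -> bool:
    # Assumption: an unprefixed key ("team_id") is an attribute of the resource being accessed.
    actual = _lookup(key if "." in key else f"resource.{key}", ctx)
    if isinstance(expected, str) and (m := _REF.match(expected)):
        expected = _lookup(m.group(1), ctx)  # substitute "${...}" from the context
    if isinstance(expected, list):  # a list of values means "any of these"
        return actual in expected
    # A missing attribute never satisfies a condition (None == None must not match).
    return actual is not None and actual == expected

def evaluate(policy: dict, ctx: dict) -> str:
    """Default deny; a matching explicit deny rule wins over any matching allow."""
    decision = "deny"
    for rule in policy["rules"]:
        if ctx["action"] not in rule["actions"] or ctx["resource"]["type"] not in rule["resources"]:
            continue
        if not all(_condition_holds(k, v, ctx) for k, v in rule.get("conditions", {}).items()):
            continue
        if rule["effect"] == "deny":
            return "deny"
        decision = "allow"
    return decision
```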

Best Practices

1. Permission Design

  • Follow least privilege principle
  • Group related permissions
  • Use descriptive names
  • Document permissions

2. Role Management

  • Limit custom roles
  • Regular role reviews
  • Clear role hierarchy
  • Document role purposes

3. Access Control

  • Regular access audits
  • Clear revocation process
  • Emergency access procedures
  • Access logging

Common Patterns

1. Team-Based Access

Team Access Pattern
{
  "pattern": "team_based_access",
  "implementation": {
    "base_role": "team_member",
    "inheritance": true,
    "scope": "team_resources",
    "escalation": {
      "conditions": ["sla_breach", "priority_high"],
      "escalate_to": "team_lead"
    }
  }
}

2. Progressive Access

Progressive Access
{
  "pattern": "progressive_access",
  "implementation": {
    "levels": [
      {
        "name": "trainee",
        "permissions": ["view", "comment"],
        "duration": "2_weeks"
      },
      {
        "name": "junior_agent",
        "permissions": ["view", "comment", "update"],
        "requirements": ["training_complete"]
      },
      {
        "name": "senior_agent",
        "permissions": ["view", "comment", "update", "assign"],
        "requirements": ["performance_metrics", "tenure"]
      }
    ]
  }
}

Next Steps