Learn how to effectively manage permissions and access control in Thena Platform.

Permission Types

1. Resource Permissions

Resource permissions control access to specific objects within the platform:
{
  "resource": "ticket",
  "permissions": [
    "view",
    "create",
    "update",
    "delete",
    "assign",
    "comment"
  ]
}

2. Role-Based Permissions

Roles group permissions for common user types:
Role Definition
{
  "role": "team_lead",
  "description": "Team leader with management capabilities",
  "permissions": [
    {
      "resource": "team",
      "actions": ["view", "manage_members", "configure"],
      "scope": "assigned_teams"
    },
    {
      "resource": "ticket",
      "actions": ["view", "create", "update", "delete", "assign"],
      "scope": "team_tickets"
    }
  ]
}

3. Custom Permissions

Define custom permissions for specific needs:
Custom Permission
{
  "name": "approve_high_priority",
  "description": "Can approve high-priority tickets",
  "conditions": {
    "ticket.priority": "high",
    "user.level": "senior"
  }
}

Permission Hierarchy

Organization Level

  1. System Roles
    • Super Admin
    • Organization Admin
    • Billing Admin
  2. Custom Organization Roles
    • Department Heads
    • Regional Managers
    • Custom Roles

Team Level

  1. Default Team Roles
    • Team Lead
    • Team Member
    • Observer
  2. Custom Team Roles
    • Senior Agent
    • Junior Agent
    • Specialist

Permission Management

Creating Permissions

POST /v1/roles
{
  "name": "support_specialist",
  "description": "Specialized support role",
  "permissions": [
    {
      "resource": "ticket",
      "actions": ["view", "update", "comment"],
      "conditions": {
        "category": "technical"
      }
    }
  ]
}

Managing Permissions

  1. Direct Assignment
    • User to Role
    • User to Permission
    • Role to Permission
  2. Inheritance
    • Team Membership
    • Organization Structure
    • Role Hierarchy
  3. Temporary Access
    • Time-based grants
    • Project-based access
    • Emergency access

Access Policies

Policy Definition

Access Policy
{
  "name": "ticket_access_policy",
  "description": "Controls ticket access across teams",
  "rules": [
    {
      "effect": "allow",
      "actions": ["view", "comment"],
      "resources": ["ticket"],
      "conditions": {
        "team_id": "${user.team_id}"
      }
    },
    {
      "effect": "allow",
      "actions": ["assign", "update"],
      "resources": ["ticket"],
      "conditions": {
        "team_id": "${user.team_id}",
        "user.role": ["team_lead", "senior_agent"]
      }
    }
  ]
}

Policy Enforcement

  1. Runtime Evaluation
    • Context gathering
    • Rule matching
    • Decision making
  2. Conflict Resolution
    • Priority rules
    • Explicit denies
    • Inheritance resolution
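
An added example, not Thena's own code, that runs the ticket_access_policy from the Policy Definition section through context gathering, rule matching and decision making. It assumes semantics the page does not specify: default deny, an explicit deny overriding any allow, `user.`-prefixed condition keys reading the user and all other keys reading the resource, list values meaning membership, and `${user.<attr>}` filled in from the user context; the sample contexts are constructed.

```python
import re

# Rules copied from the "Policy Definition" section of this page.
POLICY = {
    "rules": [
        {"effect": "allow", "actions": ["view", "comment"], "resources": ["ticket"],
         "conditions": {"team_id": "${user.team_id}"}},
        {"effect": "allow", "actions": ["assign", "update"], "resources": ["ticket"],
         "conditions": {"team_id": "${user.team_id}",
                        "user.role": ["team_lead", "senior_agent"]}},
    ],
}

_VAR = re.compile(r"^\$\{user\.(\w+)\}$")

def _expected(value, user):
    # Resolve a "${user.<attr>}" placeholder; any other value is used literally.
    m = _VAR.match(value) if isinstance(value, str) else None
    return user.get(m.group(1)) if m else value

def _condition_holds(key, value, user, resource):
    # Assumption: "user.<attr>" keys read the user, other keys read the resource.
    actual = user.get(key[5:]) if key.startswith("user.") else resource.get(key)
    expected = _expected(value, user)
    if actual is None or expected is None:
        return False  # fail closed: a missing attribute never satisfies a condition
    if isinstance(expected, list):
        return actual in expected
    return actual == expected

def evaluate(policy, user, action, resource_type, resource):
    """Return 'allow' or 'deny' (assumed: default deny, explicit deny wins)."""
    decision = "deny"
    for rule in policy["rules"]:
        if action not in rule["actions"] or resource_type not in rule["resources"]:
            continue
        if not all(_condition_holds(k, v, user, resource)
                   for k, v in rule.get("conditions", {}).items()):
            continue
        if rule["effect"] == "deny":
            return "deny"  # a matching deny ends evaluation immediately
        decision = "allow"
    return decision

# Constructed sample contexts (not from the page).
LEAD = {"team_id": "t1", "role": "team_lead"}
AGENT = {"team_id": "t1", "role": "team_member"}
TICKET = {"team_id": "t1"}
```

The fail-closed branch matters for the templated `team_id` condition: without it, a user and a ticket that both lack a team would compare equal and be granted access.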

Best Practices

1. Permission Design

  • Follow least privilege principle
  • Group related permissions
  • Use descriptive names
  • Document permissions

2. Role Management

  • Limit custom roles
  • Regular role reviews
  • Clear role hierarchy
  • Document role purposes

3. Access Control

  • Regular access audits
  • Clear revocation process
  • Emergency access procedures
  • Access logging

Common Patterns

1. Team-Based Access

Team Access Pattern
{
  "pattern": "team_based_access",
  "implementation": {
    "base_role": "team_member",
    "inheritance": true,
    "scope": "team_resources",
    "escalation": {
      "conditions": ["sla_breach", "priority_high"],
      "escalate_to": "team_lead"
    }
  }
}

2. Progressive Access

Progressive Access
{
  "pattern": "progressive_access",
  "implementation": {
    "levels": [
      {
        "name": "trainee",
        "permissions": ["view", "comment"],
        "duration": "2_weeks"
      },
      {
        "name": "junior_agent",
        "permissions": ["view", "comment", "update"],
        "requirements": ["training_complete"]
      },
      {
        "name": "senior_agent",
        "permissions": ["view", "comment", "update", "assign"],
        "requirements": ["performance_metrics", "tenure"]
      }
    ]
  }
}
