Authorization Model
This document defines the technical authorization model used by DMS. It is intended for architecture and implementation work. For the product-level view of role capabilities, see Permissions.
Permission Keys
DMS uses additive permissions within a Topic. A user's effective capability is the sum of the permissions granted by their assigned role.
Naming Convention
Permission keys follow the pattern entity.action, where the action part may itself be dotted (for example choice.status.change).
Examples:
- topic.edit
- topic.assign_role
- choice.add
- decision.make
- review.add
Permission Reference
Permissions are grouped by the part of the Topic they control.
| Permission | Capability |
|---|---|
| topic.read | View the Topic and nested records |
| topic.edit | Modify Topic metadata such as title, context, and tags |
| topic.archive | Move a Topic into an inactive state |
| topic.reopen | Restore a Topic to active work |
| topic.assign_role | Manage Topic roles |

| Permission | Capability |
|---|---|
| choice.add | Propose a Choice |
| choice.remove | Retract a proposed Choice by soft-delete policy |
| choice.status.change | Mark a Choice as dismissed, deferred, or preferred |
| reason.add | Attach a Reason to a Choice |

| Permission | Capability |
|---|---|
| decision.make | Make a Decision, record the Expectation, and move the Topic into Waiting |

| Permission | Capability |
|---|---|
| review.add | Record review material after execution |
| lesson.add | Add a Lesson to the Topic record |
| note.add | Add a contextual note |
Role Mapping
Role groups are technical bundles mapped to the semantic roles defined in Roles.
| Permission | Owner | Advisor | Reviewer | Observer |
|---|---|---|---|---|
| topic.read | | | | |
| topic.edit | | | | |
| topic.archive | | | | |
| topic.reopen | | | | |
| topic.assign_role | | | | |
| choice.add | | | | |
| choice.remove | | | | |
| choice.status.change | | | | |
| reason.add | | | | |
| decision.make | | | | |
| review.add | | | | |
| lesson.add | | | | |
| note.add | | | | |
Evaluation Rules
Authorization logic follows these rules:
- Topic isolation: Permissions are scoped to a single Topic. There are no global domain permissions.
- Role gateway: A Topic role assignment is the entry point for topic.read and other scoped capabilities.
- Policy composition: Permission checks must be evaluated alongside visibility, scope, and sensitive-content rules.
- Immutability: No permission allows silent deletion of authored decision memory.
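The following is an added worked example, not DMS code, showing one way the naming convention and the four evaluation rules above fit together in a single check: keys are validated against the entity.action pattern, roles are assigned per Topic only, a user's effective permissions are the additive union of their role bundles, topic.read acts as the gateway, and composed policies (visibility, scope, sensitive content) can veto a grant. The permission keys and role names are the page's own; the role-to-permission bundles, the `sensitive_content_policy` rule and its context keys (`sensitive`, `cleared_users`) are constructed placeholders, because the page's Role Mapping table does not carry its marks.

```python
"""Illustrative Topic-scoped authorization check (added example, not DMS code)."""
import re
from dataclasses import dataclass, field

# Naming convention: entity.action, where the action part may itself be dotted
# (e.g. choice.status.change). Lowercase identifiers separated by dots.
PERMISSION_KEY = re.compile(r"^[a-z_]+(\.[a-z_]+)+$")

# Every permission key defined on this page.
PERMISSIONS = frozenset({
    "topic.read", "topic.edit", "topic.archive", "topic.reopen", "topic.assign_role",
    "choice.add", "choice.remove", "choice.status.change", "reason.add",
    "decision.make",
    "review.add", "lesson.add", "note.add",
})

# ASSUMED role bundles: a constructed placeholder for the page's Role Mapping table.
ROLE_BUNDLES = {
    "Owner": PERMISSIONS,
    "Advisor": frozenset({"topic.read", "choice.add", "reason.add", "note.add"}),
    "Reviewer": frozenset({"topic.read", "review.add", "lesson.add", "note.add"}),
    "Observer": frozenset({"topic.read"}),
}


def is_valid_key(key: str) -> bool:
    """True if the key follows the entity.action naming convention."""
    return bool(PERMISSION_KEY.match(key))


def sensitive_content_policy(topic_id, user_id, permission, ctx) -> bool:
    """Constructed example of a composed policy: in a Topic flagged sensitive,
    anything beyond topic.read requires the user to be on the cleared list."""
    if permission == "topic.read" or not ctx.get("sensitive"):
        return True
    return user_id in ctx.get("cleared_users", ())


@dataclass
class TopicAuthz:
    # topic_id -> user_id -> set of role names. Roles exist only within a Topic,
    # so there is nothing here that could express a global permission.
    assignments: dict = field(default_factory=dict)
    # Composed policies; each returns False to veto an otherwise granted check.
    policies: list = field(default_factory=list)

    def assign(self, topic_id: str, user_id: str, role: str) -> None:
        if role not in ROLE_BUNDLES:
            raise ValueError(f"unknown role {role!r}")
        self.assignments.setdefault(topic_id, {}).setdefault(user_id, set()).add(role)

    def effective_permissions(self, topic_id: str, user_id: str) -> frozenset:
        """Additive model: union of the bundles of every role held in this Topic."""
        roles = self.assignments.get(topic_id, {}).get(user_id, set())
        return frozenset().union(*(ROLE_BUNDLES[r] for r in roles))

    def allowed(self, topic_id: str, user_id: str, permission: str, context=None) -> bool:
        if permission not in PERMISSIONS:
            raise ValueError(f"unknown permission {permission!r}")
        perms = self.effective_permissions(topic_id, user_id)
        # Role gateway: without topic.read (i.e. without a role in this Topic)
        # no other scoped capability is reachable.
        if "topic.read" not in perms or permission not in perms:
            return False
        # Policy composition: visibility/scope/sensitivity rules are ANDed in.
        ctx = context or {}
        return all(p(topic_id, user_id, permission, ctx) for p in self.policies)


def has_hard_delete_key() -> bool:
    """Immutability check: no permission key names a hard delete; choice.remove is a soft-delete."""
    return any(k.split(".")[-1] in ("delete", "purge") for k in PERMISSIONS)


if __name__ == "__main__":
    authz = TopicAuthz(policies=[sensitive_content_policy])
    authz.assign("T1", "alice", "Observer")
    print(authz.allowed("T1", "alice", "topic.read"))   # True
    print(authz.allowed("T1", "alice", "choice.add"))   # False until a role grants it
    print(authz.allowed("T2", "alice", "topic.read"))   # False: roles do not cross Topics
```

Note that the check is deliberately fail-closed: an unknown role or permission key raises rather than silently returning False, so a typo in a key surfaces during development instead of masquerading as a denial.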