RBAC Management

The auth_service.roles manager handles all logic for creating, assigning, and checking roles and permissions. The built-in /admin router provides API endpoints for these actions.

Authorization for Management

AuthTuna uses a hybrid model for managing roles. An admin can assign a role if any of these are true:

  1. Specific Permission: The admin has a permission like roles:assign:Moderator.
  2. Role Hierarchy: The admin's highest role level is greater than the target role's level (e.g., Admin at level 90 can assign Moderator at level 50).
  3. Explicit Grant: The admin's role is explicitly granted permission to assign the target role.
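As an added illustration (not AuthTuna's own code), the following standalone model implements the three rules above in the order listed, returning which rule authorized an assignment. The Role and Admin classes, the can_assign grant set and the "Support" role are assumptions; the other role names and levels come from the default roles table.

```python
# Added example, not AuthTuna's own implementation. Role levels follow the
# default roles table; the data classes and the can_assign grant set are
# assumptions made for this illustration.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Role:
    name: str
    level: int
    permissions: frozenset = frozenset()  # e.g. {"roles:assign:Moderator"}
    can_assign: frozenset = frozenset()   # explicit grants: names of roles this role may assign


@dataclass
class Admin:
    roles: list  # roles currently held by the acting admin


def can_assign_role(admin: Admin, target: Role) -> Optional[str]:
    """Return the rule that authorizes assigning `target`, or None if denied."""
    # 1. Specific permission: any held role carries roles:assign:<TargetRole>.
    needed = f"roles:assign:{target.name}"
    if any(needed in r.permissions for r in admin.roles):
        return "specific_permission"
    # 2. Role hierarchy: the admin's highest level must be strictly greater
    #    than the target's level (an Admin at 90 cannot hand out Admin at 90).
    highest = max((r.level for r in admin.roles), default=-1)
    if highest > target.level:
        return "role_hierarchy"
    # 3. Explicit grant: a held role is explicitly allowed to assign the target.
    if any(target.name in r.can_assign for r in admin.roles):
        return "explicit_grant"
    return None


# Constructed roles using the levels from the default roles table.
SYSTEM = Role("System", 999)
SUPERADMIN = Role("SuperAdmin", 100)
ADMIN = Role("Admin", 90)
MODERATOR = Role("Moderator", 50, permissions=frozenset({"roles:assign:Moderator"}))
USER = Role("User", 0)
# Constructed low-level role that is only allowed to assign Moderator by explicit grant.
SUPPORT = Role("Support", 10, can_assign=frozenset({"Moderator"}))
```

Because the system user sits at level 999, the hierarchy rule alone lets it assign any of the default roles, which is why no explicit grant is needed for automated assignments.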

Default Roles & Users

When AUTO_CREATE_DATABASE is enabled, AuthTuna provisions essential roles and users for immediate administration.

  • system: Internal ID: system. Used for audit logging and initial role assignments. Due to its high level (999), it can be used for automated role assignments without requiring explicit grants (if the role being assigned has a level < 999).
  • superadmin: Default Email: settings.DEFAULT_SUPERADMIN_EMAIL. Assigned SuperAdmin role.
  • admin: Default Email: settings.DEFAULT_ADMIN_EMAIL. Assigned Admin role.

Role Name    Level  Key Permissions
System       999    Used for automated tasks that require permissions such as assigning a project owner when a new project is created.
SuperAdmin   100    Full system access.
Admin        90     User and role management.
Moderator    50     Basic user management.
User         0      Standard application access.