Configuring RBAC Roles and Scoped Grants

About this guide

Build least-privilege roles from the entity-by-action matrix, grant them at global, company, or project scope, and let time-bound access lapse on schedule.

This guide shows you how to compose a least-privilege custom role in PMAP from the matrix of 10 entity types by 6 actions, which gives 60 possible permission pairs. You will grant that role to a user at global, company, or project scope, and see why a project-scoped grant never opens the owning company. The guide traces a grant from save to enforced query, through scope resolution, the scope cache, and the downstream repository filter.

Screenshot: Access Management, the role card grid on the Roles and Permissions tab, each card showing its coverage out of 60.

It is written for platform administrators and compliance owners responsible for access governance. By the end you will be able to set a time-bound grant that auto-revokes at its deadline, inspect a user’s effective permissions as the union across all their grants, and confirm that the scope cache, audit trail, and platform_admin gate make every decision scope-enforced and reconstructable.
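The model sketched above, written out as an added Python illustration (not PMAP's own code): roles are sets of (entity, action) pairs from the matrix, a grant carries a scope and an optional expires_at, scope resolution keeps a project-scoped grant from widening to the owning company, and a user's effective permissions are the union across active, in-scope grants. The class names, field names and the entity and action strings are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, Iterable, Optional, Set, Tuple

Pair = Tuple[str, str]  # one (entity, action) cell of the entity-by-action matrix

@dataclass(frozen=True)
class Role:
    name: str
    pairs: FrozenSet[Pair]  # a least-privilege role holds only the pairs the job needs

@dataclass(frozen=True)
class Grant:
    role: Role
    scope_type: str                        # "global", "company" or "project"
    scope_id: Optional[str] = None         # company_id or project_id; None for global
    expires_at: Optional[datetime] = None  # None means a permanent grant

@dataclass(frozen=True)
class Resource:
    company_id: str
    project_id: Optional[str] = None       # None for a company-level resource

def is_active(grant: Grant, now: datetime) -> bool:
    """A time-bound grant lapses at its deadline; nothing else has to happen."""
    return grant.expires_at is None or now < grant.expires_at

def scope_covers(grant: Grant, resource: Resource) -> bool:
    """Scope resolution: global covers everything, company covers its tenant,
    project covers that one project and never widens to the owning company."""
    if grant.scope_type == "global":
        return True
    if grant.scope_type == "company":
        return resource.company_id == grant.scope_id
    if grant.scope_type == "project":
        return resource.project_id is not None and resource.project_id == grant.scope_id
    return False  # unknown scope type: deny rather than guess

def effective_pairs(grants: Iterable[Grant], resource: Resource, now: datetime) -> Set[Pair]:
    """Effective permissions on a resource: the union across all active, in-scope grants."""
    pairs: Set[Pair] = set()
    for grant in grants:
        if is_active(grant, now) and scope_covers(grant, resource):
            pairs |= grant.role.pairs
    return pairs

def allowed(grants: Iterable[Grant], entity: str, action: str,
            resource: Resource, now: datetime) -> bool:
    return (entity, action) in effective_pairs(grants, resource, now)
```

Passing `now` explicitly keeps the check deterministic, which is what you want when replaying an access decision from the audit trail.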

Inside this guide

  • Read the permission catalog and plan least privilege as entity-action pairs.
  • Create a custom role from the matrix and choose the right scope for a grant.
  • Assign a company-scoped or project-scoped grant and set a time-bound grant with expiry.
  • Inspect a user’s effective permissions for a clean compliance answer.
  • Update a role and watch caches purge, then revoke a grant and confirm immediate effect.
  • Assign access to many users at once and wire approver resolution for sensitive flows.
  • Audit the access trail and rehearse a full access review.

Before you start

  • A PMAP account holding the platform_admin system role, because the admin route group is gated by RequireRole(platform_admin) and returns HTTP 403 to anyone else.
  • A clear picture of who needs to do what, so you can encode least privilege rather than copying a broad role.
  • The target users already provisioned, since a grant references an existing user_id.
  • The companies or projects you intend to scope to, so the scope_id you pass resolves to a real tenant or engagement.
  • Your organization’s policy on time-bound access, so you know which grants carry an expires_at and which are permanent.
  • A second platform administrator or compliance reviewer available, so you can rehearse the access-review handoff.
