Foundation 04
Connect each user to a tenant and a role
Memberships answer where someone has access. Roles collect the exact operations they may perform in that tenant.
Membership
UserProfileTenantRolePermission
Derive common permissions from the model
Public model operations contribute permission names. Sync the catalogue after migration, then seed or assign roles with the permissions your app needs.
- items.read covers list and get.
- items.create, items.update, and items.delete stay separate.
- Custom methods can add names such as articles.publish.
seed-access.ts
typescript
await syncPermissionCatalog(getSmrtConfig('Permission'));
const roles = await RoleCollection.create(getSmrtConfig('Role'));
await roles.seedSystemRoles({ seedPermissions: true });Enforce the same decision at every entry point
Generated routes are authentication-gated and tenant-scoped. Custom SvelteKit actions, jobs, and in-process writes must also check the principal permission snapshot. Postgres applications can add row-level security as another enforcement layer.