← Foundations

Foundation 04

Connect each user to a tenant and a role

Memberships answer where someone has access. Roles collect the exact operations they may perform in that tenant.

Membership
UserProfileTenantRolePermission
Authentication, product identity, organization, and access remain separate.

Derive common permissions from the model

Public model operations contribute permission names. Sync the catalogue after migration, then seed or assign roles with the permissions your app needs.

  • items.read covers list and get.
  • items.create, items.update, and items.delete stay separate.
  • Custom methods can add names such as articles.publish.
seed-access.ts
typescript
await syncPermissionCatalog(getSmrtConfig('Permission'));

const roles = await RoleCollection.create(getSmrtConfig('Role'));
await roles.seedSystemRoles({ seedPermissions: true });

Enforce the same decision at every entry point

Generated routes are authentication-gated and tenant-scoped. Custom SvelteKit actions, jobs, and in-process writes must also check the principal permission snapshot. Postgres applications can add row-level security as another enforcement layer.