RBAC

Monozu Cloud uses group-based RBAC. Every user belongs to one or more groups; each group has a set of permissions drawn from a central catalog. The backend enforces these permissions on every protected endpoint.

graph LR
    User --> Group1["Group (e.g. IT Admin)"]
    User --> Group2["Group (e.g. Security Analyst)"]
    Group1 --> P1["incidents:read"]
    Group1 --> P2["incidents:create"]
    Group1 --> P3["assets:read"]
    Group2 --> P4["security:read"]
    Group2 --> P5["incidents:read"]
    Group2 --> P6["vulnerabilities:read"]

A user’s effective permission set is the union of all permissions from all their groups. Permissions are checked before the domain handler runs.

All available permissions are defined in Backend/internal/rbac/catalog.go. They follow the pattern <resource>:<action>:

CMDB / Assets

  • assets:read, assets:create, assets:update, assets:delete
  • sites:read, sites:create, sites:update, sites:delete
  • vendors:read, vendors:create, vendors:update, vendors:delete

ITSM

  • incidents:read, incidents:create, incidents:update, incidents:delete
  • problems:read, problems:create, problems:update, problems:delete
  • changes:read, changes:create, changes:update, changes:delete
  • service-requests:read, service-requests:create, service-requests:update
  • releases:read, releases:create, releases:update
  • maintenance:read, maintenance:create, maintenance:update

Knowledge

  • knowledge:read, knowledge:create, knowledge:update, knowledge:delete
  • diagrams:read, diagrams:create, diagrams:update, diagrams:delete

Security (optional module)

  • security:read, security:manage
  • compliance:read, compliance:manage
  • vulnerabilities:read, vulnerabilities:manage

VPN (optional module)

  • vpn:read, vpn:manage

Backup (optional module)

  • backup:read, backup:manage

Settings

  • settings:read, settings:manage
  • users:read, users:invite, users:manage
  • rbac:read, rbac:manage
  • audit:read

Consult Backend/internal/rbac/catalog.go for the authoritative and up-to-date list.

The RequirePermission middleware is applied at route registration time in Backend/internal/app/register_*.go:

// Example (illustrative — not actual code)
incidents.Get("/", RequirePermission("incidents:read"), handler.ListIncidents)
incidents.Post("/", RequirePermission("incidents:create"), handler.CreateIncident)

The middleware:

  1. Extracts the user ID from the validated JWT
  2. Loads the user’s groups from the database (or a short-lived cache)
  3. Resolves the union of group permissions
  4. Returns 403 Forbidden if the required permission is not present
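The four middleware steps above, together with the union rule, as an added example that is not the project's own code. It uses the Go standard library (net/http) rather than the project's router, keeps a small constructed subset of the catalog in a map, stands in a hypothetical GroupStore interface and in-memory MemoryStore for the database or cache lookup, and assumes an upstream auth middleware has already validated the JWT and placed the user ID in the request context. Permissions that are malformed or not in the catalog are never granted, so a stale group row cannot widen access.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"sort"
)

// Constructed subset of the permission catalog; the authoritative list is in
// Backend/internal/rbac/catalog.go.
var catalog = map[string]bool{
	"incidents:read": true, "incidents:create": true, "incidents:update": true, "incidents:delete": true,
	"assets:read": true, "security:read": true, "vulnerabilities:read": true, "rbac:manage": true,
}

// permPattern enforces the <resource>:<action> naming shape used by the catalog.
var permPattern = regexp.MustCompile(`^[a-z][a-z-]*:[a-z]+$`)

// Group is a named permission set, as assigned in Settings -> Groups.
type Group struct {
	Name        string
	Permissions []string
}

// GroupStore stands in for step 2 (database or short-lived cache lookup).
// Hypothetical interface for this example, not the project's own.
type GroupStore interface {
	GroupsFor(userID string) []Group
}

// MemoryStore is an in-memory GroupStore used for the example.
type MemoryStore map[string][]Group

func (m MemoryStore) GroupsFor(userID string) []Group { return m[userID] }

// ResolvePermissions is step 3: the union of every group's permissions.
// Malformed or unknown entries are not granted and are listed in rejected.
func ResolvePermissions(groups []Group) (perms map[string]bool, rejected []string) {
	perms = make(map[string]bool)
	for _, g := range groups {
		for _, p := range g.Permissions {
			if !permPattern.MatchString(p) || !catalog[p] {
				rejected = append(rejected, g.Name+"/"+p)
				continue
			}
			perms[p] = true
		}
	}
	sort.Strings(rejected)
	return perms, rejected
}

// An upstream auth middleware is assumed to have validated the JWT and stored
// its subject under userIDKey in the request context (that is step 1).
type ctxKey string

const userIDKey ctxKey = "userID"

// RequirePermission answers 401 when no validated user is present and
// 403 Forbidden (step 4) when the required permission is not in the resolved set.
func RequirePermission(store GroupStore, perm string) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			uid, ok := r.Context().Value(userIDKey).(string)
			if !ok || uid == "" {
				http.Error(w, "unauthorized", http.StatusUnauthorized)
				return
			}
			perms, _ := ResolvePermissions(store.GroupsFor(uid))
			if !perms[perm] {
				http.Error(w, "forbidden", http.StatusForbidden)
				return
			}
			next.ServeHTTP(w, r)
		})
	}
}

// StatusFor runs the middleware for one user/permission pair and returns the
// status the protected route would answer with; an empty userID simulates a
// request with no validated identity.
func StatusFor(store GroupStore, userID, perm string) int {
	okHandler := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(http.MethodGet, "/api/v1/incidents", nil)
	if userID != "" {
		req = req.WithContext(context.WithValue(req.Context(), userIDKey, userID))
	}
	rec := httptest.NewRecorder()
	RequirePermission(store, perm)(okHandler).ServeHTTP(rec, req)
	return rec.Code
}

// SampleStore is constructed data: alice is in two groups (one of which carries
// an entry that is not in the catalog), bob in one.
var SampleStore = MemoryStore{
	"alice": {
		{Name: "IT Admin", Permissions: []string{"incidents:read", "incidents:create", "assets:read"}},
		{Name: "Security Analyst", Permissions: []string{"security:read", "incidents:read", "vulnerabilities:read", "backups:read"}},
	},
	"bob": {{Name: "Security Analyst", Permissions: []string{"security:read", "incidents:read", "vulnerabilities:read"}}},
}

func main() {
	perms, rejected := ResolvePermissions(SampleStore.GroupsFor("alice"))
	fmt.Println("alice effective permissions:", len(perms), "rejected:", rejected)
	for _, c := range [][2]string{{"alice", "incidents:create"}, {"bob", "incidents:create"}, {"", "incidents:read"}} {
		fmt.Printf("user=%q perm=%s -> %d\n", c[0], c[1], StatusFor(SampleStore, c[0], c[1]))
	}
}
```

The union is recomputed per request here for clarity; the page's middleware caches the group lookup, and the same approach applies to the resolved set as long as the cache is invalidated when a group's permissions change.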

The frontend hides navigation items and routes based on the user’s permissions. The user object returned from GET /api/v1/me includes the resolved permission set, and React components and route guards check this set before rendering protected UI. This is a usability measure only: the backend permission check described above remains the enforcement point for every protected endpoint.

Key files:

  • Frontend/src/components/Sidebar.tsx — hides nav items by permission
  • Frontend/src/routes/ProtectedRoute.tsx — redirects to /403 if permission missing
  • Frontend/lib/stores/authStore.ts — stores user + permissions in Zustand

Tenant administrators manage groups and assign permissions in Settings → Groups. The available permissions shown in the settings UI come from the backend catalog endpoint GET /api/v1/settings/rbac/permissions.