Access Control
PIP provides a flat, namespace-based RBAC system. Every protected action in the Pcampus ecosystem is represented as a permission string. Products check permissions via a single fast API call.
Permission format
{namespace}.{resource}.{action}Examples:
console.users.read
console.orgs.write
cockpit.access
content-os.calendar.writeBuilt-in permissions
PIP seeds these on startup:
console.*
| Permission | Description |
|---|---|
console.users.read | View user list |
console.users.write | Edit user profiles |
console.orgs.read | View organizations |
console.orgs.write | Create / edit organizations |
console.permissions.read | View role assignments |
console.permissions.write | Assign / revoke roles |
console.apps.read | View registered applications |
console.apps.write | Create / edit applications |
Product access gates
| Permission | Description |
|---|---|
cockpit.access | Can user open Cockpit at all |
content-os.access | Can user open Content OS at all |
Product teams register granular permissions for their own namespaces.
Check a permission
This is the single endpoint every service calls to authorize an action. Target: < 50 ms p99.
POST /access/check
Authorization: Bearer <token>
Content-Type: application/json
{
"userId": "usr_xxxx",
"permission": "console.users.read",
"context": { "orgId": "org_xxxx" }
}Response:
{ "allowed": true }Roles
Roles bundle permissions. Built-in roles:
| Role | Permissions |
|---|---|
console.admin | All console.* |
console.viewer | console.*.read |
pip.org.owner | All organization.* |
pip.org.member | organization.*.read |
Create a role
POST /access/roles
Authorization: Bearer <token>
Content-Type: application/json
{
"name": "content-editor",
"permissions": ["content-os.access", "content-os.calendar.write"]
}Assign a role to a user
POST /access/assignments
Authorization: Bearer <token>
Content-Type: application/json
{
"userId": "usr_xxxx",
"roleId": "role_xxxx",
"context": { "orgId": "org_xxxx" }
}List a user's roles
GET /identity/users/:userId/assignments
Authorization: Bearer <token>Register your own namespace
POST /access/permissions
Authorization: Bearer <token>
Content-Type: application/json
{
"namespace": "my-product",
"permissions": [
{ "key": "my-product.reports.read", "description": "View reports" },
{ "key": "my-product.reports.write", "description": "Create reports" }
]
}