Platform
Identity Platform
Access Control

Access Control

PIP provides a flat, namespace-based RBAC system. Every protected action in the Pcampus ecosystem is represented as a permission string. Products check permissions via a single fast API call.

Permission format

{namespace}.{resource}.{action}

Examples:

console.users.read
console.orgs.write
cockpit.access
content-os.calendar.write

Built-in permissions

PIP seeds these on startup:

console.*

PermissionDescription
console.users.readView user list
console.users.writeEdit user profiles
console.orgs.readView organizations
console.orgs.writeCreate / edit organizations
console.permissions.readView role assignments
console.permissions.writeAssign / revoke roles
console.apps.readView registered applications
console.apps.writeCreate / edit applications

Product access gates

PermissionDescription
cockpit.accessCan user open Cockpit at all
content-os.accessCan user open Content OS at all

Product teams register granular permissions for their own namespaces.

Check a permission

This is the single endpoint every service calls to authorize an action. Target: < 50 ms p99.

POST /access/check
Authorization: Bearer <token>
Content-Type: application/json
 
{
  "userId": "usr_xxxx",
  "permission": "console.users.read",
  "context": { "orgId": "org_xxxx" }
}

Response:

{ "allowed": true }

Roles

Roles bundle permissions. Built-in roles:

RolePermissions
console.adminAll console.*
console.viewerconsole.*.read
pip.org.ownerAll organization.*
pip.org.memberorganization.*.read

Create a role

POST /access/roles
Authorization: Bearer <token>
Content-Type: application/json
 
{
  "name": "content-editor",
  "permissions": ["content-os.access", "content-os.calendar.write"]
}

Assign a role to a user

POST /access/assignments
Authorization: Bearer <token>
Content-Type: application/json
 
{
  "userId": "usr_xxxx",
  "roleId": "role_xxxx",
  "context": { "orgId": "org_xxxx" }
}

List a user's roles

GET /identity/users/:userId/assignments
Authorization: Bearer <token>

Register your own namespace

POST /access/permissions
Authorization: Bearer <token>
Content-Type: application/json
 
{
  "namespace": "my-product",
  "permissions": [
    { "key": "my-product.reports.read", "description": "View reports" },
    { "key": "my-product.reports.write", "description": "Create reports" }
  ]
}

Access Control

PIP provides a flat, namespace-based RBAC system. Every protected action in the Pcampus ecosystem is represented as a permission string. Products check permissions via a single fast API call.

Permission format

{namespace}.{resource}.{action}

Examples:

console.users.read
console.orgs.write
cockpit.access
content-os.calendar.write

Built-in permissions

PIP seeds these on startup:

console.*

PermissionDescription
console.users.readView user list
console.users.writeEdit user profiles
console.orgs.readView organizations
console.orgs.writeCreate / edit organizations
console.permissions.readView role assignments
console.permissions.writeAssign / revoke roles
console.apps.readView registered applications
console.apps.writeCreate / edit applications

Product access gates

PermissionDescription
cockpit.accessCan user open Cockpit at all
content-os.accessCan user open Content OS at all

Product teams register granular permissions for their own namespaces.

Check a permission

This is the single endpoint every service calls to authorize an action. Target: < 50 ms p99.

POST /access/check
Authorization: Bearer <token>
Content-Type: application/json
 
{
  "userId": "usr_xxxx",
  "permission": "console.users.read",
  "context": { "orgId": "org_xxxx" }
}

Response:

{ "allowed": true }

Roles

Roles bundle permissions. Built-in roles:

RolePermissions
console.adminAll console.*
console.viewerconsole.*.read
pip.org.ownerAll organization.*
pip.org.memberorganization.*.read

Create a role

POST /access/roles
Authorization: Bearer <token>
Content-Type: application/json
 
{
  "name": "content-editor",
  "permissions": ["content-os.access", "content-os.calendar.write"]
}

Assign a role to a user

POST /access/assignments
Authorization: Bearer <token>
Content-Type: application/json
 
{
  "userId": "usr_xxxx",
  "roleId": "role_xxxx",
  "context": { "orgId": "org_xxxx" }
}

List a user's roles

GET /identity/users/:userId/assignments
Authorization: Bearer <token>

Register your own namespace

POST /access/permissions
Authorization: Bearer <token>
Content-Type: application/json
 
{
  "namespace": "my-product",
  "permissions": [
    { "key": "my-product.reports.read", "description": "View reports" },
    { "key": "my-product.reports.write", "description": "Create reports" }
  ]
}