gamma-enterprise-rbac
Gamma Enterprise RBAC
Overview
Implement enterprise-grade role-based access control for Gamma integrations with hierarchical roles, multi-tenant isolation, and audit logging.
Prerequisites
- Enterprise Gamma subscription
- Identity provider (IdP) integration
- Database for permission storage
- Understanding of RBAC concepts
Instructions
Step 1: Define Role Hierarchy
Create a role hierarchy (Viewer < Editor < Team Lead < Workspace Admin < Org Admin) with permission inheritance, so that each role holds every permission of the roles below it plus its own.
Step 2: Implement Permission Resolution
Build a service that resolves inherited permissions by walking the role hierarchy and caching the computed permission sets.
Step 3: Create Authorization Middleware
Wrap API routes with middleware that checks required permissions against the user's resolved role.
Step 4: Add Resource-Level Authorization
Implement resource-specific policies (e.g., an owner can edit their own presentations, a team lead can edit their team's presentations).
Step 5: Configure Multi-Tenant Isolation
Add tenant middleware that verifies workspace membership before allowing any workspace-scoped operations.
Step 6: Enable Audit Logging
Log every authorization decision (granted and denied) and emit denied-access metrics so alerts can be raised on them.
See detailed implementation for advanced patterns.
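The following is an added example, not Gamma's code, that walks Steps 1 to 6 in one small Python module. The permission names, the role-to-permission mapping and the user, workspace and presentation records are constructed for illustration, and the audit trail is an in-memory list standing in for a real log sink.

```python
from collections import Counter
from functools import lru_cache

# Step 1: hierarchy from lowest to highest; every role inherits all lower roles.
HIERARCHY = ["viewer", "editor", "team_lead", "workspace_admin", "org_admin"]
DIRECT = {  # permissions granted at each level (mirrors the matrix in Examples)
    "viewer": {"presentation:view"},
    "editor": {"presentation:create"},
    "team_lead": {"presentation:edit_team"},
    "workspace_admin": {"workspace:manage"},
    "org_admin": {"billing:manage"},
}

@lru_cache(maxsize=None)  # Step 2: each role's full set is computed once, then cached
def resolve(role):
    level = HIERARCHY.index(role)
    return frozenset().union(*(DIRECT[r] for r in HIERARCHY[: level + 1]))

AUDIT = []          # Step 6: one record per decision, granted or denied
DENIED = Counter()  # per-user denial counts, the input for a denied-access alert

def _decide(actor, tenant, perm, granted, reason):
    AUDIT.append({"user": actor["id"], "tenant": tenant, "permission": perm,
                  "granted": granted, "reason": reason})
    if not granted:
        DENIED[actor["id"]] += 1
    return granted

def authorize(user, tenant, perm, resource=None):
    """Steps 3-5: membership check, then role permissions, then resource policy."""
    role = user["memberships"].get(tenant)  # Step 5: must belong to this workspace
    if role is None:
        return _decide(user, tenant, perm, False, "not a workspace member")
    if resource is not None and resource["tenant"] != tenant:
        return _decide(user, tenant, perm, False, "resource in another workspace")
    if perm == "presentation:edit" and resource is not None:  # Step 4
        ok = resource["owner"] == user["id"] or (
            "presentation:edit_team" in resolve(role) and resource["team"] == user["team"])
        return _decide(user, tenant, perm, ok, "resource policy")
    return _decide(user, tenant, perm, perm in resolve(role), "role permissions")

def assign_role(actor, tenant, user, new_role):
    """Escalation guard: actor needs workspace:manage and may not grant above own level."""
    actor_role = actor["memberships"].get(tenant)
    ok = (actor_role is not None and "workspace:manage" in resolve(actor_role)
          and HIERARCHY.index(new_role) <= HIERARCHY.index(actor_role))
    if ok:
        user["memberships"][tenant] = new_role
    return _decide(actor, tenant, f"role:assign:{new_role}", ok, "hierarchy check")
```

In a real deployment `AUDIT` and `DENIED` would be replaced by the log pipeline and metrics client, and `resolve` would be invalidated whenever the hierarchy or permission table changes.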
Output
- Role hierarchy with inherited permissions
- Authorization middleware for API routes
- Resource-level access policies
- Multi-tenant workspace isolation
- Authorization audit trail
Error Handling
| Issue | Cause | Solution |
|---|---|---|
| Permission denied | Insufficient role | Verify role assignment in database |
| Orphaned memberships | User deleted | Clean up with cascading deletes |
| Privilege escalation | Missing inheritance check | Validate role hierarchy on assignment |
Examples
Permission Matrix
| Permission | Viewer | Editor | Team Lead | Workspace Admin | Org Admin |
|---|---|---|---|---|---|
| View presentations | Yes | Yes | Yes | Yes | Yes |
| Create presentations | No | Yes | Yes | Yes | Yes |
| Edit team presentations | No | No | Yes | Yes | Yes |
| Manage workspace | No | No | No | Yes | Yes |
| Manage billing | No | No | No | No | Yes |