Recipe

RBAC role + permission designer

A step-by-step pattern for modeling roles, permissions, and assignments inside Meridian's access control system.

Core concepts

  • Role — a named collection of permissions (Admin, Editor, Viewer).
  • Permission — a granular action on a resource (users:read, billing:write).
  • Assignment — maps a user to one or more roles within a scope.

Permission naming convention

Pattern            Example
resource:action    users:read
resource:action    billing:write
resource:*         keys:*

Default role matrix

Role      Permissions
Admin     *:*
Editor    users:read, keys:read, keys:write
Viewer    users:read, keys:read

Enforcement flow

  1. Resolve user's assigned roles from the identity token.
  2. Expand roles into a flat permission set.
  3. Check required permission against the set; deny if absent.
  4. Cache the expanded set for the request lifetime to avoid repeated lookups.
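
The four steps above as an added Python sketch (not Meridian's own code): it uses the default role matrix from this page, denies by default, and keeps the expanded set only for the lifetime of one request object. The names RequestAuthz, expand_roles and grants, the "roles" claim in an already-verified token, and the segment-wise matching of * are assumptions made for illustration.

```python
# Added example: all names and the "roles" claim are assumptions, not Meridian's API.
ROLE_MATRIX = {  # default role matrix from this page
    "Admin": {"*:*"},
    "Editor": {"users:read", "keys:read", "keys:write"},
    "Viewer": {"users:read", "keys:read"},
}


def expand_roles(roles):
    """Step 2: flatten roles into one permission set; unknown roles grant nothing."""
    perms = set()
    for role in roles:
        perms |= ROLE_MATRIX.get(role, set())
    return frozenset(perms)


def grants(granted, required):
    """True if one granted pattern covers a concrete resource:action permission."""
    if granted.count(":") != 1 or required.count(":") != 1 or "*" in required:
        return False  # malformed value, or a wildcard in the *required* permission
    g_res, g_act = granted.split(":")
    r_res, r_act = required.split(":")
    return bool(r_res and r_act) and g_res in ("*", r_res) and g_act in ("*", r_act)


class RequestAuthz:
    """Per-request authorizer; build one per request so the cache dies with it."""

    def __init__(self, claims):
        # Step 1: claims are assumed to come from an already-verified identity token.
        roles = claims.get("roles", [])
        self._roles = roles if isinstance(roles, list) else []  # a bare string is rejected
        self._perms = None  # Step 4: request-lifetime cache

    def permissions(self):
        if self._perms is None:
            self._perms = expand_roles(r for r in self._roles if isinstance(r, str))
        return self._perms

    def allowed(self, required):
        # Step 3: deny unless some granted pattern matches the required permission.
        return any(grants(p, required) for p in self.permissions())
```

Because the cache lives on the request object, a role change takes effect on the user's next request rather than after a shared cache expires.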

Next steps

Pair this recipe with the license-key provisioning guide to wire RBAC into your product's onboarding flow.