- Source: GL_User, GL_GroupAccessToken, GL_ProjectAccessToken
- Destination: GL_InstanceRole, GL_GroupRole, GL_ProjectRole

| Property | Type | Description |
|---|---|---|
| expires_at | datetime | Date when the role assignment expires; never if no expiry is defined. |

The traversable GL_HasRole edge is the primary RBAC assignment edge in the graph. It has several distinct forms:

- User → InstanceRole — A user is assigned the instance-level role based on their is_admin and external flags. Admins receive GL_HasRole to the Administrator role. Internal users receive Member. External users receive External.
- User → GroupRole — A user is a direct member of the group at the specified access level. Created from the group membership API.
- User → ProjectRole — A user has a direct project membership (as opposed to inherited group membership). Created from the project membership API.
- GL_GroupAccessToken → GL_GroupRole — A group access token is assigned a role in the group. The token authenticates as a bot user with the specified access level.
- GL_ProjectAccessToken → GL_ProjectRole — A project access token is assigned a role in the project. The token authenticates as a bot user with the specified access level.

```mermaid
graph LR
    user("fa:fa-user GL_User alice")
    admin("fa:fa-user-tie GL_InstanceRole Administrator")
    grole("fa:fa-user-tie GL_GroupRole myorg/Developer")
    prole("fa:fa-user-tie GL_ProjectRole myproject/Maintainer")
    projTok("fa:fa-key GL_ProjectAccessToken deploy-token")
    user -->|GL_HasRole| admin
    user -->|GL_HasRole| grole
    user -->|GL_HasRole| prole
    projTok -->|GL_HasRole| prole
```
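
The forms listed above can be derived mechanically from membership and token records, and the resulting edges audited for token assignments that never expire. This is an added example, not the collector's own code: the input record layout, the edge dictionary shape, the helper names and the precedence of is_admin over external are assumptions, and the sample data is constructed to mirror the diagram.

```python
# Added example: derive GL_HasRole edges from GitLab-API-shaped records.
# Record layout, edge shape and helper names are assumptions, not the collector's code.
ACCESS_LEVELS = {10: "Guest", 20: "Reporter", 30: "Developer", 40: "Maintainer", 50: "Owner"}
SCOPE_KINDS = {  # scope -> (token source kind, role kind); users are always GL_User
    "group": ("GL_GroupAccessToken", "GL_GroupRole"),
    "project": ("GL_ProjectAccessToken", "GL_ProjectRole"),
}

def instance_role(user):
    """Map the is_admin / external flags to the instance-level role name."""
    if user.get("is_admin"):  # assumption: is_admin wins if both flags are set
        return "Administrator"
    return "External" if user.get("external") else "Member"

def make_edge(src, dst, expires_at):
    # expires_at is "never" when no expiry is defined, as in the property table.
    return {"kind": "GL_HasRole", "src": src, "dst": dst, "expires_at": expires_at or "never"}

def has_role_edges(users, assignments):
    """Return instance-role edges plus direct group/project role assignments."""
    edges = [make_edge(("GL_User", u["username"]),
                       ("GL_InstanceRole", instance_role(u)), None) for u in users]
    for a in assignments:
        token_kind, role_kind = SCOPE_KINDS[a["scope"]]
        src_kind = token_kind if a["is_token"] else "GL_User"
        # Levels outside the table fall back to their numeric value.
        level = ACCESS_LEVELS.get(a["access_level"], str(a["access_level"]))
        edges.append(make_edge((src_kind, a["name"]),
                               (role_kind, f'{a["path"]}/{level}'), a.get("expires_at")))
    return edges

def non_expiring_tokens(edges):
    """Token-held role assignments with no expiry: candidates for rotation review."""
    return [e for e in edges
            if e["src"][0].endswith("AccessToken") and e["expires_at"] == "never"]

# Constructed sample data mirroring the diagram on this page.
USERS = [{"username": "alice", "is_admin": True, "external": False},
         {"username": "bob", "is_admin": False, "external": True}]
ASSIGNMENTS = [
    {"scope": "group", "path": "myorg", "name": "alice", "is_token": False,
     "access_level": 30, "expires_at": "2030-01-01"},
    {"scope": "project", "path": "myproject", "name": "alice", "is_token": False,
     "access_level": 40, "expires_at": None},
    {"scope": "project", "path": "myproject", "name": "deploy-token", "is_token": True,
     "access_level": 40, "expires_at": None},
]

if __name__ == "__main__":
    for e in has_role_edges(USERS, ASSIGNMENTS):
        print(e["src"], "-[GL_HasRole]->", e["dst"], "expires:", e["expires_at"])
```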