Bilko RBAC -- Users / Roles / Permissions

Overview

Bilko uses a flat RBAC model: users have one role per organisation; roles map to a permission catalog via a DB seed table. Permission resolution is live from the database on every request (no JWT role claim for authorisation). The system was built in WP1 (MC #103141, branch feat/rbac-wp1-permissions-catalog).

Roles

Role	Level	Scope
`owner`	3	All permissions including billing, account deletion, user management
`admin`	2	All permissions except billing and account deletion; can manage users and roles
`accountant`	1	Create and manage financial records; cannot delete; cannot manage users
`viewer`	0	Read-only access; default for newly JIT-provisioned Entra users

Roles are stored in users.role (VARCHAR 50) with a CHECK constraint added in V67 limiting values to these four. Single role per user per organisation (multi-role/multi-org deferred, MC #103089).

Permissions Catalog (V67 — 52 keys)

Source: apps/api/src/main/resources/db/migration/V67__rbac_permissions_catalog.sql (commit 66629bd). The catalog is stored in the permissions table; all application code references permission keys as string constants.

Format: <resource>:<verb> enforced by a DB CHECK constraint (permission_key_format). Example keys by resource group:

Resource group	Example keys
Invoices	`invoice:read`, `invoice:create`, `invoice:update`, `invoice:delete`, `invoice:submit`
Expenses	`expense:read`, `expense:create`, `expense:update`, `expense:delete`
Contacts	`contact:read`, `contact:create`, `contact:update`, `contact:delete`
Transactions	`transaction:read`, `transaction:create`, `transaction:reconcile`
Reports	`report:read`, `report:export`
Settings / billing	`settings:read`, `settings:update`, `billing:read`, `billing:update`
Users	`users:read`, `users:manage`, `users:invite`
Account admin	`account:delete`
Documents	`document:read`, `document:upload`, `document:delete`
Articles / products	`article:read`, `article:create`, `article:update`, `article:delete`

Full 52-key baseline stored in: apps/api/src/main/resources/rbac/requireRole-baseline-v67.tsv (commit 0bf18fd, 51 data rows).

Role-to-Permission Seed (Strategy A — Flat Inheritance)

Source: role_permissions table seeded in V67. Each row: (role, permission_key). No runtime inheritance logic — the seed embeds the full flattened set for each role.

Role	Permissions count	Principle
viewer	13	Read-only: all :read + :export keys
accountant	40	viewer permissions + create/update on financial resources; no delete, no user management
admin	49	accountant permissions + delete + user management; no billing:update, no account:delete
owner	52	All 52 permissions (complete set)

The seed exactly reproduces the behaviour of the legacy requireRole() numeric hierarchy — verified by 204 RbacMatrixTest cases (0 failures). No behaviour regression.

PermissionService — Live DB Resolution

Source: apps/api/src/main/kotlin/no/alai/bilko/services/PermissionService.kt (commit dee4fb1)

Interface method: fun resolve(role: String): Set<String> (2 implementations: interface + DbPermissionService)
Live DB query against role_permissions on every resolve call
Fail-closed: if role is unknown or DB returns empty set, resolves to emptySet() — no permissions granted
CEO OCD O1 decision: global per-role cache (4 known values); result cached per role string key. Per CEO spec, cache keyed userId+role-version was the ideal; current implementation uses global per-role cache (simpler, advisory gap noted in Proveo verdict)

BilkoPrincipal + requirePermission

Source: apps/api/src/main/kotlin/no/alai/bilko/auth/BilkoPrincipal.kt and RbacHelper.kt (commit dee4fb1)

BilkoPrincipal carries permissions: Set<String> — resolved at authentication time via PermissionService
RoutingContext.requirePermission(permissionKey: String) — Kotlin extension function; throws ForbiddenException (HTTP 403 BILKO-AUTH-003) if key not in principal's permission set; calls AuthzAuditLogger
All 51 formerly-requireRole() call sites migrated to requirePermission() (17 route files, 0 residual requireRole in routes — verified by grep)
requireRole() is kept as a thin compatibility shim (RbacHelper.kt)

Role-to-Permission Matrix

Permission key	viewer	accountant	admin	owner
`invoice:read`	Y	Y	Y	Y
`invoice:create`	-	Y	Y	Y
`invoice:update`	-	Y	Y	Y
`invoice:delete`	-	-	Y	Y
`invoice:submit`	-	Y	Y	Y
`expense:read`	Y	Y	Y	Y
`expense:create`	-	Y	Y	Y
`expense:delete`	-	-	Y	Y
`users:read`	Y	Y	Y	Y
`users:manage`	-	-	Y	Y
`users:invite`	-	-	Y	Y
`billing:read`	-	-	-	Y
`billing:update`	-	-	-	Y
`account:delete`	-	-	-	Y
`settings:read`	Y	Y	Y	Y
`settings:update`	-	-	Y	Y
`report:read`	Y	Y	Y	Y
`report:export`	Y	Y	Y	Y
... (52 total)	Full catalog in V67 seed

Full read-only matrix visible to admins/owners in the web admin UI at /admin/users (component: lib/permissions.ts ROLE_PERMISSION_MATRIX).

Authorization Audit Log

Source: apps/api/src/main/kotlin/no/alai/bilko/auth/AuthzAuditLogger.kt (commit dee4fb1)

Every requirePermission() call logs an authz_decision event (SLF4J structured log)
Log fields: userId, orgId, permissionKey, granted (boolean), route
RbacHelper.kt references AuthzAuditLogger at 4 call sites (verified)

V67/V68 Migration Summary

Migration	Contents
V67 (`V67__rbac_permissions_catalog.sql`)	Creates `permissions` table (52 keys, format CHECK); `role_permissions` table with full 4-role seed; adds `users.role` CHECK constraint; GRANT SELECT to bilko_app; no RLS (global catalog)
V68 (`V68__rbac_user_provisioning.sql`)	Adds `users:manage` and `users:invite` permission keys; SECURITY DEFINER function `bilko_auth.provision_user_with_org(issuer, oid, email, fullName)` returning new user UUID; seeds new permissions to admin + owner roles

Test Coverage

204 RbacMatrixTest cases (all 51 call sites x 4 roles): 0 failures — feat/rbac-wp1-permissions-catalog
8 UserProvisioningWp2Test cases (T1–T8: JIT, admin CRUD, role guards, self-escalation block): PASS
Total test suite: 2534 tests (1070 unit + 1283 integration + 181 web), 0 failures — WP5 E2E evidence /tmp/evidence-103145

Out of Scope (v1)

Multi-role per user (single role per org; MC #103089)
Multi-org membership (single org per user; MC #103089)
ABAC / conditional permissions (e.g. "delete only own drafts")
Accountant Portal multi-tier permissions (Collaborator/Approver roles from ACCOUNTANT-PORTAL-SPEC.md §2.2)

Pages & Routing

State Management

Frontend — Status & Architecture

Component Inventory

Design System

Forms & Validation

Figma Validation Report (2026-02-21)

High-Level Design (HLD)

Low-Level Design (LLD)

Validation Report

Bilko — Project Handbook

Pipeline Gate Tracker

ADR-022 — Document Archive Strategy

SPEC-022 — Document Archive Implementation

COMPLIANCE-022 — Archive Review (HIPAA/GDPR/CQC)

HR eRačun — Architecture Decision Record (ADR) + Build Plan

Backend — Target Architecture

Database — Schema & Models

API Reference

Database Schema

Authentication & Authorization

Business Logic

Middleware Stack

External Services Integration

API Coverage Report

Bilko Authentication -- Entra External ID (CIAM)

Bilko RBAC -- Users / Roles / Permissions

Bilko Auth Migration Runbook + Admin Guide

ADR-037 -- Entra Authenticates, Bilko Authorises; Single-Role v1; Multi-Org Deferred

Bilko Self-Serve Trial — CIAM Architecture and Auth Pattern (MC #103232)

Bilko Self-Serve Trial — CIAM Architecture and Auth Pattern (MC #103232)

Test Plan

Testing Guide

Test Inventory

Deployment Guide

CI/CD Pipeline

Environment Configuration

Bilko Stage Environment — Cloud SQL & IAM (Phase 1)

Bilko Stage Environment — Cloud Run Services (Phase 2)

Bilko demo — receipt upload/download fix (GCS shared storage) — MC #103095 (2026-06-07)

Bilko Azure Observability + MS for Startups Credit Setup (2026-06-15)

Bilko ACA Telemetry & Observability Wiring (Azure)

Serbia — Regulatory Summary

Bosnia — Regulatory Summary

Croatia — Regulatory Summary

Multi-Region Overview

Chart of Accounts (All Countries)

Serbia — SEF e-Invoicing

Bosnia — PDV System

Croatia — eRačun & HR-FISK

Bilko HR eRačun — sveRačun (PostLink) Integration & Status Model

Bilko B5 — Per-Line VAT Exemption Classification (MC #103593, 2026-06-15)

Security Architecture

GDPR & Compliance

Bilko CIAM abuse-gate fix — checkBefore moved outside SERIALIZABLE tx (MC #104069, root-cause of #103245)

Bilko Terms of Service (with Sub-Processor disclosure GDPR Art. 28(4))

Bilko Privacy Notice (with Document Archive Sub-Processors §8.1)

DPA Template — Vedlegg B / Annex B: Sub-Processors for Bilko Archive Feature

Sub-Processor Notification Email Template (Bilko)

Bilko RBAC -- Users / Roles / Permissions

Overview

Roles

Permissions Catalog (V67 — 52 keys)

Role-to-Permission Seed (Strategy A — Flat Inheritance)

PermissionService — Live DB Resolution

BilkoPrincipal + requirePermission

Role-to-Permission Matrix

Authorization Audit Log

V67/V68 Migration Summary

Test Coverage

Out of Scope (v1)