Roles & Permissions

MapexOS uses Role-Based Access Control (RBAC) to enforce least-privilege access across a multi-tenant organization hierarchy.

Permissions are assigned through Roles, and Roles are applied to Users or Groups via Memberships scoped to an organization node.

Applies to v1.0.0 — Permission strings below reflect the current implementation.

Core model

Permission

A permission is a string identifier used by services to authorize an operation.

Examples:

assets.read
rules.create
events.processed.list

Role

A role is a named collection of permissions, designed to be reusable across teams.

Membership

A membership binds:

WHO: user or group
WHERE: organization (scope)
WHAT: roles/permissions
HOW FAR: local or recursive

Permission naming conventions

MapexOS permissions follow a simple pattern:

Standard resources: <resource>.<action>
- Example: assets.update
Wildcards: <resource>.*
- Example: routegroups.*
Event streams: events.<stream>.<action>
- Example: events.raw.read

Actions (typical)

Most resources expose standard CRUD actions:

list, create, read, update, delete

Wildcards

MapexOS supports hierarchical wildcards:

Wildcard	Meaning
`mapex.*`	Full platform access (all services/modules)
`<resource>.*`	Full access to a single resource

Example:

datasources.* allows all datasource operations, but does not grant access to assets or rules.

Scope and inheritance

Roles and permissions are scoped by organizations through memberships.

local applies only to the specified organization
recursive applies to the organization and all descendants (unless blocked by RolePolicy = strict)

For details on organization inheritance policies, see:

Organizations

Examples

Read-only operator (events + assets)

A common operational profile can be modeled with:

txt

assets.list
assets.read
events.processed.list
events.processed.read

Automation engineer (rules + triggers)

A profile focused on automation:

txt

rules.*
businessrules.*
triggers.*
routegroups.read
routegroups.list

Platform admin (full access)

txt

mapex.*

Permission reference (v1.0.0)

This section lists the permissions available in the current release.

Note: Events expose stream-level permissions for fine-grained access.

Platform

Permission	Description
`mapex.*`	Wildcard access for all mapex operations

Core platform

These permissions control governance objects in the MapexOS Core service.

`auth`

Permission	Description
`auth.*`	Wildcard access for all auth operations
`auth.changepassword`	CHANGEPASSWORD auth
`auth.login`	LOGIN auth
`auth.logout`	LOGOUT auth
`auth.refresh`	REFRESH auth
`auth.resetpassword`	RESETPASSWORD auth

`organizations`

Permission	Description
`organizations.*`	Wildcard access for all organizations operations
`organizations.create`	CREATE organizations
`organizations.delete`	DELETE organizations
`organizations.list`	LIST organizations
`organizations.read`	READ organizations
`organizations.update`	UPDATE organizations

`users`

Permission	Description
`users.*`	Wildcard access for all users operations
`users.create`	CREATE users
`users.delete`	DELETE users
`users.list`	LIST users
`users.read`	READ users
`users.update`	UPDATE users

`groups`

Permission	Description
`groups.*`	Wildcard access for all groups operations
`groups.create`	CREATE groups
`groups.delete`	DELETE groups
`groups.list`	LIST groups
`groups.read`	READ groups
`groups.update`	UPDATE groups

`roles`

Permission	Description
`roles.*`	Wildcard access for all roles operations
`roles.create`	CREATE roles
`roles.delete`	DELETE roles
`roles.list`	LIST roles
`roles.read`	READ roles
`roles.update`	UPDATE roles

`memberships`

Permission	Description
`memberships.*`	Wildcard access for all memberships operations
`memberships.create`	CREATE memberships
`memberships.delete`	DELETE memberships
`memberships.list`	LIST memberships
`memberships.read`	READ memberships
`memberships.update`	UPDATE memberships

`lists`

Permission	Description
`lists.*`	Wildcard access for all lists operations
`lists.create`	CREATE lists
`lists.delete`	DELETE lists
`lists.lists`	LISTS lists
`lists.read`	READ lists
`lists.update`	UPDATE lists

Ingestion & asset management

`datasources`

Permission	Description
`datasources.*`	Wildcard access for all datasources operations
`datasources.create`	CREATE datasources
`datasources.delete`	DELETE datasources
`datasources.list`	LIST datasources
`datasources.read`	READ datasources
`datasources.update`	UPDATE datasources

`assets`

Permission	Description
`assets.*`	Wildcard access for all assets operations
`assets.create`	CREATE assets
`assets.delete`	DELETE assets
`assets.list`	LIST assets
`assets.read`	READ assets
`assets.update`	UPDATE assets

`assettemplates`

Permission	Description
`assettemplates.*`	Wildcard access for all assettemplates operations
`assettemplates.create`	CREATE assettemplates
`assettemplates.delete`	DELETE assettemplates
`assettemplates.list`	LIST assettemplates
`assettemplates.read`	READ assettemplates
`assettemplates.update`	UPDATE assettemplates

Routing

`routegroups`

Permission	Description
`routegroups.*`	Wildcard access for all routegroups operations
`routegroups.create`	CREATE routegroups
`routegroups.delete`	DELETE routegroups
`routegroups.list`	LIST routegroups
`routegroups.read`	READ routegroups
`routegroups.update`	UPDATE routegroups

Automation

`rules`

Permission	Description
`rules.*`	Wildcard access for all rules operations
`rules.create`	CREATE rules
`rules.delete`	DELETE rules
`rules.list`	LIST rules
`rules.read`	READ rules
`rules.update`	UPDATE rules

`businessrules`

Permission	Description
`businessrules.*`	Wildcard access for all businessrules operations
`businessrules.create`	CREATE businessrules
`businessrules.delete`	DELETE businessrules
`businessrules.list`	LIST businessrules
`businessrules.read`	READ businessrules
`businessrules.update`	UPDATE businessrules

`triggers`

Permission	Description
`triggers.*`	Wildcard access for all triggers operations
`triggers.create`	CREATE triggers
`triggers.delete`	DELETE triggers
`triggers.list`	LIST triggers
`triggers.read`	READ triggers
`triggers.update`	UPDATE triggers

`jobs`

Permission	Description
`jobs.*`	Wildcard access for all jobs operations
`jobs.create`	CREATE jobs
`jobs.delete`	DELETE jobs
`jobs.list`	LIST jobs
`jobs.read`	READ jobs
`jobs.update`	UPDATE jobs

Events

Events permissions are organized by event stream (table) for granular access control.

Raw events (gateway ingress)

Permission	Description
`events.raw.create`	CREATE access for Raw events
`events.raw.delete`	DELETE access for Raw events
`events.raw.list`	LIST access for Raw events
`events.raw.read`	READ access for Raw events

Processed events (normalized)

Permission	Description
`events.processed.create`	CREATE access for Processed events
`events.processed.delete`	DELETE access for Processed events
`events.processed.list`	LIST access for Processed events
`events.processed.read`	READ access for Processed events

JS execution logs

Permission	Description
`events.js_executor.create`	CREATE access for Js Executor events
`events.js_executor.delete`	DELETE access for Js Executor events
`events.js_executor.list`	LIST access for Js Executor events
`events.js_executor.read`	READ access for Js Executor events

Router events

Permission	Description
`events.router.create`	CREATE access for Router events
`events.router.delete`	DELETE access for Router events
`events.router.list`	LIST access for Router events
`events.router.read`	READ access for Router events

Business rule events

Permission	Description
`events.business_rule.create`	CREATE access for Business Rule events
`events.business_rule.delete`	DELETE access for Business Rule events
`events.business_rule.list`	LIST access for Business Rule events
`events.business_rule.read`	READ access for Business Rule events

Trigger execution events

Permission	Description
`events.trigger.create`	CREATE access for Trigger events
`events.trigger.delete`	DELETE access for Trigger events
`events.trigger.list`	LIST access for Trigger events
`events.trigger.read`	READ access for Trigger events

Audit events

Permission	Description
`events.audit.create`	CREATE access for Audit events
`events.audit.delete`	DELETE access for Audit events
`events.audit.list`	LIST access for Audit events
`events.audit.read`	READ access for Audit events

Notification events

Permission	Description
`events.notifications.create`	CREATE access for Notifications events
`events.notifications.delete`	DELETE access for Notifications events
`events.notifications.list`	LIST access for Notifications events
`events.notifications.read`	READ access for Notifications events

General (all streams)

Permission	Description
`events.create`	CREATE access for all event streams
`events.delete`	DELETE access for all event streams
`events.list`	LIST access for all event streams
`events.read`	READ access for all event streams

Best practices

Practice	Recommendation
Prefer groups	Use group-based memberships for enterprise teams
Least privilege	Start with read-only and add permissions intentionally
Isolate sensitive branches	Apply `RolePolicy = strict` where inheritance must be blocked
Audit access	Regularly review memberships, group composition, and role definitions

Next steps

Organizations — Multi-tenant hierarchy and scope rules
Rules & Business Rules — Automation model and persistent logs
Events & Pipeline — Event retention (TTL) and query patterns

Roles & Permissions ​

Core model ​

Permission ​

Role ​

Membership ​

Permission naming conventions ​

Actions (typical) ​

Wildcards ​

Scope and inheritance ​

Examples ​

Read-only operator (events + assets) ​

Automation engineer (rules + triggers) ​

Platform admin (full access) ​

Permission reference (v1.0.0) ​

Platform ​

Core platform ​

auth ​

organizations ​

users ​

groups ​

roles ​

memberships ​

lists ​

Ingestion & asset management ​

datasources ​

assets ​

assettemplates ​

Routing ​

routegroups ​

Automation ​

rules ​

businessrules ​

triggers ​

jobs ​

Events ​

Raw events (gateway ingress) ​

Processed events (normalized) ​

JS execution logs ​

Router events ​

Business rule events ​

Trigger execution events ​

Audit events ​

Notification events ​

General (all streams) ​

Best practices ​

Next steps ​