Permission
Permission protocol schemas
Entity (Object) Level Permissions
Defines CRUD + VAMA (View All / Modify All) + Lifecycle access.
Refined with enterprise data lifecycle controls:
- Transfer (Ownership change)
- Restore (Soft delete recovery)
- Purge (Hard delete / Compliance)
Source: packages/spec/src/security/permission.zod.ts
TypeScript Usage
```typescript
import { FieldPermission, ObjectPermission, PermissionSet } from '@objectstack/spec/security';
import type { FieldPermission, ObjectPermission, PermissionSet } from '@objectstack/spec/security';

// Constructed sample input; replace with untrusted data to be validated
const data: unknown = { readable: true, editable: false };

// Validate data (throws a ZodError if the input does not match the schema)
const result = FieldPermission.parse(data);
```

FieldPermission
Properties
| Property | Type | Required | Description |
|---|---|---|---|
| readable | boolean | ✅ | Field read access |
| editable | boolean | ✅ | Field edit access |
ObjectPermission
Properties
| Property | Type | Required | Description |
|---|---|---|---|
| allowCreate | boolean | ✅ | Create permission |
| allowRead | boolean | ✅ | Read permission |
| allowEdit | boolean | ✅ | Edit permission |
| allowDelete | boolean | ✅ | Delete permission |
| allowTransfer | boolean | ✅ | Change record ownership |
| allowRestore | boolean | ✅ | Restore from trash (Undelete) |
| allowPurge | boolean | ✅ | Permanently delete (Hard Delete/GDPR) |
| viewAllRecords | boolean | ✅ | View All Data (Bypass Sharing) |
| modifyAllRecords | boolean | ✅ | Modify All Data (Bypass Sharing) |
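How the CRUD, lifecycle and VAMA flags above combine at enforcement time, as an added example that is not part of the ObjectStack spec package: the interface mirrors the ObjectPermission table, while the evaluation rule (a View All / Modify All flag only widens scope to records outside the user's sharing, and never grants an action whose own allow* flag is false) and the `complianceOfficer` sample are this example's assumptions.

```typescript
// Added example (not the ObjectStack spec package's code). The interface mirrors
// the ObjectPermission table above; the evaluation rules are this example's
// assumption: a VAMA flag widens scope to unshared records but never grants an
// action whose own allow* flag is false.
export interface ObjectPermission {
  allowCreate: boolean;
  allowRead: boolean;
  allowEdit: boolean;
  allowDelete: boolean;
  allowTransfer: boolean;
  allowRestore: boolean;
  allowPurge: boolean;
  viewAllRecords: boolean;
  modifyAllRecords: boolean;
}

export type RecordAction =
  | 'create' | 'read' | 'edit' | 'delete' | 'transfer' | 'restore' | 'purge';

// Which flag gates each action, and whether it mutates data (writes fall under
// modifyAllRecords, reads under viewAllRecords when sharing is bypassed).
const ACTION_FLAG: Record<RecordAction, { flag: keyof ObjectPermission; write: boolean }> = {
  create:   { flag: 'allowCreate',   write: true },
  read:     { flag: 'allowRead',     write: false },
  edit:     { flag: 'allowEdit',     write: true },
  delete:   { flag: 'allowDelete',   write: true },
  transfer: { flag: 'allowTransfer', write: true },
  restore:  { flag: 'allowRestore',  write: true },
  purge:    { flag: 'allowPurge',    write: true },
};

// `sharedWithUser` is the sharing model's verdict for this record (owner or
// explicitly shared). Deny wins: the action flag is checked before scope.
export function isAllowed(perm: ObjectPermission, action: RecordAction, sharedWithUser: boolean): boolean {
  const { flag, write } = ACTION_FLAG[action];
  if (!perm[flag]) return false;        // no grant for this action at all
  if (action === 'create') return true; // nothing exists yet to be shared
  if (sharedWithUser) return true;      // inside the user's sharing scope
  return write ? perm.modifyAllRecords : perm.viewAllRecords; // bypass sharing
}

// Constructed sample: a compliance officer who can see every record and purge
// (hard delete) records shared with them, but holds no blanket Modify All grant.
export const complianceOfficer: ObjectPermission = {
  allowCreate: false, allowRead: true, allowEdit: false, allowDelete: false,
  allowTransfer: false, allowRestore: false, allowPurge: true,
  viewAllRecords: true, modifyAllRecords: false,
};
```

Note that with this ordering a `viewAllRecords` grant on its own never lets a user purge unshared records; auditing which permission sets carry `viewAllRecords` or `modifyAllRecords` is the first thing to check, since those two flags are what turn a per-record sharing model into organisation-wide access.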
PermissionSet
Properties
| Property | Type | Required | Description |
|---|---|---|---|
| name | string | ✅ | Permission set unique name (lowercase snake_case) |
| label | string | optional | Display label |
| isProfile | boolean | ✅ | Whether this is a user profile |
| objects | Record<string, Object> | ✅ | Entity permissions |
| fields | Record<string, Object> | optional | Field level security |
| systemPermissions | string[] | optional | System level capabilities |
| tabPermissions | Record<string, Enum<'visible' | 'hidden' | 'default_on' | 'default_off'>> | optional | App/tab visibility: visible, hidden, default_on (shown by default), default_off (available but hidden initially) |
| rowLevelSecurity | Object[] | optional | Row-level security policies (see rls.zod.ts for full spec) |
| contextVariables | Record<string, any> | optional | Context variables for RLS evaluation |