Authentication & Access Control
Complexity: high (extracted, confidence 100%)
Components: 2 | Shared: 2 | User Stories: 0 | Analyzed: Yes

Description

Authorization layer that enforces the four canonical roles (Peer Mentor, Coordinator, Organization Admin, Global Admin) and their access boundaries across both operational products. Determines which product a user can log in to (mobile vs admin portal), which screens and APIs they can reach, and how an Organization Admin is surfaced as a Coordinator on mobile. Also enforces strict tenant isolation: Global Admins have no default access to an org's data and must be granted time-bounded support access logged in the audit trail.

Sources & reasoning

Source defines four roles and strict tenant isolation rules in §Core Roles, and lists RBAC under Mobile App Architecture Auth & Access as well as the §5 Fase 1 MVP scope (two mobile role profiles, two admin role profiles). Target_release matches the source phase name 'MVP'.

  • 4 defined user roles: Peer Mentor, Coordinator, Organization Administrator, Global Administrator
  • No default access to an organization's operational data ... Tenant separation is strict ... Orgs can grant a Global Admin time-bounded support access
  • Role-based access control - Peer Mentor and Coordinator roles
  • 2 mobile role profiles: Peer Mentor, Coordinator (Organization Admins log in as Coordinator in the app context)

Analysis

Business Value

RBAC is the gate that makes multi-tenant operation safe. Without it, a Coordinator from one organization could see another's activities, a Global Admin could silently read tenant data, and Org Admins could escalate themselves. Strict tenant isolation is a contractual requirement for organizations handling Bufdir-funded program data and sensitive personal information (epicrises, fødselsnummer, i.e. Norwegian national identity numbers). The audit-logged, time-bounded support access flag is what lets pilot organizations accept Norse support involvement at all without violating their own data-protection commitments. Critical for MVP because every other feature relies on it for access decisions.

Implementation Notes

Authorization lives in the consuming products, not in the Authentication Module - the module only emits identity and a generic claims bag containing role and organization membership. Role-Guard middleware runs on every API endpoint in the Next.js backend and checks (role, organization_id, requested resource) against a policy table. Mobile clients use role claims to render the correct home dashboard and to surface Org Admins as Coordinators. The time-bounded Norse-support-access flag lives in organization_settings; expiry is enforced at request time, not just at session start. Every support session writes an entry to the org's audit_logs table.

Quality Assurance

No QA section has been generated for this feature yet.

User Stories

No user stories have been generated for this feature yet.