Skip to main content
Permissions determine what operations are allowed on a resource. In Frontier, permissions are represented as service.resource.verb (e.g., app.organization.update).

Permission Structure

Permissions typically correspond one-to-one with API methods. To call an API, the user must have the associated permission. 
type Permission struct {
    ID          string
    Name        string            // e.g., "update"
    Slug        string            // e.g., "app_organization_update"
    NamespaceID string            // e.g., "app/organization"
    Metadata    map[string]any
    CreatedAt   time.Time
    UpdatedAt   time.Time
}
You don’t grant permissions to users directly. Instead, you assign roles containing the appropriate permissions to users via policies.

Namespaces

A namespace is a logical container that organizes related permissions and resources. It provides:
  • Organization: Groups related entities together
  • Scope: Defines the boundary of authorization
  • Granularity: Enables fine-grained access control

Example Namespaces

  • app/organization - Organization management permissions
  • app/project - Project-level permissions
  • app/group - Group management permissions
  • potato/cart - Custom shopping cart permissions
  • compute/instance - Compute instance permissions

Predefined Permissions

Frontier includes predefined permissions for managing core resources.

Organization Permissions

PermissionDescription
app.organization.administerFull administrative access to the organization
app.organization.deleteDelete the organization
app.organization.updateModify organization details
app.organization.getView organization information
app.organization.rolemanageManage roles within the organization
app.organization.policymanageManage access control policies
app.organization.projectlistList projects in the organization
app.organization.grouplistList groups in the organization
app.organization.invitationlistList user invitations
app.organization.projectcreateCreate new projects
app.organization.groupcreateCreate new groups
app.organization.invitationcreateCreate new invitations
app.organization.serviceusermanageManage service users
app.organization.billingmanageManage billing and purchases
app.organization.billingviewView billing information
Organization-level permissions cascade to projects, groups, and resources within that organization due to hierarchical inheritance.

Project Permissions

PermissionDescription
app.project.administerFull administrative access to the project
app.project.deleteDelete the project
app.project.updateModify project details
app.project.getView project information
app.project.policymanageManage project access policies
app.project.resourcelistList resources in the project

Group Permissions

PermissionDescription
app.group.administerFull administrative access to the group
app.group.deleteDelete the group
app.group.updateModify group details
app.group.getView group information

Permission Hierarchy

Higher-level permissions include the capabilities of lower-level ones: 
administer > delete > update > get
For example, app.organization.administer grants all other organization permissions.

Custom Permissions

Frontier superusers can create custom permissions for application-specific resources.

When to Use Custom Permissions

Create custom permissions when:
  • Predefined permissions don’t meet your requirements
  • You need resource-specific access control
  • You’re integrating external services
  • You want granular control over custom features

Creating Custom Permissions

Custom permissions can be created:
  1. Dynamically via API while Frontier is running
  2. Declaratively in config using resource configuration files
1

Define Permission Requirements

Identify the namespace and actions needed for your resource
Example: Shopping Cart Permissions
permissions:
  - name: delete
    namespace: potato/cart
  - name: update  
    namespace: potato/cart
  - name: get
    namespace: potato/cart
2

Generate Permission Slugs

Frontier automatically generates slugs by combining namespace and name:
  • delete in potato/cartpotato_cart_delete
  • update in potato/cartpotato_cart_update
  • get in potato/cartpotato_cart_get
3

Create via API or Config

Add permissions using the Admin API or resource configuration
4

Use in Roles

Reference permission slugs when creating custom roles

Permission Configuration File

Define custom permissions in YAML:
potato-cart-permissions.yaml
permissions:
  - name: delete
    namespace: potato/cart
    metadata:
      description: "Allows deleting items from the shopping cart"
  - name: update
    namespace: potato/cart
    metadata:
      description: "Allows updating shopping cart contents"
  - name: get
    namespace: potato/cart
    metadata:
      description: "Allows viewing shopping cart details"
Load in Frontier config:
config.yaml
app:
  resources:
    - config/potato-cart-permissions.yaml

Checking Permissions

To verify if a user has a specific permission on a resource, use the Check API: 
curl -L -X POST 'http://127.0.0.1:7400/v1beta1/check' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Basic dGVzdC1jbGllbnQtaWQ6dGVzdC1zZWNyZXQ=' \
--data-raw '{
  "permission": "get",
  "resource": "app/organization:acme-corp"
}'

Resource Format

The resource field accepts multiple formats: 
app/organization:92f69c3a-334b-4f25-90b8-4d4f3be6b825
app/project:550e8400-e29b-41d4-a716-446655440000
potato/cart:123e4567-e89b-12d3-a456-426614174000
User credentials are automatically extracted from the session, access token, or client ID/secret in request headers.

Managing Permissions via API

These APIs require special privileges. Use Client ID/Secret or Access Token for authorization.

List Permissions

Retrieve all permissions, optionally filtered by namespace: 
curl -L -X GET 'http://127.0.0.1:7400/v1beta1/permissions' \
-H 'Accept: application/json' \
-H 'Authorization: Basic ...'
Filter by namespace: 
curl -L -X GET 'http://127.0.0.1:7400/v1beta1/permissions?namespace=app/organization' \
-H 'Accept: application/json'

Get Permission Details

Fetch a specific permission by ID or slug: 
curl -L -X GET 'http://127.0.0.1:7400/v1beta1/permissions/app_organization_update' \
-H 'Accept: application/json'

Create Custom Permission

Create a new permission (superuser only): 
curl -L -X POST 'http://127.0.0.1:7400/v1beta1/permissions' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
--data-raw '{
  "name": "deploy",
  "namespace": "compute/instance",
  "metadata": {
    "description": "Deploy compute instances"
  }
}'

Update Permission

Update permission metadata: 
curl -L -X PUT 'http://127.0.0.1:7400/v1beta1/permissions/compute_instance_deploy' \
-H 'Content-Type: application/json' \
--data-raw '{
  "metadata": {
    "description": "Deploy and restart compute instances"
  }
}'

Delete Permission

Deleting a permission removes it from all roles and may break existing access control. Use with caution.
curl -L -X DELETE 'http://127.0.0.1:7400/v1beta1/permissions/custom_permission_slug' \
-H 'Accept: application/json'

Permission Name Parsing

Frontier automatically converts between different permission formats: 
// All these formats resolve to the same slug
ParsePermissionName("app.organization.update")    // → app_organization_update
ParsePermissionName("app/organization:update")    // → app_organization_update  
ParsePermissionName("app/organization#update")    // → app_organization_update
ParsePermissionName("app_organization_update")    // → app_organization_update

Best Practices

Choose permission names that clearly indicate the action (e.g., delete, update, list) rather than vague terms.
Use consistent namespace patterns like service/resource to organize permissions logically.
Design permission hierarchies where higher-level permissions include lower-level ones (e.g., administer > update > get).
Add descriptive metadata to custom permissions to help administrators understand their purpose.
Always verify permission checks work as expected before deploying to production.

Next Steps

Roles

Create roles that bundle permissions together

Policies

Bind roles to users and resources with policies

Build docs developers (and LLMs) love

Get started for freeTalk to us