PDR-005: ABAC v2 Policy Engine

Context

We need fine-grained access control for APIs, teams, and organizations. Role-based access was insufficient.

Decision

ABAC v2 — Hierarchical policy engine. Evaluation order (all-or-nothing, early exit):

Super Admin (platform:super_admin) → immediate grant
Org Isolation (userOrgId == resourceOrgId) → deny if cross-org
Org Admin Override (org:admin or org:manage) → skip remaining checks
Resource-Specific Evaluator → team isolation for API/TEAM resources
Resource Permission Check → final deny if permission missing

Permission levels: VIEW < MANAGE < ADMIN (hierarchical inheritance).

Rationale

Org-scoped resources: ORGANISATION, USER, PROJECT
Team-scoped resources: API, TEAM (require team isolation for non-READ)
Clerk provides AuthN; ABAC provides AuthZ

Consequences

Positive: Fine-grained; supports multi-tenant
Negative: Complex evaluation order; must be documented

Last updated on March 16, 2026

PDR-004 Subscription AuthZ Phased Rollout PDR-006 Agentic Integration Architecture