AuthorizationService
此内容尚不支持你的语言。
Resolves the effective permission set for a principal so a resource server can make authorization decisions without owning the role and permission data itself.
Methods
Section titled “Methods”| Method | Description |
|---|---|
ResolvePrincipalPermissions |
Resolve the effective permissions for one (subject, org, principal type) |
CheckOrgSuspended |
Check whether an organization is currently suspended |
Principal Types
Section titled “Principal Types”| Value | Description |
|---|---|
PRINCIPAL_TYPE_USER |
An end user identified by their user UUID, scoped to one organization. |
PRINCIPAL_TYPE_ORG |
An organization acting as its own principal (e.g. a service identity operating on behalf of the whole org rather than a member). |
PRINCIPAL_TYPE_STAFF |
A platform staff principal whose permissions derive from a platform role. |
ResolvePrincipalPermissions
Section titled “ResolvePrincipalPermissions”Resolve the effective permissions for one (subject, org, principal type). Returns the principal’s full permission set — it is never narrowed by an OAuth scope. The calling resource server is responsible for intersecting the result with the permissions granted by the token’s scope (effective permissions = scope ∩ role).
An unresolvable subject or organization yields an empty permission set with no error. A missing subject, missing org_id, or PRINCIPAL_TYPE_UNSPECIFIED is rejected with INVALID_ARGUMENT.
Authorization: Internal service only
Request: ResolvePrincipalPermissionsRequest
Section titled “Request: ResolvePrincipalPermissionsRequest”| Field | Type | Description |
|---|---|---|
subject |
string |
UUID of the subject whose permissions are being resolved. |
org_id |
string |
Organization the resolution is scoped to. |
principal_type |
PrincipalType |
Kind of principal identified by subject. |
Response: ResolvePrincipalPermissionsResponse
Section titled “Response: ResolvePrincipalPermissionsResponse”| Field | Type | Description |
|---|---|---|
permissions |
Permission[] |
Flattened, deduplicated set of permissions granted to the principal in the requested organization. Empty when the principal has no grants. |
CheckOrgSuspended
Section titled “CheckOrgSuspended”Check whether an organization is currently suspended. Serving backends may answer from a short-TTL cache, so callers can observe bounded staleness after a suspension state change.
Authorization: Internal service only
Request: CheckOrgSuspendedRequest
Section titled “Request: CheckOrgSuspendedRequest”| Field | Type | Description |
|---|---|---|
org_id |
string |
Organization whose suspension state is being checked. |
Response: CheckOrgSuspendedResponse
Section titled “Response: CheckOrgSuspendedResponse”| Field | Type | Description |
|---|---|---|
suspended |
bool |
True when the organization is currently suspended. |