跳转到内容

AuthorizationService

此内容尚不支持你的语言。

Resolves the effective permission set for a principal so a resource server can make authorization decisions without owning the role and permission data itself.

Method Description
ResolvePrincipalPermissions Resolve the effective permissions for one (subject, org, principal type)
CheckOrgSuspended Check whether an organization is currently suspended
Value Description
PRINCIPAL_TYPE_USER An end user identified by their user UUID, scoped to one organization.
PRINCIPAL_TYPE_ORG An organization acting as its own principal (e.g. a service identity operating on behalf of the whole org rather than a member).
PRINCIPAL_TYPE_STAFF A platform staff principal whose permissions derive from a platform role.

Resolve the effective permissions for one (subject, org, principal type). Returns the principal’s full permission set — it is never narrowed by an OAuth scope. The calling resource server is responsible for intersecting the result with the permissions granted by the token’s scope (effective permissions = scope ∩ role).

An unresolvable subject or organization yields an empty permission set with no error. A missing subject, missing org_id, or PRINCIPAL_TYPE_UNSPECIFIED is rejected with INVALID_ARGUMENT.

Authorization: Internal service only

Request: ResolvePrincipalPermissionsRequest

Section titled “Request: ResolvePrincipalPermissionsRequest”
Field Type Description
subject string UUID of the subject whose permissions are being resolved.
org_id string Organization the resolution is scoped to.
principal_type PrincipalType Kind of principal identified by subject.

Response: ResolvePrincipalPermissionsResponse

Section titled “Response: ResolvePrincipalPermissionsResponse”
Field Type Description
permissions Permission[] Flattened, deduplicated set of permissions granted to the principal in the requested organization. Empty when the principal has no grants.

Check whether an organization is currently suspended. Serving backends may answer from a short-TTL cache, so callers can observe bounded staleness after a suspension state change.

Authorization: Internal service only

Field Type Description
org_id string Organization whose suspension state is being checked.
Field Type Description
suspended bool True when the organization is currently suspended.