| Role |
Description |
platform_admin |
Full access to all platform operations. Wildcard (*) permission. |
platform_operator |
Tenant management, full impersonation (read + write), read access to users, keys, and roles. |
platform_viewer |
Read-only access to all platform resources. |
The three built-in platform roles are seeded by migration into org_platform. Custom platform roles can be created — see Platform RBAC.
Built-in platform roles cannot be deleted or renamed via the API. Attempts to do so return 400 cannot delete built-in role / 400 cannot update built-in role and emit a delete_blocked / update_blocked audit event.
| Action |
Description |
platform:users:read |
List and view platform users |
platform:users:manage |
Create, update, and delete platform users |
platform:keys:read |
List and view platform API keys |
platform:keys:manage |
Create, rotate, and delete platform API keys |
platform:roles:read |
List and view platform roles |
platform:roles:manage |
Create, update, and delete custom roles |
platform:tenants:read |
List and view tenant organizations |
platform:tenants:manage |
Provision and delete tenant organizations |
platform:impersonate:read |
Read-only impersonation of tenant orgs (GET, HEAD, OPTIONS) |
platform:impersonate |
Write access to tenant orgs (POST, PUT, DELETE) |
platform:audit:read |
Query the platform audit log |
platform:policies:read |
List and view platform policies |
platform:policies:manage |
Create, update, and delete platform policies |
| Action |
Admin |
Operator |
Viewer |
platform:users:read |
Yes |
Yes |
Yes |
platform:users:manage |
Yes |
— |
— |
platform:keys:read |
Yes |
Yes |
Yes |
platform:keys:manage |
Yes |
— |
— |
platform:roles:read |
Yes |
Yes |
Yes |
platform:roles:manage |
Yes |
— |
— |
platform:tenants:read |
Yes |
Yes |
Yes |
platform:tenants:manage |
Yes |
Yes |
— |
platform:impersonate:read |
Yes |
Yes |
Yes |
platform:impersonate |
Yes |
Yes |
— |
platform:policies:read |
Yes |
— |
— |
platform:policies:manage |
Yes |
— |
— |
platform:audit:read |
Yes |
Yes |
Yes |
The platform middleware maps HTTP methods and paths to actions:
| Path Pattern |
GET |
POST/PUT/DELETE |
/api/v1/platform/users* |
platform:users:read |
platform:users:manage |
/api/v1/apikeys?platform=true |
platform:keys:read |
platform:keys:manage |
/api/v1/platform/roles* |
platform:roles:read |
platform:roles:manage |
/api/v1/platform/policies* |
platform:policies:read |
platform:policies:manage |
/api/v1/platform/tenants* (or /api/v1/platform/orgs*) |
platform:tenants:read |
platform:tenants:manage |
/api/v1/platform/audit* |
platform:audit:read |
platform:audit:read |
/api/v1/platform/auth* |
(public) |
(public) |
Notes:
- Platform API keys are listed/managed through the tenant
/api/v1/apikeys route with ?platform=true; the action is selected inline by the apikey handler (platform:keys:read for GET, platform:keys:manage otherwise).
- The audit path maps to
platform:audit:read for any HTTP method. Only GET routes are registered today, so non-GET requests 404 before authz runs.
For impersonation (non-platform endpoints with X-Ironflow-Org header):
| HTTP Method |
Required Action |
| GET, HEAD, OPTIONS |
platform:impersonate:read |
| POST, PUT, DELETE |
platform:impersonate |
| Resource |
Prefix |
Example |
| Platform user |
puser_ |
puser_a1b2c3d4 |
| API key (all types) |
ak_ |
ak_e5f6g7h8 |
| Role (built-in) |
role_ |
role_platform_admin |
| Role (custom platform) |
prole_ |
prole_a1b2c3d4 |
| Policy (unified) |
pol_ |
pol_def456 |
| Tenant (organization) |
org_ |
org_x1y2z3w4 |
| Platform key value |
ifplatform_ |
ifplatform_a1b2... (43 chars) |
| Tenant key value |
ifkey_ |
ifkey_a1b2... (38 chars) |