Skip to content

Platform Roles & Actions

Role Description
platform_admin Full access to all platform operations. Wildcard (*) permission.
platform_operator Tenant management, full impersonation (read + write), read access to users, keys, and roles.
platform_viewer Read-only access to all platform resources.

The three built-in platform roles are seeded by migration into org_platform. Custom platform roles can be created — see Platform RBAC.

Built-in platform roles cannot be deleted or renamed via the API. Attempts to do so return 400 cannot delete built-in role / 400 cannot update built-in role and emit a delete_blocked / update_blocked audit event.


Action Description
platform:users:read List and view platform users
platform:users:manage Create, update, and delete platform users
platform:keys:read List and view platform API keys
platform:keys:manage Create, rotate, and delete platform API keys
platform:roles:read List and view platform roles
platform:roles:manage Create, update, and delete custom roles
platform:tenants:read List and view tenant organizations
platform:tenants:manage Provision and delete tenant organizations
platform:impersonate:read Read-only impersonation of tenant orgs (GET, HEAD, OPTIONS)
platform:impersonate Write access to tenant orgs (POST, PUT, DELETE)
platform:audit:read Query the platform audit log
platform:policies:read List and view platform policies
platform:policies:manage Create, update, and delete platform policies

Action Admin Operator Viewer
platform:users:read Yes Yes Yes
platform:users:manage Yes
platform:keys:read Yes Yes Yes
platform:keys:manage Yes
platform:roles:read Yes Yes Yes
platform:roles:manage Yes
platform:tenants:read Yes Yes Yes
platform:tenants:manage Yes Yes
platform:impersonate:read Yes Yes Yes
platform:impersonate Yes Yes
platform:policies:read Yes
platform:policies:manage Yes
platform:audit:read Yes Yes Yes

The platform middleware maps HTTP methods and paths to actions:

Path Pattern GET POST/PUT/DELETE
/api/v1/platform/users* platform:users:read platform:users:manage
/api/v1/apikeys?platform=true platform:keys:read platform:keys:manage
/api/v1/platform/roles* platform:roles:read platform:roles:manage
/api/v1/platform/policies* platform:policies:read platform:policies:manage
/api/v1/platform/tenants* (or /api/v1/platform/orgs*) platform:tenants:read platform:tenants:manage
/api/v1/platform/audit* platform:audit:read platform:audit:read
/api/v1/platform/auth* (public) (public)

Notes:

  • Platform API keys are listed/managed through the tenant /api/v1/apikeys route with ?platform=true; the action is selected inline by the apikey handler (platform:keys:read for GET, platform:keys:manage otherwise).
  • The audit path maps to platform:audit:read for any HTTP method. Only GET routes are registered today, so non-GET requests 404 before authz runs.

For impersonation (non-platform endpoints with X-Ironflow-Org header):

HTTP Method Required Action
GET, HEAD, OPTIONS platform:impersonate:read
POST, PUT, DELETE platform:impersonate

Resource Prefix Example
Platform user puser_ puser_a1b2c3d4
API key (all types) ak_ ak_e5f6g7h8
Role (built-in) role_ role_platform_admin
Role (custom platform) prole_ prole_a1b2c3d4
Policy (unified) pol_ pol_def456
Tenant (organization) org_ org_x1y2z3w4
Platform key value ifplatform_ ifplatform_a1b2... (43 chars)
Tenant key value ifkey_ ifkey_a1b2... (38 chars)