Platform Roles & Actions

Built-in Roles

Role	Description
`platform_admin`	Full access to all platform operations. Wildcard (`*`) permission.
`platform_operator`	Tenant management, full impersonation (read + write), read access to users, keys, and roles.
`platform_viewer`	Read-only access to all platform resources.

The three built-in platform roles are seeded by migration into org_platform. Custom platform roles can be created — see Platform RBAC.

Built-in protection gap

Today the delete/update protection check gates on the is_default flag, and the platform built-ins are seeded with is_default=0. They are effectively unprotected at the handler level. Track issue: built-in platform roles should be either seeded with is_default=1 or guarded by an explicit ID allowlist (matching the tenant role handler).

Actions

Action	Description
`platform:users:read`	List and view platform users
`platform:users:manage`	Create, update, and delete platform users
`platform:keys:read`	List and view platform API keys
`platform:keys:manage`	Create, rotate, and delete platform API keys
`platform:roles:read`	List and view platform roles and policies
`platform:roles:manage`	Create, update, and delete custom roles and policies
`platform:tenants:read`	List and view tenant organizations
`platform:tenants:manage`	Provision and delete tenant organizations
`platform:impersonate:read`	Read-only impersonation of tenant orgs (GET, HEAD, OPTIONS)
`platform:impersonate`	Write access to tenant orgs (POST, PUT, DELETE)
`platform:audit:read`	Query the platform audit log
`platform:policies:read`	List and view platform policies
`platform:policies:manage`	Create, update, and delete platform policies

Actions by Role

Action	Admin	Operator	Viewer
`platform:users:read`	Yes	Yes	Yes
`platform:users:manage`	Yes	—	—
`platform:keys:read`	Yes	Yes	Yes
`platform:keys:manage`	Yes	—	—
`platform:roles:read`	Yes	Yes	Yes
`platform:roles:manage`	Yes	—	—
`platform:tenants:read`	Yes	Yes	Yes
`platform:tenants:manage`	Yes	Yes	—
`platform:impersonate:read`	Yes	Yes	Yes
`platform:impersonate`	Yes	Yes	—
`platform:policies:read`	Yes	—	—
`platform:policies:manage`	Yes	—	—
`platform:audit:read`	Yes	Yes	Yes

HTTP Method Mapping

The platform middleware maps HTTP methods and paths to actions:

Path Pattern	GET	POST/PUT/DELETE
`/api/v1/platform/users*`	`platform:users:read`	`platform:users:manage`
`/api/v1/apikeys?platform=true`	`platform:keys:read`	`platform:keys:manage`
`/api/v1/platform/roles*`	`platform:roles:read`	`platform:roles:manage`
`/api/v1/platform/policies*`	`platform:policies:read`	`platform:policies:manage`
`/api/v1/platform/tenants` (or `/api/v1/platform/orgs`)	`platform:tenants:read`	`platform:tenants:manage`
`/api/v1/platform/audit*`	`platform:audit:read`	`platform:audit:read`
`/api/v1/platform/auth*`	(public)	(public)

Notes:

Platform API keys are listed/managed through the tenant /api/v1/apikeys route with ?platform=true; the action is selected inline by the apikey handler (platform:keys:read for GET, platform:keys:manage otherwise).
The audit path maps to platform:audit:read for any HTTP method. Only GET routes are registered today, so non-GET requests 404 before authz runs.

For impersonation (non-platform endpoints with X-Ironflow-Org header):

HTTP Method	Required Action
GET, HEAD, OPTIONS	`platform:impersonate:read`
POST, PUT, DELETE	`platform:impersonate`

ID Formats

Resource	Prefix	Example
Platform user	`puser_`	`puser_a1b2c3d4`
API key (all types)	`ak_`	`ak_e5f6g7h8`
Role (built-in)	`role_`	`role_platform_admin`
Role (custom platform)	`prole_`	`prole_a1b2c3d4`
Policy (unified)	`pol_`	`pol_def456`
Tenant (organization)	`org_`	`org_x1y2z3w4`
Platform key value	`ifplatform_`	`ifplatform_a1b2...` (43 chars)
Tenant key value	`ifkey_`	`ifkey_a1b2...` (38 chars)