|
| 1 | +# Identity Permissions Model |
| 2 | + |
| 3 | +## Status |
| 4 | + |
| 5 | +This is a planning document for GameFoundryStudio identity, roles, permissions, visibility, and security boundaries. |
| 6 | + |
| 7 | +It stays focused on ownership and security. It does not define storage schema, database tables, API routes, authentication implementation, authorization middleware, page behavior, or runtime behavior. |
| 8 | + |
| 9 | +This document does not authorize runtime changes, database implementation, authentication implementation, page changes, CSS changes, JavaScript changes, or schema migrations. |
| 10 | + |
| 11 | +## Core Rules |
| 12 | + |
| 13 | +- No database object can be created without an owner. |
| 14 | +- No shareable object can exist without visibility. |
| 15 | +- No editable object can exist without permissions. |
| 16 | +- Owner has full control unless restricted by platform policy. |
| 17 | +- Admin can administer platform-level records. |
| 18 | +- Moderator can moderate community/public records. |
| 19 | +- Contributor can edit only granted scopes. |
| 20 | +- Reviewer can review/approve only granted scopes. |
| 21 | +- Guest can view only public content. |
| 22 | +- Permissions must be evaluated against the object and scope, not only against the current route or UI surface. |
| 23 | +- Visibility must be explicit and must not be inferred from missing data. |
| 24 | +- Platform policy can restrict any role when required for safety, legal, moderation, abuse prevention, or operational integrity. |
| 25 | + |
| 26 | +## Identity |
| 27 | + |
| 28 | +Identity is the security foundation that connects a person or platform actor to platform-owned and user-owned records. |
| 29 | + |
| 30 | +Identity components: |
| 31 | +- User |
| 32 | +- Profile |
| 33 | +- External identity provider |
| 34 | +- Account status |
| 35 | + |
| 36 | +### User |
| 37 | + |
| 38 | +Purpose: |
| 39 | +- User is the primary platform account record. |
| 40 | +- User owns identity-linked data and may own projects, assets, comments, ratings, marketplace items, and other records. |
| 41 | + |
| 42 | +Security notes: |
| 43 | +- Every User must have a stable internal id. |
| 44 | +- User identity data is private by default. |
| 45 | +- User-owned data must not become public unless a shareable object with explicit visibility exposes it. |
| 46 | +- User records are not portable manifests. |
| 47 | + |
| 48 | +### Profile |
| 49 | + |
| 50 | +Purpose: |
| 51 | +- Profile is the user-facing identity surface. |
| 52 | +- Profile may expose display name, creator identity, avatar, public biography, links, badges, and public activity summaries. |
| 53 | + |
| 54 | +Security notes: |
| 55 | +- Profile visibility must be explicit. |
| 56 | +- Profile data should not expose private User, credential, provider, or account-status data. |
| 57 | +- Moderator or Admin actions may restrict a public Profile under platform policy. |
| 58 | + |
| 59 | +### External Identity Provider |
| 60 | + |
| 61 | +Purpose: |
| 62 | +- External identity provider links a User to an authentication source such as OAuth, SSO, email provider, or future identity service. |
| 63 | + |
| 64 | +Security notes: |
| 65 | +- Provider identifiers and credentials are private. |
| 66 | +- Provider tokens, secrets, and verification internals are never portable export data. |
| 67 | +- External identity provider records are platform-controlled even when attached to a User. |
| 68 | + |
| 69 | +### Account Status |
| 70 | + |
| 71 | +Purpose: |
| 72 | +- Account status describes whether a User can access, create, share, publish, or administer platform records. |
| 73 | + |
| 74 | +Planned statuses: |
| 75 | +- Active |
| 76 | +- Pending |
| 77 | +- Suspended |
| 78 | +- Disabled |
| 79 | +- Deleted |
| 80 | + |
| 81 | +Security notes: |
| 82 | +- Account status may restrict otherwise granted permissions. |
| 83 | +- Suspended, disabled, or deleted accounts must not silently retain active publishing, marketplace, moderation, or admin capabilities. |
| 84 | +- Account status changes should be auditable in a later implementation. |
| 85 | + |
| 86 | +## Roles |
| 87 | + |
| 88 | +| Role | Purpose | Boundary | |
| 89 | +| --- | --- | --- | |
| 90 | +| Owner | Accountable owner of an object, project, release, asset, or listing. | Full control unless restricted by platform policy. | |
| 91 | +| Admin | Platform-level administrator. | Can administer platform-level records and operational settings. | |
| 92 | +| Moderator | Community/public policy moderator. | Can moderate community, public, marketplace, rating, comment, and report surfaces. | |
| 93 | +| Creator | User creating projects, assets, manifests, releases, or marketplace content. | Can create and manage owned creator content. | |
| 94 | +| Contributor | Granted participant in a project or object scope. | Can edit only granted scopes. | |
| 95 | +| Reviewer | Granted review/approval participant. | Can review or approve only granted scopes. | |
| 96 | +| Player | User consuming playable or public game content. | Can view/play allowed content and may create allowed feedback. | |
| 97 | +| Guest | Unauthenticated or minimally identified visitor. | Can view only public content. | |
| 98 | + |
| 99 | +## Permissions |
| 100 | + |
| 101 | +| Permission | Meaning | Typical Roles | |
| 102 | +| --- | --- | --- | |
| 103 | +| View | Read an object or surface. | Owner, Admin, Moderator, Creator, Contributor, Reviewer, Player, Guest when public. | |
| 104 | +| Create | Create a new object in an allowed scope. | Owner, Admin, Creator, Contributor when granted. | |
| 105 | +| Edit | Modify an existing editable object. | Owner, Admin, Creator, Contributor when granted. | |
| 106 | +| Delete | Delete, archive, retire, or remove an object. | Owner, Admin, Moderator for moderated content when policy allows. | |
| 107 | +| Share | Change sharing or invite access. | Owner, Admin, Creator when granted. | |
| 108 | +| Publish | Produce a release or public/marketplace-facing output. | Owner, Admin, Creator, Contributor when explicitly granted. | |
| 109 | +| Review | Inspect content for approval, quality, localization, safety, or publishing readiness. | Reviewer, Moderator, Admin, Owner when policy allows. | |
| 110 | +| Approve | Mark reviewed content as approved for a workflow. | Reviewer, Moderator, Admin, Owner when policy allows. | |
| 111 | +| Moderate | Hide, restrict, restore, lock, flag, or enforce policy on community/public content. | Moderator, Admin. | |
| 112 | +| Administer | Manage platform-level records, settings, policies, and operational surfaces. | Admin. | |
| 113 | + |
| 114 | +## Permission Rules |
| 115 | + |
| 116 | +- Permissions are granted by role, ownership, object policy, project membership, platform policy, or explicit workflow assignment. |
| 117 | +- Permissions must be scoped to an object, project, team, marketplace item, release, community surface, or platform area. |
| 118 | +- Contributor permissions do not imply Publish, Review, Approve, Moderate, or Administer. |
| 119 | +- Reviewer permissions do not imply Edit, Publish, Moderate, or Administer outside the granted review scope. |
| 120 | +- Moderator permissions do not imply ownership of moderated content. |
| 121 | +- Admin permissions do not make Admin the owner of user-owned or project-owned data. |
| 122 | +- Player permissions do not imply creator permissions. |
| 123 | +- Guest permissions are limited to View on public content. |
| 124 | +- Delete should be distinguished from archive, retire, hide, or moderation removal in later implementation work. |
| 125 | + |
| 126 | +## Visibility |
| 127 | + |
| 128 | +| Visibility | Meaning | Security Boundary | |
| 129 | +| --- | --- | --- | |
| 130 | +| Private | Visible only to owner and explicitly authorized services or participants. | Default for user-owned and project-owned working data. | |
| 131 | +| Shared | Visible to explicitly invited users or granted principals. | Direct share boundary. | |
| 132 | +| Project | Visible to project participants according to project roles. | Project membership boundary. | |
| 133 | +| Team | Visible to a defined team or organization group. | Team membership boundary. | |
| 134 | +| Unlisted | Accessible by explicit link or association but not discoverable. | Link/access boundary. | |
| 135 | +| Public | Visible and discoverable to public users. | Public web boundary. | |
| 136 | +| Marketplace | Visible in marketplace discovery or listing surfaces. | Marketplace and moderation boundary. | |
| 137 | +| Admin only | Visible only to Admin or authorized platform service roles. | Platform operation boundary. | |
| 138 | + |
| 139 | +## Visibility Rules |
| 140 | + |
| 141 | +- Every shareable object must have one explicit visibility value. |
| 142 | +- Visibility cannot be null, missing, or inferred. |
| 143 | +- Public visibility does not automatically grant Edit, Delete, Publish, Review, Approve, Moderate, or Administer. |
| 144 | +- Marketplace visibility requires marketplace policy and moderation readiness. |
| 145 | +- Admin only data must not leak through public, project, marketplace, export, or manifest payloads. |
| 146 | +- Moderation visibility can override public or marketplace discoverability under platform policy. |
| 147 | + |
| 148 | +## Security Boundaries |
| 149 | + |
| 150 | +### User-Owned Data |
| 151 | + |
| 152 | +Definition: |
| 153 | +- Records owned directly by a User, such as Profile data, personal settings, user-created comments, ratings, and user-owned assets. |
| 154 | + |
| 155 | +Rules: |
| 156 | +- User-owned data requires a User owner. |
| 157 | +- Export may include safe user-facing fields when policy allows. |
| 158 | +- Private identity, credential, provider, and account-status internals must not be exposed through portable manifests. |
| 159 | + |
| 160 | +### Project-Owned Data |
| 161 | + |
| 162 | +Definition: |
| 163 | +- Records owned through a Project, such as Tool States, Assets, Palettes, Game Manifest records, Releases, and project-linked Marketplace Items. |
| 164 | + |
| 165 | +Rules: |
| 166 | +- Project-owned data requires a Project owner and project permission policy. |
| 167 | +- Project visibility controls project-level access. |
| 168 | +- Child objects may need separate visibility when shared outside the project. |
| 169 | + |
| 170 | +### Public Data |
| 171 | + |
| 172 | +Definition: |
| 173 | +- Records visible to unauthenticated users or all authenticated users, such as public profiles, public releases, public comments, public community content, or public project surfaces. |
| 174 | + |
| 175 | +Rules: |
| 176 | +- Public data still has an owner. |
| 177 | +- Public data still has permissions. |
| 178 | +- Public data may be moderated, hidden, or retired under platform policy. |
| 179 | + |
| 180 | +### Marketplace Data |
| 181 | + |
| 182 | +Definition: |
| 183 | +- Records exposed through marketplace listing, discovery, asset, game, template, bundle, or creator surfaces. |
| 184 | + |
| 185 | +Rules: |
| 186 | +- Marketplace data requires owner, visibility, permissions, listing policy, and moderation readiness. |
| 187 | +- Marketplace data may reference project-owned or user-owned source records without transferring ownership. |
| 188 | +- Marketplace transaction or operational data is not portable manifest data. |
| 189 | + |
| 190 | +### Admin-Only Data |
| 191 | + |
| 192 | +Definition: |
| 193 | +- Platform operational records, policy records, security records, system settings, audit records, and protected moderation/admin surfaces. |
| 194 | + |
| 195 | +Rules: |
| 196 | +- Admin-only data is platform-controlled. |
| 197 | +- Admin-only data may be visible to Admin and authorized Service roles. |
| 198 | +- Admin-only data must not appear in user exports, manifests, marketplace payloads, or public data. |
| 199 | + |
| 200 | +### Moderation Data |
| 201 | + |
| 202 | +Definition: |
| 203 | +- Reports, enforcement decisions, hidden states, review notes, policy flags, moderation queues, and moderation audit history. |
| 204 | + |
| 205 | +Rules: |
| 206 | +- Moderation data is platform-controlled or moderator-scoped. |
| 207 | +- Moderation state may affect public or marketplace visibility. |
| 208 | +- Moderation internals are not portable export/import data. |
| 209 | +- Moderation actions should be auditable in a future implementation. |
| 210 | + |
| 211 | +## Next Sequence |
| 212 | + |
| 213 | +Platform implementation should proceed in this order: |
| 214 | + |
| 215 | +```text |
| 216 | +Users/Identity |
| 217 | +-> Roles/Permissions |
| 218 | +-> Visibility |
| 219 | +-> Projects |
| 220 | +-> Storage |
| 221 | +-> Tool State persistence |
| 222 | +``` |
| 223 | + |
| 224 | +Sequence rules: |
| 225 | +- Users/Identity must exist before durable ownership. |
| 226 | +- Roles/Permissions must exist before editable shared objects. |
| 227 | +- Visibility must exist before shareable objects. |
| 228 | +- Projects must exist before project-owned tool state, assets, palettes, manifests, releases, or marketplace content. |
| 229 | +- Storage must exist before Tool State persistence. |
| 230 | +- Tool State persistence must not arrive before ownership, permissions, visibility, and project boundaries are defined. |
| 231 | + |
| 232 | +## Non-Goals |
| 233 | + |
| 234 | +This document does not: |
| 235 | +- define database storage |
| 236 | +- define SQL schema |
| 237 | +- define API routes |
| 238 | +- implement authentication |
| 239 | +- implement authorization checks |
| 240 | +- implement storage |
| 241 | +- implement Tool State persistence |
| 242 | +- implement Admin pages |
| 243 | +- implement Account pages |
| 244 | +- change runtime behavior |
| 245 | +- change CSS, HTML, JavaScript, TypeScript, or JSON files |
0 commit comments