Rules Structure
Rules are the fundamental building blocks that define access to specific resources and actions.
Rule Definition
```typescript
interface Rule {
  rlid: string // Unique rule identifier (UUID)
  name: string // Human-readable name
  resource: string // Resource path (e.g., '/users', '/wallets/:wid')
  action: string // Operation (e.g., 'create', 'edit', 'delete', 'list', 'get')
  description: string // Description of what the rule allows
}
```

Creating a Rule
```typescript
import { v4 as uuidv4 } from 'uuid'
// broadcastRequest is the platform's request helper; its import path is not shown on this page.

const createRuleResult = await broadcastRequest({
  action: 'add',
  resource: '/rules',
  details: {
    rlid: uuidv4(),
    name: 'create-users-rule',
    resource: '/users',
    action: 'create',
    description: 'Allows creating new users',
  },
})
// The rule identifier is returned in the response details
const ruleId = createRuleResult.details.rlid
```

Resource Path Patterns
| Pattern | Example | Description |
|---|---|---|
| Static path | /users | Exact resource match |
| Parameterized | /wallets/:wid | Wallet-specific resource |
| Nested | /wallets/:wid/balances | Sub-resource of a wallet |
| Wildcard | * | All resources |
Common Actions
| Action | Description |
|---|---|
| list | Retrieve collection of resources |
| get | Retrieve single resource |
| create | Create new resource |
| add | Add item to collection (e.g., spend-request) |
| edit | Modify existing resource |
| delete | Remove resource |
| invite | Send user invitation |
| approve | Approve a proposal |
| review | Review a proposal |
| addUsers | Add users to role/group |
| removeUsers | Remove users from role/group |
| addRules | Add rules to role |
| removeRules | Remove rules from role |
| addRecipients | Add recipients to group |
| removeRecipients | Remove recipients from group |
| * | All actions (wildcard) |
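To make the two tables concrete, here is an added example of how a request is checked against a list of `Rule` objects. It is not the platform's own authorizer; the matching semantics are assumptions: patterns are compared segment by segment, a `:wid`-style segment binds exactly one request segment, `*` matches any resource or any action, the first matching rule wins, and a request with no matching rule is denied.

```typescript
// Added example, not the platform's own authorizer. Assumptions: segment-by-segment
// matching, ':param' binds one segment, '*' means any resource/action, default deny.

interface Rule {
  rlid: string
  name: string
  resource: string
  action: string
  description: string
}

// A successful match: the granting rule plus any path parameters it bound (e.g. wid).
interface Match {
  rule: Rule
  params: Record<string, string>
}

function splitPath(p: string): string[] {
  return p.split('/').filter((seg) => seg.length > 0)
}

// Compare a concrete request path with a rule's resource pattern.
// Returns the bound parameters on success, or null when the pattern does not apply.
function matchResource(pattern: string, path: string): Record<string, string> | null {
  if (pattern === '*') return {} // wildcard rule covers every resource
  const pat = splitPath(pattern)
  const req = splitPath(path)
  // Same segment count required: '/wallets/:wid' does not cover '/wallets/:wid/balances'
  if (pat.length !== req.length) return null
  const params: Record<string, string> = {}
  for (let i = 0; i < pat.length; i++) {
    const p = pat[i] ?? ''
    const r = req[i] ?? ''
    if (p.startsWith(':')) {
      params[p.slice(1)] = r // ':wid' binds exactly this segment
    } else if (p !== r) {
      return null // a static segment must match exactly
    }
  }
  return params
}

function matchAction(pattern: string, action: string): boolean {
  return pattern === '*' || pattern === action
}

// Return the first rule granting (resource, action), or null when none does (default deny).
function authorize(rules: Rule[], resource: string, action: string): Match | null {
  for (const rule of rules) {
    if (!matchAction(rule.action, action)) continue
    const params = matchResource(rule.resource, resource)
    if (params !== null) return { rule, params }
  }
  return null
}

// Constructed sample rule set; the rlid values are placeholders, not real UUIDs.
const sampleRules: Rule[] = [
  { rlid: 'rule-0001', name: 'list-users', resource: '/users', action: 'list', description: 'List users' },
  { rlid: 'rule-0002', name: 'wallet-balances', resource: '/wallets/:wid/balances', action: 'get', description: 'Read one wallet balance sheet' },
  { rlid: 'rule-0003', name: 'all-wallet-actions', resource: '/wallets', action: '*', description: 'All operations on wallets' },
]
```

Under these assumptions a rule on `/wallets` with action `*` does not reach `/wallets/:wid` or `/wallets/:wid/balances`, so wallet-scoped access still needs rules on the nested paths; whether the real platform treats a parent path as covering its sub-resources is something to confirm before relying on it, because the answer decides how much a single wildcard-action rule grants.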
Wildcard Rules
```typescript
// Super Admin rule - access everything
const superAdminRule = {
  rlid: uuidv4(),
  name: 'full-access',
  resource: '*',
  action: '*',
  description: 'Full access to all resources and actions',
}

// All actions on specific resource
const allWalletActions = {
  rlid: uuidv4(),
  name: 'all-wallet-actions',
  resource: '/wallets',
  action: '*',
  description: 'All operations on wallets',
}
```

Proposal Approval Filters
Rules for proposal approval can include filters that restrict which proposals a user can approve. This enables fine-grained control over the approval workflow.
Filter Syntax
Filters use a simple expression syntax to evaluate proposal properties:
```typescript
// Basic equality
filter: `proposal.wallet_id == '${walletId}'`

// IN operator for multiple values
filter: `proposal.resource IN ['/users', '/wallets', '/policies']`

// Property access
filter: `proposal.details.amount < 10000`
```

Filter Properties
| Property | Description |
|---|---|
| proposal.resource | The resource being modified |
| proposal.action | The action being taken |
| proposal.wallet_id | The wallet ID (for wallet-scoped proposals) |
| proposal.details.* | Access to proposal detail fields |
| proposal.creator_id | The user who created the proposal |
Example: Workspace Owner Approval Filter
Workspace owners can only approve proposals affecting workspace resources:
```typescript
{
  resource: '/proposals',
  action: 'approve',
  filter: `proposal.resource IN [
    '/users',
    '/signers',
    '/roles',
    '/policies',
    '/wallets',
    '/groups',
    '/recipients',
    '/recipient-groups',
    '/assets'
  ]`,
}
```

Example: Wallet-Scoped Approval Filter
Wallet maintainers can only approve proposals for their assigned wallets:
```typescript
{
  resource: '/proposals',
  action: 'approve',
  filter: `proposal.wallet_id == '${walletId}'`,
}
```

Example: Transaction Amount Filter
Restrict approval based on transaction amount:
```typescript
{
  resource: '/proposals',
  action: 'approve',
  filter: `proposal.details.amount <= 100000 && proposal.wallet_id == '${walletId}'`,
}
```
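The filter syntax and filter properties above, as an added example evaluator that is not the platform's own implementation: it tokenizes a filter string and evaluates the documented forms, equality, `IN [...]` and numeric `<` / `<=`, joined with `&&`, against one proposal object. The grammar and the fail-closed behaviour (an unknown property, or a string compared numerically, throws instead of quietly deciding the approval either way) are assumptions of this example.

```typescript
// Added example, not the platform's evaluator: tokenizer + recursive-descent evaluator for
// the filter syntax on this page. Grammar and fail-closed error handling are assumptions.
type Literal = string | number
type Operand = Literal | Literal[]
interface Token { kind: 'str' | 'num' | 'ident' | 'op'; value: string | number }

// Longer operators first so '<=' is not read as '<' followed by a stray '='.
const OPERATORS = ['==', '<=', '<', '&&', '[', ']', ',']

function tokenize(src: string): Token[] {
  const tokens: Token[] = []
  let i = 0
  while (i < src.length) {
    const ch = src.charAt(i), rest = src.slice(i)
    if (/\s/.test(ch)) { i += 1; continue } // whitespace and newlines are insignificant
    if (ch === "'") { // single-quoted string literal such as '/users'
      const end = src.indexOf("'", i + 1)
      if (end < 0) throw new Error('unterminated string literal')
      tokens.push({ kind: 'str', value: src.slice(i + 1, end) })
      i = end + 1
      continue
    }
    const op = OPERATORS.find((o) => rest.startsWith(o))
    if (op) { tokens.push({ kind: 'op', value: op }); i += op.length; continue }
    const num = /^\d+(\.\d+)?/.exec(rest)
    if (num) { tokens.push({ kind: 'num', value: Number(num[0]) }); i += num[0].length; continue }
    const ident = /^[A-Za-z_][A-Za-z0-9_.]*/.exec(rest) // property path or the IN keyword
    if (ident) { tokens.push({ kind: 'ident', value: ident[0] }); i += ident[0].length; continue }
    throw new Error(`unexpected character '${ch}' at offset ${i}`)
  }
  return tokens
}

// Resolve a path such as proposal.details.amount; an unknown path throws (fail closed).
function lookup(ctx: Record<string, unknown>, path: string): Literal {
  let cur: unknown = ctx
  for (const part of path.split('.')) {
    if (cur === null || typeof cur !== 'object' || !Object.prototype.hasOwnProperty.call(cur, part)) {
      throw new Error(`unknown property '${path}'`)
    }
    cur = (cur as Record<string, unknown>)[part]
  }
  if (typeof cur !== 'string' && typeof cur !== 'number') throw new Error(`'${path}' is not a string or number`)
  return cur
}

function compare(op: string, a: Literal, b: Literal): boolean {
  if (op === '==') return a === b // strict: the string '100' never equals the number 100
  if (typeof a !== 'number' || typeof b !== 'number') throw new Error(`'${op}' needs numeric operands`)
  if (op === '<') return a < b
  if (op === '<=') return a <= b
  throw new Error(`unknown operator '${op}'`)
}

// Evaluate one filter for one proposal object, e.g. { resource: '/users', details: { amount: 5 } }.
function evaluateFilter(filter: string, proposal: Record<string, unknown>): boolean {
  const tokens = tokenize(filter)
  const ctx: Record<string, unknown> = { proposal }
  let pos = 0
  const next = (): Token => {
    const t = tokens[pos++]
    if (!t) throw new Error('unexpected end of filter')
    return t
  }
  // operand := 'string' | number | property.path | '[' operand (',' operand)* ']'
  const operand = (): Operand => {
    const t = next()
    if (t.kind === 'str' || t.kind === 'num') return t.value
    if (t.kind === 'ident') return lookup(ctx, String(t.value))
    if (t.value !== '[') throw new Error(`unexpected token '${t.value}'`)
    const items: Literal[] = []
    for (;;) {
      const item = operand()
      if (Array.isArray(item)) throw new Error('nested lists are not supported')
      items.push(item)
      const sep = next()
      if (sep.value === ']') return items
      if (sep.value !== ',') throw new Error(`expected ',' or ']', got '${sep.value}'`)
    }
  }
  // comparison := operand ('==' | '<' | '<=' | 'IN') operand
  const comparison = (): boolean => {
    const left = operand()
    const op = next()
    const right = operand()
    if (op.kind === 'ident' && op.value === 'IN') {
      if (Array.isArray(left) || !Array.isArray(right)) throw new Error('IN needs a scalar and a list')
      return right.includes(left)
    }
    if (op.kind !== 'op' || Array.isArray(left) || Array.isArray(right)) throw new Error(`bad comparison at '${op.value}'`)
    return compare(String(op.value), left, right)
  }
  // filter := comparison ('&&' comparison)*
  let result = comparison()
  while (pos < tokens.length) {
    const t = next()
    if (t.kind !== 'op' || t.value !== '&&') throw new Error(`unexpected token '${t.value}'`)
    result = comparison() && result // right side is always parsed, so syntax errors surface
  }
  return result
}
```

Two design choices matter for an approval gate: the right-hand side of `&&` is parsed even when the left side is already false, so a malformed filter is rejected every time rather than only for some proposals, and a property that is absent from the proposal (for example `proposal.wallet_id` on a proposal that is not wallet-scoped) raises an error instead of being treated as "not equal", which would otherwise let a `==` filter silently deny and an `IN` filter silently deny while a future negated form could silently allow.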