Roles and Groups
Use this page when assigning access through roles and groups. The chain should stay understandable before conditional or relationship rules are layered on later.
Rule
Roles grant permissions. Groups organize users and roles.
The approved chain is:
`user -> group -> role -> permission`
Not:
`user -> group -> permission`
Roles
Roles may hold permission assignments and may be assigned directly to users.
Role inheritance is not part of v1 unless a later governance page explicitly approves it.
Groups
Groups may contain users and roles. Groups must not hold direct permissions or become a hidden authority layer.
Direct Overrides
Direct user allow or deny rules are exception tools. They must be explicit, audited, and rare.
Deny wins over allow.
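The rules above can be read as a small resolver. The following is an added example, not the project's own code: the class, method names and sample data are hypothetical, and it assumes a direct deny also beats a role-derived grant. Super Admin is left out because the page places it outside the RBAC model.

```python
class AccessModel:
    """Flat v1 model: no role inheritance, no group -> permission edge."""
    def __init__(self):
        self.role_perms = {}    # role  -> set of permissions
        self.group_roles = {}   # group -> set of roles
        self.user_groups = {}   # user  -> set of groups
        self.user_roles = {}    # user  -> set of directly assigned roles
        self.overrides = {}     # user  -> set of (permission, effect)
        self.audit_log = []     # every direct override is recorded here

    def add_role_to_group(self, group, role):
        if role not in self.role_perms:
            raise ValueError(f"{role!r} is not a role; groups cannot hold permissions")
        self.group_roles.setdefault(group, set()).add(role)

    def add_override(self, user, permission, effect, reason):
        if effect not in ("allow", "deny") or not reason:
            raise ValueError("override needs effect allow/deny and a reason")
        self.overrides.setdefault(user, set()).add((permission, effect))
        self.audit_log.append((user, permission, effect, reason))

    def roles_of(self, user):
        roles = set(self.user_roles.get(user, ()))
        for group in self.user_groups.get(user, ()):
            roles |= self.group_roles.get(group, set())
        return roles

    def check(self, user, permission):
        """Return (allowed, source) so the decision path can be audited."""
        rules = self.overrides.get(user, set())
        # Assumption: a direct deny beats direct allows and role grants alike.
        if (permission, "deny") in rules:
            return False, "direct deny"
        if (permission, "allow") in rules:
            return True, "direct allow"
        for role in sorted(self.roles_of(user)):
            if permission in self.role_perms.get(role, ()):
                return True, f"role:{role}"
        return False, "no grant"

def build_sample():
    """Constructed sample data: users, groups, roles and permissions are made up."""
    m = AccessModel()
    m.role_perms = {"editor": {"post.edit", "post.publish"}, "viewer": {"post.read"}}
    m.add_role_to_group("newsroom", "editor")
    m.user_groups = {"alice": {"newsroom"}, "bob": {"newsroom"}}
    m.user_roles = {"carol": {"viewer"}}
    m.add_override("bob", "post.publish", "deny", "constructed: pending review")
    m.add_override("bob", "post.publish", "allow", "constructed: conflicting rule")
    return m
```

Returning the source of each decision (`role:editor`, `direct deny`) alongside the result makes it easy to see which users depend on overrides rather than on the approved chain.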
Super Admin
Super Admin is not a role. It is Core-owned root authority outside the RBAC model.
Permissions UI may expose visibility into this state, but it does not own root authority truth.
See Permissions/RBAC and ReBAC Scope and Permission Manifest Declarations.
Updated: 2026-05-03 17:09:55