… roles Customers can now turn the Employee Compliance obligation on/off for built-in roles (owner, admin, etc.) directly from the system role detail page. The toggle was previously locked, so an organization had no way to disable the compliance tasks owners are required to complete by default — or to opt admins into them — without creating a custom role. Storage reuses the existing `organization_role.obligations` JSON column: an upserted row keyed by the built-in role name acts as a per-org override and wins over `BUILT_IN_ROLE_OBLIGATIONS` in every read path (compliance member filter, portal access, frontend permissions hook, policy acknowledgment digest). Permissions stay sourced from the hardcoded defaults — only the obligation is overridable. Override rows are filtered out of `listRoles`'s custom-roles list and surfaced as effective obligations on the built-in entries instead.

New API endpoints:

- GET /v1/roles/built-in/:name/obligations
- PATCH /v1/roles/built-in/:name/obligations

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The customer request was specifically about Admin and Owner — keep the toggle locked for auditor, employee, and contractor so we don't expand the surface beyond what was asked. Enforced both client-side (`obligationsEditable` only flips on for owner/admin in the system role page) and server-side (`updateBuiltInObligations` rejects the rest with a 400). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Reverts the change to the inlined BUILT_IN_ROLE_OBLIGATIONS in the digest
helper — the stale `admin: { compliance: true }` was pre-existing and not
in scope for this PR. The override merge logic stays so the owner/admin
toggle still flows through to the digest when an override row exists.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ackage
The inlined snapshot still said `admin: { compliance: true }` even though
the auth package itself was changed to `admin: {}` in 9316c6d — so the
toggle on the Admin role page had no effect on digest emails. Sync them so
turning the toggle off actually stops admin reminders.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Addresses two issues from review:

- DTO now uses a nested class with @IsBoolean on `compliance`, so non-boolean values are rejected at validation time instead of being stored in the JSON column.
- System role detail resyncs `currentObligations` when `roleName` changes, so navigating between built-in role pages without a hard reload doesn't display stale toggle state from the previous role.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…allback Two review fixes:

- The 20-custom-role limit now ignores rows that exist only as obligation overrides for built-in roles (name in BUILT_IN_ROLES), so toggling owner or admin doesn't shrink the customer's custom-role budget.
- Override semantics tightened: a DB row whose obligations JSON has no `compliance` key falls back to the hardcoded built-in default instead of silently disabling it. Only an explicit true/false on the override now wins over the default. Applied in all 4 read paths (compliance member filter, portal access, digest helper, roles.service.getObligationsForRoles).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Centralize the override-resolution rule in `resolveEffectiveObligations`
so the UI (`getBuiltInObligations`, `listRoles`) and the enforcement
path (`getObligationsForRoles`) all apply the same fallback: a DB row
only wins when `compliance` is explicitly set, otherwise fall back to
the built-in default.
Previously a row stored as `{}` would make the UI show the toggle as
off while the enforcement layer kept treating the role as carrying the
built-in compliance obligation — a divergence cubic flagged.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
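The override-resolution rule described in the two commit messages above (a DB row wins only when `compliance` is an explicit boolean, otherwise the built-in default applies; override rows for built-in roles do not count against the custom-role budget), as an added TypeScript example that is not the project's code. Only the names `BUILT_IN_ROLE_OBLIGATIONS`, `BUILT_IN_ROLES` and `resolveEffectiveObligations` come from the commit messages; the default values, the row type, the PATCH validator, the budget helpers and the sample rows are assumptions made for this example.

```typescript
// Added example, not code from the PR. It models the rule the commits above
// describe so the three behaviours (explicit-boolean override, fallback to the
// built-in default, override rows excluded from the custom-role budget) can be
// exercised stand-alone. Everything except the names BUILT_IN_ROLE_OBLIGATIONS,
// BUILT_IN_ROLES and resolveEffectiveObligations is assumed here.

type Obligations = { compliance?: boolean };

// Hardcoded defaults (assumed values: the page only says owners carry the
// compliance obligation by default and that admin was changed to `{}`).
const BUILT_IN_ROLE_OBLIGATIONS: Record<string, Obligations> = {
  owner: { compliance: true },
  admin: {},
  auditor: {},
  employee: {},
  contractor: {},
};
const BUILT_IN_ROLES = new Set(Object.keys(BUILT_IN_ROLE_OBLIGATIONS));
// Only these two built-in roles accept an override (the rest are rejected with 400).
const OVERRIDABLE_BUILT_IN_ROLES = new Set(["owner", "admin"]);
const CUSTOM_ROLE_LIMIT = 20;

// Minimal shape of an organization_role row for this example.
interface OrganizationRoleRow {
  name: string;
  obligations: unknown; // JSON column: may be null, {}, or a malformed value
}

// Central rule: the override row wins only when `compliance` is an explicit
// boolean. A missing key, a null row, or a non-boolean value falls back to the
// hardcoded default, so a row stored as `{}` cannot silently disable anything.
function resolveEffectiveObligations(
  roleName: string,
  row?: OrganizationRoleRow,
): { compliance: boolean } {
  const fallback = BUILT_IN_ROLE_OBLIGATIONS[roleName] ?? {};
  const raw: unknown = row?.obligations;
  const candidate = raw as { compliance?: unknown } | null | undefined;
  if (candidate && typeof candidate === "object" && typeof candidate.compliance === "boolean") {
    return { compliance: candidate.compliance };
  }
  return { compliance: fallback.compliance === true };
}

type PatchResult =
  | { ok: true; value: { compliance: boolean } }
  | { ok: false; status: 400; reason: string };

// Server-side guard for the PATCH endpoint: the role must be owner/admin and
// the body must carry an explicit boolean, mirroring the @IsBoolean DTO check.
function validateObligationsPatch(roleName: string, body: unknown): PatchResult {
  if (!OVERRIDABLE_BUILT_IN_ROLES.has(roleName)) {
    return { ok: false, status: 400, reason: `obligations of built-in role '${roleName}' are not editable` };
  }
  const compliance = (body as { compliance?: unknown } | null | undefined)?.compliance;
  if (typeof compliance !== "boolean") {
    return { ok: false, status: 400, reason: "compliance must be a boolean" };
  }
  return { ok: true, value: { compliance } };
}

// Custom-role budget: rows whose name is a built-in role exist only as
// obligation overrides and must not consume the 20-custom-role limit.
function countCustomRoles(rows: OrganizationRoleRow[]): number {
  return rows.filter((r) => !BUILT_IN_ROLES.has(r.name)).length;
}
function canCreateCustomRole(rows: OrganizationRoleRow[]): boolean {
  return countCustomRoles(rows) < CUSTOM_ROLE_LIMIT;
}

// Constructed sample rows (not real data).
const sampleRows: OrganizationRoleRow[] = [
  { name: "owner", obligations: { compliance: false } }, // explicit override: wins
  { name: "admin", obligations: {} },                    // no key: default wins
  { name: "security-lead", obligations: { compliance: true } }, // a real custom role
];
function rowFor(name: string): OrganizationRoleRow | undefined {
  return sampleRows.find((r) => r.name === name);
}
```

With the sample rows, `resolveEffectiveObligations("owner", rowFor("owner"))` yields `compliance: false` because the override is explicit, while the admin row's empty JSON falls through to the default, and `countCustomRoles(sampleRows)` is 1 because the two override rows are ignored.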
Track obligations in the resync effect so the toggle reflects updates when the parent re-fetches (e.g., after router.refresh or a parallel tab mutating the same role). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…bligations feat(rbac): allow toggling employee compliance on built-in roles
🎉 This PR is included in version 3.62.0 🎉 The release is available on GitHub release. Your semantic-release bot 📦🚀
This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.
Summary by cubic

Let orgs toggle the Employee Compliance obligation on built-in roles (Owner, Admin) via per-org overrides, with a simple toggle in the system role page and consistent enforcement across API, UI, and background jobs.

New Features

- `GET /v1/roles/built-in/:name/obligations` and `PATCH /v1/roles/built-in/:name/obligations` to read/update built-in role obligations; only `owner` and `admin` are editable.
- `PermissionMatrix` supports `obligationsEditable`.
- `listRoles` surfaces effective obligations on built-in roles and hides override rows from custom roles.

Bug Fixes

- `compliance` in the DB override beats the built-in default. Applied across the API resolver, `use-permissions`, compliance member filtering, portal access, and policy digest helpers.
- `@trycompai/auth` (no compliance by default).

Written for commit 8c06afb.