Skip to content

domain.enums.user_role

src.domain.enums.user_role

User roles for RBAC authorization.

This enum defines the role hierarchy for the authorization system. Roles are used with Casbin RBAC to determine user permissions.

Role Hierarchy

admin > user > readonly

  • admin: Full system access (inherits user + management capabilities)
  • user: Standard user (inherits readonly + write capabilities)
  • readonly: Read-only access to own resources
Reference
  • docs/architecture/authorization-architecture.md
Usage

from src.domain.enums import UserRole

Check role

if user.role == UserRole.ADMIN: # Admin-only logic

Assign role via authorization service

await authz.assign_role(user_id, UserRole.USER)

Classes

UserRole

Bases: str, Enum

User roles for RBAC authorization.

Defines the role hierarchy used by Casbin for permission checks. Each role inherits permissions from roles below it in hierarchy.

Hierarchy

ADMIN inherits from USER inherits from READONLY

String Enum

Inherits from str for easy serialization and Casbin compatibility. Values are lowercase to match Casbin policy format.

Permissions by Role

READONLY: - accounts:read - transactions:read - providers:read - sessions:read

USER (+ readonly permissions): - accounts:write - transactions:write - providers:write - sessions:write

ADMIN (+ user permissions): - users:read, users:write - admin:read, admin:write - security:read, security:write

Source code in src/domain/enums/user_role.py 
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
class UserRole(str, Enum):
    """User roles for RBAC authorization.

    Defines the role hierarchy used by Casbin for permission checks.
    Each role inherits permissions from roles below it in hierarchy.

    Hierarchy:
        ADMIN inherits from USER inherits from READONLY

    String Enum:
        Inherits from str for easy serialization and Casbin compatibility.
        Values are lowercase to match Casbin policy format.

    Permissions by Role:
        READONLY:
            - accounts:read
            - transactions:read
            - providers:read
            - sessions:read

        USER (+ readonly permissions):
            - accounts:write
            - transactions:write
            - providers:write
            - sessions:write

        ADMIN (+ user permissions):
            - users:read, users:write
            - admin:read, admin:write
            - security:read, security:write
    """

    ADMIN = "admin"
    """Administrator role with full system access.

    Capabilities:
        - All USER permissions
        - User management (create, deactivate, role assignment)
        - System configuration
        - Security settings (token rotation, etc.)
    """

    USER = "user"
    """Standard user role with read/write access to own resources.

    Capabilities:
        - All READONLY permissions
        - Create/modify own accounts
        - Create/modify own provider connections
        - Manage own sessions
    """

    READONLY = "readonly"
    """Read-only role with view access to own resources.

    Capabilities:
        - View own accounts
        - View own transactions
        - View own provider connections
        - View own sessions

    Use Cases:
        - Shared access (family member viewing)
        - Audit/compliance viewing
        - Temporary restricted access
    """

    @classmethod
    def values(cls) -> list[str]:
        """Get all role values as strings.

        Returns:
            list[str]: List of role values ['admin', 'user', 'readonly'].
        """
        return [role.value for role in cls]

    @classmethod
    def is_valid(cls, value: str) -> bool:
        """Check if a string is a valid role.

        Args:
            value: String to check.

        Returns:
            bool: True if value is a valid role.
        """
        return value in cls.values()
Attributes
ADMIN class-attribute instance-attribute 
ADMIN = 'admin'

Administrator role with full system access.

Capabilities
  • All USER permissions
  • User management (create, deactivate, role assignment)
  • System configuration
  • Security settings (token rotation, etc.)
USER class-attribute instance-attribute 
USER = 'user'

Standard user role with read/write access to own resources.

Capabilities
  • All READONLY permissions
  • Create/modify own accounts
  • Create/modify own provider connections
  • Manage own sessions
READONLY class-attribute instance-attribute 
READONLY = 'readonly'

Read-only role with view access to own resources.

Capabilities
  • View own accounts
  • View own transactions
  • View own provider connections
  • View own sessions
Use Cases
  • Shared access (family member viewing)
  • Audit/compliance viewing
  • Temporary restricted access
Functions
values classmethod 
values() -> list[str]

Get all role values as strings.

Returns:

Type Description
list[str]

list[str]: List of role values ['admin', 'user', 'readonly'].
Source code in src/domain/enums/user_role.py 
 97
 98
 99
100
101
102
103
104
@classmethod
def values(cls) -> list[str]:
    """Get all role values as strings.

    Returns:
        list[str]: List of role values ['admin', 'user', 'readonly'].
    """
    return [role.value for role in cls]
is_valid classmethod 
is_valid(value: str) -> bool

Check if a string is a valid role.

Parameters:

Name Type Description Default
value str

String to check.

 required

Returns:

Name Type Description
bool bool

True if value is a valid role.
Source code in src/domain/enums/user_role.py 
106
107
108
109
110
111
112
113
114
115
116
@classmethod
def is_valid(cls, value: str) -> bool:
    """Check if a string is a valid role.

    Args:
        value: String to check.

    Returns:
        bool: True if value is a valid role.
    """
    return value in cls.values()