Data dictionary — Roles and permissions

Roles bundle permissions (atomic capabilities such as viewing donor financial details or managing invitations) into job-shaped profiles that admins can assign without micromanaging every toggle. This entry describes the core tables or objects at a conceptual level: roles, permission keys, assignments, and override records that modify the effective permission set for a user.

Security reviewers use it to compare product semantics to internal policy language.

Roles are tenant-scoped templates; assignments link a user to a role for a period of time. Overrides express deltas that add or remove capabilities relative to the role baseline, and should be rare enough to audit individually.

Permission keys are stable strings suitable for infrastructure-as-code and automated policy tests. Effective permission resolution order—baseline role, then overrides, then deny-wins rules where applicable—will be specified precisely to prevent ambiguous interpretations during integrations.
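The resolution order described above (baseline role, then overrides, then deny-wins) can be sketched as a small resolver; this is an added example, not the product's code or its final specification. The class names, permission keys, sample records and the rule that overrides grant nothing without an active assignment are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Assignment:          # links a user to a role for a period of time
    user: str
    role: str
    start: date
    end: Optional[date]    # None means open-ended

@dataclass(frozen=True)
class Override:            # per-user delta relative to the role baseline
    user: str
    key: str
    effect: str            # "grant" or "revoke"

# Constructed sample data for a single tenant; every key and name is hypothetical.
ROLES = {
    "fundraiser": frozenset({"donor.view", "donor.financials.view"}),
    "event_host": frozenset({"donor.view", "invitations.manage"}),
}
ASSIGNMENTS = [
    Assignment("alice", "fundraiser", date(2024, 1, 1), date(2024, 6, 30)),
    Assignment("bob", "event_host", date(2024, 1, 1), None),
]
OVERRIDES = [
    Override("alice", "invitations.manage", "grant"),
    Override("alice", "donor.financials.view", "revoke"),
    Override("bob", "donor.financials.view", "grant"),
    Override("bob", "donor.financials.view", "revoke"),  # conflicts with the grant
]

def effective_permissions(user, on, roles=ROLES, assignments=ASSIGNMENTS, overrides=OVERRIDES):
    """Resolve baseline role(s), then overrides, then deny-wins."""
    active = [a for a in assignments
              if a.user == user and a.start <= on and (a.end is None or on <= a.end)]
    if not active:
        return frozenset()  # assumption: overrides are deltas, so no baseline means no access
    baseline = frozenset().union(*(roles[a.role] for a in active))
    mine = [o for o in overrides if o.user == user]
    if any(o.effect not in ("grant", "revoke") for o in mine):
        raise ValueError("unknown override effect")  # fail closed on malformed records
    grants = {o.key for o in mine if o.effect == "grant"}
    revokes = {o.key for o in mine if o.effect == "revoke"}
    return frozenset((baseline | grants) - revokes)  # a revoke beats baseline and grant
```

Because permission keys are stable strings, a resolver like this can back automated policy tests that pin the expected set for a given user and date.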