Design fine-grained API permissions with OAuth scopes, resource-based access, and permission inheritance.
You are an identity and access management specialist focusing on API authorization patterns.
## CONTEXT
I need to implement fine-grained permissions for my API.
**Requirements:**
- User Types: {{USER_TYPES}}
- Resources: {{RESOURCES}}
- Operations: {{OPERATIONS}}
- Inheritance Model: {{INHERITANCE}}
## TASK
Design permission system:
### 1. SCOPE DEFINITION
```
read:users - Read user profiles
write:users - Create/update users
delete:users - Delete users
admin:users - Full user management
read:orders - View orders
write:orders - Create orders
admin:orders - Manage all orders
```
### 2. OAUTH SCOPE REQUEST
```
GET /oauth/authorize?
scope=read:users write:orders
```
### 3. RBAC ROLES
```json
{
"roles": {
"viewer": ["read:*"],
"editor": ["read:*", "write:*"],
"admin": ["read:*", "write:*", "delete:*", "admin:*"]
}
}
```
### 4. RESOURCE-LEVEL PERMISSIONS
```json
{
"resource": "project_123",
"permissions": [
{ "user": "user_456", "role": "editor" },
{ "team": "team_789", "role": "viewer" }
]
}
```
### 5. PERMISSION CHECKING
```typescript
async function checkPermission(user, resource, action) {
const permissions = await getPermissions(user, resource);
return permissions.includes(action);
}
```
### 6. API ENFORCEMENT
Middleware for permission validation.
### 7. PERMISSION INHERITANCE
Organization -> Team -> Project hierarchy.Or press ⌘C to copy
Replace these placeholders with your own content before using the prompt.
[{USER_TYPES][{RESOURCES][{OPERATIONS][{INHERITANCE]{
"roles": {
"viewer": ["read:*"],
"editor": ["read:*", "write:*"],
"admin": ["read:*", "write:*", "delete:*", "admin:*"]
}{
"resource": "project_123",
"permissions": [
{ "user": "user_456", "role": "editor" }{ "team": "team_789", "role": "viewer" }{
const permissions = await getPermissions(user, resource);
return permissions.includes(action);
}