Implement enterprise-grade role-based access control for Gamma integrations with hierarchical roles, multi-tenant isolation, and audit logging.
Create a role hierarchy (Viewer < Editor < Team Lead < Workspace Admin < Org Admin) with permission inheritance.
Build a service that resolves inherited permissions by walking the role hierarchy and caching the computed permission sets.
Wrap API routes with middleware that checks required permissions against the user's resolved role.
Implement resource-specific policies (e.g., owner can edit own, team lead can edit team presentations).
Add tenant middleware that verifies workspace membership before allowing any workspace-scoped operations.
Log all authorization decisions (granted and denied) with metrics for denied access alerts.
See detailed implementation for advanced patterns.
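The steps above, worked through as an added Python sketch (not Gamma's code or part of the original page): the role order and direct grants follow the permission matrix below, resolution walks the hierarchy once per role and is memoised, `authorize` checks workspace membership before anything else, applies the owner/team-lead resource policy, and records every decision for the audit log and a denied-access metric. Permission identifiers, the `Membership`/`Presentation` shapes and the rule that an owner needs `presentations:create` to edit their own deck are assumptions made for this example.

```python
from dataclasses import dataclass
from functools import lru_cache
# Role hierarchy from the page, lowest to highest; each role inherits everything below it.
ROLE_ORDER = ["viewer", "editor", "team_lead", "workspace_admin", "org_admin"]
# Permission granted directly at each level, per the matrix (identifiers are constructed here).
DIRECT_PERMISSIONS = {"viewer": {"presentations:view"}, "editor": {"presentations:create"},
                      "team_lead": {"presentations:edit_team"},
                      "workspace_admin": {"workspace:manage"}, "org_admin": {"billing:manage"}}
@lru_cache(maxsize=None)
def resolve_permissions(role: str) -> frozenset:
    """Union the grants of `role` and every role below it; cached. Unknown role -> ValueError."""
    rank = ROLE_ORDER.index(role)  # raises for unknown roles, so the check fails closed
    return frozenset().union(*(DIRECT_PERMISSIONS[r] for r in ROLE_ORDER[: rank + 1]))
@dataclass
class Membership:  # one record per (user, workspace): the tenant boundary
    user_id: str
    workspace_id: str
    role: str
    team_id: str = ""

@dataclass
class Presentation:
    workspace_id: str
    owner_id: str
    team_id: str

AUDIT_LOG: list = []  # every decision, granted or denied

def denied_count() -> int:  # the metric a denied-access alert would be built on
    return sum(not entry["granted"] for entry in AUDIT_LOG)

def _record(user_id, workspace_id, permission, granted, reason):
    AUDIT_LOG.append({"user": user_id, "workspace": workspace_id,
                      "permission": permission, "granted": granted, "reason": reason})
    return granted

def authorize(user_id, memberships, workspace_id, permission, resource=None):
    """Tenant membership first, then resolved role permission, then resource policy."""
    m = next((x for x in memberships if x.user_id == user_id and x.workspace_id == workspace_id), None)
    if m is None:
        return _record(user_id, workspace_id, permission, False, "not a workspace member")
    if resource is not None and resource.workspace_id != workspace_id:
        return _record(user_id, workspace_id, permission, False, "resource outside tenant")
    perms = resolve_permissions(m.role)
    if permission == "presentations:edit" and resource is not None:  # resource-specific policy
        if resource.owner_id == user_id and "presentations:create" in perms:
            return _record(user_id, workspace_id, permission, True, "owner edits own")
        if "presentations:edit_team" in perms and resource.team_id == m.team_id:
            return _record(user_id, workspace_id, permission, True, "team lead edits team presentation")
        return _record(user_id, workspace_id, permission, "workspace:manage" in perms, "admin override")
    return _record(user_id, workspace_id, permission, permission in perms, "role permission check")
```

In a real service `AUDIT_LOG` and `denied_count` would be a structured log sink and a counter exported to the metrics system, and the membership lookup would hit the database rather than an in-memory list.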

| Issue | Cause | Solution |
|---|---|---|
| Permission denied | Insufficient role | Verify role assignment in database |
| Orphaned memberships | User deleted | Clean up with cascading deletes |
| Privilege escalation | Missing inheritance check | Validate role hierarchy on assignment |

| Permission | Viewer | Editor | Team Lead | Workspace Admin | Org Admin |
|---|---|---|---|---|---|
| View presentations | Yes | Yes | Yes | Yes | Yes |
| Create presentations | No | Yes | Yes | Yes | Yes |
| Edit team presentations | No | No | Yes | Yes | Yes |
| Manage workspace | No | No | No | Yes | Yes |
| Manage billing | No | No | No | No | Yes |