🚀 RBAC: Add `defaultPermissions` support to RBAC CSV configuration

[spencer-steed]

Workspace

rbac

🔖 Feature description

Add support for a defaultPermissions section in the RBAC CSV configuration that automatically applies foundational permissions to any authenticated user without requiring individual role assignments.

🎤 Context

The RBAC plugin currently requires explicit role assignment for every user or group to receive permissions. For large organizations, this creates a significant administrative burden when you want to provide baseline permissions to all authenticated users.

Currently, to provide baseline permissions to all users in a Backstage instance, you must:

1. Create a group containing all users, or
2. Use the admin users configuration (which grants unlimited access), or
3. Manually assign every individual user to a role

For organizations with large user bases, none of these approaches are scalable or maintainable:

• Group-based approach: Requires maintaining group membership for every user
• Admin Users: Provides unlimited access, which is too permissive for baseline permissions
• Individual assignment: Not feasible for large user counts

Use Case Example: All authenticated users should be able to:

• Read catalog entities (components, systems, APIs)
• View software templates
• Browse the scaffolder template catalog
• Browse Techdocs Documentation

But NOT be able to:

• Execute scaffolder actions (create new projects)
• Modify catalog entities (delete mainly)
• Manage RBAC policies

Current Implementation Required:

# Must create a role for basic permissions
p, role:default/authenticated_users, catalog-entity, read, allow
p, role:default/authenticated_users, scaffolder.template.parameter.read, read, allow

# Must assign ALL users to this role (many assignments for large orgs)
g, user:default/alice, role:default/authenticated_users
g, user:default/bob, role:default/authenticated_users
g, user:default/charlie, role:default/authenticated_users
# ... potentially hundreds or thousands more lines

✌️ Possible Implementation

The defaultPermissions feature can be implemented by extending the existing CSV parser and permission policy evaluation logic in the RBAC backend.

Key Implementation Points:

1. CSV Parser Enhancement - Modify the CSVFileWatcher class in csv-file-watcher.ts to recognize and handle defaultPermissions entries:

   • Extend the parse() method to detect lines starting with defaultPermissions
   • Store default permissions separately from role-based permissions during CSV processing

2. Permission Policy Integration - Enhance the RBACPermissionPolicy.handle() method in permission-policy.ts:

   • Add default permission evaluation as the final fallback in the permission hierarchy
   • Check default permissions only after user-specific and role-based permissions have been evaluated

3. Enforcer Delegate Enhancement - Extend the EnforcerDelegate class in enforcer-delegate.ts to manage default permissions:

   • Add methods to store and retrieve default permissions separately from Casbin's standard policy storage
   • Implement default permission lookup that doesn't interfere with existing role-based evaluations

Code Changes Required:

// In csv-file-watcher.ts - Add default permissions parsing
async findFileContentDiff() {
  // Existing logic...
  
  // New: Handle defaultPermissions entries
  if (convertedPolicy[0] === 'defaultPermissions') {
    convertedPolicy.splice(0, 1);
    this.csvFilePolicies.addedDefaultPermissions.push(convertedPolicy);
  }
}

// In permission-policy.ts - Add default permission evaluation
async handle(request: PolicyQuery, user?: PolicyQueryUser): Promise<PolicyDecision> {
  // Existing permission checks...
  
  // New: Check default permissions as final fallback
  if (await this.hasDefaultPermission(permissionName, action)) {
    return { result: AuthorizeResult.ALLOW };
  }
  
  return { result: AuthorizeResult.DENY };
}

Configuration Integration:

The implementation should work seamlessly with existing CSV configuration:

Permission Evaluation Order:

1. Admin Users check (existing)
2. Explicit user policies (existing)
3. Group/role policies (existing)
4. Default permissions (new) ← Lowest priority fallback
5. Deny by default (existing)

This approach maintains full backward compatibility while providing the scalable default permissions capability needed for large organizations.

👀 Have you spent some time to check if this feature request has been raised before?

• I checked and didn't find similar issue

🏢 Have you read the Code of Conduct?

• I have read the Code of Conduct

Are you willing to submit PR?

Yes I am willing to submit a PR!

[04kash]

cc: @PatAKnight @AndrienkoAleksandr