ld-permissions

Permissions & Authorization Guide

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "ld-permissions" with this command: npx skills add lightdash/lightdash/lightdash-lightdash-ld-permissions

Permissions & Authorization Guide

This skill helps you work with Lightdash's CASL-based permissions system, including scopes, custom roles, and authorization enforcement.

What do you need help with?

  • Add a new scope/permission - Step-by-step guide to add a new permission

  • Debug a permission issue - Troubleshoot why a user can't access something

  • Understand the permission flow - Learn how permissions work end-to-end

  • Work with custom roles - Create or modify custom roles with specific scopes

Quick Reference

Key Files

Purpose Location

Scope definitions packages/common/src/authorization/scopes.ts

CASL types packages/common/src/authorization/types.ts

Ability builder packages/common/src/authorization/index.ts

System role abilities packages/common/src/authorization/projectMemberAbility.ts

Role-to-scope mapping packages/common/src/authorization/roleToScopeMapping.ts

Scope-to-CASL conversion packages/common/src/authorization/scopeAbilityBuilder.ts

Common Patterns

Backend permission check:

import { subject } from '@casl/ability'; import { ForbiddenError } from '@lightdash/common';

if (user.ability.cannot('manage', subject('Dashboard', { projectUuid }))) { throw new ForbiddenError('You do not have permission'); }

Frontend permission check:

const { user } = useUser();

if (user?.ability.can('manage', 'Dashboard')) { return <EditButton />; }

or wrap in a CASL component:

import { Can } from '../../providers/Ability';

<Can I="manage" a="Dashboard"> <EditButton /> </Can>

Full Documentation

For comprehensive documentation, read: .context/PERMISSIONS.md

This includes:

  • Architecture diagram showing the complete permission flow

  • All scope groups and modifiers (@self, @public, @space, etc.)

  • Database schema for custom roles

  • Step-by-step guide to add new scopes

  • Troubleshooting guide

Adding a New Scope (Quick Guide)

  • Define scope in packages/common/src/authorization/scopes.ts :

{ name: 'manage:NewFeature', description: 'Description for custom role UI', isEnterprise: false, group: ScopeGroup.PROJECT_MANAGEMENT, getConditions: (context) => [addUuidCondition(context)], }

Add subject (if new) in packages/common/src/authorization/types.ts

Add to system role in packages/common/src/authorization/roleToScopeMapping.ts

Update ability builder in packages/common/src/authorization/projectMemberAbility.ts

Enforce in service with user.ability.cannot() check

Add frontend check with user?.ability.can()

Debugging Permission Issues

When a user gets "ForbiddenError":

  • Check scope exists - Is the scope defined in scopes.ts ?

  • Check role assignment - Does the user's role include this scope?

  • Check conditions - Do the CASL conditions match the resource?

  • Check enterprise flag - Is isEnterprise: true but deployment isn't enterprise?

  • Check subject name - Case-sensitive match in CaslSubjectNames ?

Use grep to find where the permission is checked:

grep -r "ability.cannot.'manage'.'YourSubject'" packages/backend/src/services/

Please describe what you're trying to accomplish, or ask me to explain any aspect of the permissions system.

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

General

frontend-style-guide

No summary provided by upstream source.

Repository SourceNeeds Review
-50
lightdash
General

investigate-pylon

No summary provided by upstream source.

Repository SourceNeeds Review
-18
lightdash
General

debug-local

No summary provided by upstream source.

Repository SourceNeeds Review
-16
lightdash