Authorization
Organization-Level Roles
| Level | Description |
|---|---|
| Organization Owner | Full org control, billing, ownership transfer |
| Organization Global Admin | Manage all products, members, settings |
| Organization Admin | Manage members, settings |
| Organization Member | Access resources, view data |
Org OWNER, GLOBAL_ADMIN, and ADMIN automatically bypass per-product role checks.
Per-Product Roles
Each user can be assigned a product-specific role via `core.org_product_roles`. Roles follow a hierarchy: higher roles inherit all permissions of lower roles.
Role Hierarchies
| Product | Roles (low to high) |
|---|---|
| Alerting | SUBSCRIBER < RESPONDER < MANAGER < ADMIN |
| Statuspages | VIEWER < MEMBER < ADMIN |
| Synthetics | VIEWER < MEMBER < ADMIN |
| Insights | VIEWER < MEMBER < ADMIN |
How It Works
- `OrgProductAccessGuard` checks `core.org_product_roles` for the requesting user
- `@ProductAccess('alerting', 'manager')` requires the user to have MANAGER or higher for alerting
- If the user is an org OWNER, GLOBAL_ADMIN, or ADMIN, the product role check is bypassed entirely
- Users without any product role are denied access to product-scoped endpoints
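The rule set above, written out as a plain function. This is an added example, not the project's guard code: `PRODUCT_ROLES`, `BYPASS_ROLES`, `AccessRequest` and `hasProductAccess` are names assumed here, and the ladders are taken from the Role Hierarchies table.

```typescript
// Added example (not the project's code): a hierarchy-aware product role
// check of the kind OrgProductAccessGuard is described as performing.
// PRODUCT_ROLES, BYPASS_ROLES, AccessRequest and hasProductAccess are assumed names.

type OrgRole = 'OWNER' | 'GLOBAL_ADMIN' | 'ADMIN' | 'MEMBER';

// Per-product ladders, lowest to highest, from the Role Hierarchies table.
const PRODUCT_ROLES: Record<string, readonly string[]> = {
  alerting: ['SUBSCRIBER', 'RESPONDER', 'MANAGER', 'ADMIN'],
  statuspages: ['VIEWER', 'MEMBER', 'ADMIN'],
  synthetics: ['VIEWER', 'MEMBER', 'ADMIN'],
  insights: ['VIEWER', 'MEMBER', 'ADMIN'],
};

// Org-level roles that skip the per-product check entirely.
const BYPASS_ROLES: ReadonlySet<OrgRole> = new Set<OrgRole>(['OWNER', 'GLOBAL_ADMIN', 'ADMIN']);

export interface AccessRequest {
  orgRole: OrgRole;       // the user's organization-level role
  product: string;        // first argument of @ProductAccess(...)
  required: string;       // second argument of @ProductAccess(...)
  productRole?: string;   // the user's row in core.org_product_roles, if any
}

// Returns true when the request should pass the guard.
export function hasProductAccess(req: AccessRequest): boolean {
  if (BYPASS_ROLES.has(req.orgRole)) return true;

  const ladder = PRODUCT_ROLES[req.product.toLowerCase()];
  if (ladder === undefined) return false;           // unknown product: fail closed
  if (req.productRole === undefined) return false;  // no product role at all: deny

  const have = ladder.indexOf(req.productRole.toUpperCase());
  const need = ladder.indexOf(req.required.toUpperCase());
  if (have < 0 || need < 0) return false;           // unrecognised role name: fail closed
  return have >= need;                              // higher roles inherit lower ones
}
```

Every unknown value (product, stored role, required role) is treated as a denial rather than a pass, so a typo in a decorator argument cannot silently widen access.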
Guards
OrgAccessGuard
Validates that the user is a member of the organization specified by :orgId in the route. Attaches request.organization for downstream use.
OrgRolesGuard
Validates the user's organization-level role against the required roles:
```typescript
@OrgRoles('admin', 'owner')
@UseGuards(JwtAuthGuard, OrgRolesGuard)
@Controller('organizations/:orgId/settings')
export class OrgSettingsController { ... }
```
OrgProductAccessGuard
Validates per-product role with hierarchy checks:
```typescript
@ProductAccess('alerting', 'manager')
@UseGuards(JwtAuthGuard, OrgAccessGuard, OrgProductAccessGuard)
@Controller('organizations/:orgId/alerts')
export class AlertsController { ... }
```
PlatformAdminGuard
Restricts to users in the Cognito PlatformAdmins group:
```typescript
@PlatformAdmin()
@UseGuards(JwtAuthGuard, PlatformAdminGuard)
export class AdminController { ... }
```
ScimAuthGuard
Validates SCIM 2.0 bearer tokens for provisioning endpoints:
- Incoming token is SHA-256 hashed and looked up in `core.scim_tokens`
- Checks `revokedAt` to ensure the token hasn't been revoked
- Each token is scoped to a specific organization
- Used only on SCIM 2.0 endpoints (`/scim/v2/*`)
Product Access (Subscription Gating)
Beyond role checks, ProductAccessService verifies that the organization has an active or trial subscription for the product:
- `OrgProductSubscription` entity in `core.org_product_subscriptions` tracks per-product plans
- Frontend calls `checkProductAccess()`, which returns whether the org has the product and whether the user has a role
- Users without a product subscription see an upgrade page; users without a role see a "contact admin" page
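How subscription gating and the role check combine, as an added example that is not the project's `ProductAccessService`. The entity shapes, the sample rows, the `next` field and the precedence (subscription checked before role) are assumptions; the two outcomes it distinguishes are the upgrade page and the "contact admin" page named above.

```typescript
// Added example (not the project's code): subscription gating combined with
// role presence, in the shape the checkProductAccess() result is described as
// having. Entity shapes, sample rows, the `next` field and the precedence are assumed.

type OrgRole = 'OWNER' | 'GLOBAL_ADMIN' | 'ADMIN' | 'MEMBER';
type SubscriptionStatus = 'active' | 'trial' | 'expired' | 'cancelled';

interface OrgProductSubscription { orgId: string; product: string; status: SubscriptionStatus; }
interface OrgProductRole { orgId: string; userId: string; product: string; role: string; }

export interface ProductAccessResult {
  hasProduct: boolean;  // org holds an active or trial subscription for the product
  hasRole: boolean;     // user has a product role, or an org role that bypasses the check
  next: 'allow' | 'upgrade' | 'contact_admin';  // which page the frontend should show
}

// Constructed sample rows standing in for core.org_product_subscriptions
// and core.org_product_roles.
const SUBSCRIPTIONS: OrgProductSubscription[] = [
  { orgId: 'org-1', product: 'alerting', status: 'active' },
  { orgId: 'org-2', product: 'statuspages', status: 'trial' },
  { orgId: 'org-3', product: 'alerting', status: 'expired' },
];
const PRODUCT_ROLES: OrgProductRole[] = [
  { orgId: 'org-1', userId: 'u1', product: 'alerting', role: 'RESPONDER' },
];

const BYPASS_ROLES: ReadonlySet<OrgRole> = new Set<OrgRole>(['OWNER', 'GLOBAL_ADMIN', 'ADMIN']);

export function checkProductAccess(
  orgId: string,
  userId: string,
  orgRole: OrgRole,
  product: string,
): ProductAccessResult {
  const sub = SUBSCRIPTIONS.find((s) => s.orgId === orgId && s.product === product);
  const hasProduct = sub !== undefined && (sub.status === 'active' || sub.status === 'trial');

  const roleRow = PRODUCT_ROLES.find(
    (r) => r.orgId === orgId && r.userId === userId && r.product === product,
  );
  const hasRole = BYPASS_ROLES.has(orgRole) || roleRow !== undefined;

  // Assumed precedence: the plan is checked first, so without a subscription
  // even an org OWNER is sent to the upgrade page rather than the product.
  const next: ProductAccessResult['next'] = !hasProduct ? 'upgrade' : !hasRole ? 'contact_admin' : 'allow';
  return { hasProduct, hasRole, next };
}
```

The org-role bypass only affects `hasRole`; it never substitutes for a subscription, which keeps billing state and authorization state as two independent gates.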
Decorators
| Decorator | Purpose |
|---|---|
| `@Public()` | Skip JWT validation entirely |
| `@OrgRoles('admin', 'owner')` | Require specific org roles |
| `@ProductAccess('alerting', 'manager')` | Require product-specific role |
| `@PlatformAdmin()` | Require Cognito PlatformAdmins group |
| `@CurrentUser()` or `@User()` | Get authenticated user from request |
| `@CurrentOrg()` | Get validated organization (set by `OrgAccessGuard`) |