Permission Matrix

Complete reference of which permissions are required by each auth.* function. Use this to understand what permissions your users, groups, or API keys need in order to call a given function.

All permissions listed here are checked via auth.has_permission (or auth.has_permissions) with full tenant isolation — the _tenant_id parameter determines which tenant's permission assignments are evaluated.

System user and tenant owners

User ID 1 (system user) and tenant owners bypass all permission checks automatically. They can call any function regardless of assigned permissions.

Cross-tenant data access

Search and get functions that return tenant-scoped data support cross-tenant queries via the _target_tenant_id parameter. When called from the admin tenant (_tenant_id = 1), these functions check the read_all_* permission variant. When called from any other tenant, the regular permission is checked and only own-tenant data is returned. See Multi-Tenant Data Access for details.


How to Read This Matrix

  • Permission required — the _perm_code value passed to has_permission. Your user must hold this permission (directly or via a group/permission set) in the target tenant.
  • Conditional — the permission is only checked when the caller is acting on behalf of another user (not themselves). Self-service operations skip the check.
  • Delegates — the function calls another function that performs the actual permission check.
  • Cross-tenant — the function supports _target_tenant_id for admin-console cross-tenant queries. When called from _tenant_id = 1, checks the read_all_* variant; otherwise checks the regular permission and filters to own tenant.
  • None — intentionally unchecked; see Unchecked Functions for rationale.
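As an added illustration of the cross-tenant rule described above (example code, not the project's own), a hypothetical plpgsql search function that branches on `_tenant_id = 1`. It assumes `auth.has_permission(_user_id, _perm_code, _tenant_id)` returns boolean and that a table `auth.user_group` with `tenant_id` and `name` columns exists; both are assumptions, as is the function name.

```sql
-- Hypothetical example, not code from the project. Assumed: auth.has_permission(_user_id, _perm_code, _tenant_id)
-- returns boolean, and auth.user_group(tenant_id int, name text) exists.
CREATE OR REPLACE FUNCTION auth.search_user_groups_example(
    _user_id          bigint,
    _tenant_id        int,
    _target_tenant_id int  DEFAULT NULL,   -- only honoured for the admin tenant
    _search           text DEFAULT NULL
) RETURNS TABLE (tenant_id int, name text)
LANGUAGE plpgsql SECURITY DEFINER AS $$
DECLARE
    v_effective_tenant int;
BEGIN
    IF _tenant_id = 1 THEN
        -- Admin tenant: the read_all_* variant is required, evaluated against the
        -- caller's own (admin) tenant assignments, and _target_tenant_id picks the data scope.
        IF NOT auth.has_permission(_user_id, 'groups.get_all_groups', _tenant_id) THEN
            RAISE EXCEPTION 'groups.get_all_groups required for cross-tenant search'
                USING ERRCODE = 'insufficient_privilege';
        END IF;
        v_effective_tenant := COALESCE(_target_tenant_id, _tenant_id);
    ELSE
        -- Any other tenant: the regular permission is checked in the caller's tenant and
        -- _target_tenant_id is ignored, so only own-tenant rows can ever be returned.
        IF NOT auth.has_permission(_user_id, 'groups.get_group', _tenant_id) THEN
            RAISE EXCEPTION 'groups.get_group required in tenant %', _tenant_id
                USING ERRCODE = 'insufficient_privilege';
        END IF;
        v_effective_tenant := _tenant_id;
    END IF;

    -- Tenant filter is applied unconditionally; the branch above only decides which tenant it is.
    RETURN QUERY
    SELECT g.tenant_id, g.name
    FROM   auth.user_group g
    WHERE  g.tenant_id = v_effective_tenant
      AND  (_search IS NULL OR g.name ILIKE '%' || _search || '%');
END;
$$;
```

A non-admin caller passing someone else's `_target_tenant_id` therefore still gets only its own tenant's rows, which is the isolation property the matrix's Cross-tenant entries rely on.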

User Management

Source: 020_functions_auth_user.sql

| Function | Permission Required | Notes |
|---|---|---|
| auth.register_user | users.register_user | |
| auth.enable_user | users.enable_user | |
| auth.disable_user | users.disable_user | |
| auth.lock_user | users.lock_user | |
| auth.unlock_user | users.unlock_user | |
| auth.verify_user_identity | users.verify_user_identity | |
| auth.enable_user_identity | users.enable_user_identity | |
| auth.disable_user_identity | users.disable_user_identity | |
| auth.create_service_user_info | users.create_service_user | |
| auth.update_user_password | users.change_password | Conditional — only when changing another user's password |
| auth.delete_user_info | users.delete_user_info | |
| auth.assign_user_default_groups | users.add_to_default_groups | |
| auth.get_user_identity | users.get_user_identity | |
| auth.get_user_identity_by_email | users.get_user_identity | |
| auth.get_user_by_email_for_authentication | authentication.get_data | |
| auth.get_user_data | users.get_data | Conditional — skipped when querying own data |
| auth.update_user_preferences | users.update_user_data | Conditional — skipped when updating own preferences |
| auth.get_user_preferences | users.get_data | Conditional — skipped when querying own preferences |
| auth.search_users | users.read_users / users.read_all_users | Cross-tenant |
| auth.create_blacklist_user | users.manage_blacklist | Prevents blacklisting system users |
| auth.delete_blacklist_user | users.manage_blacklist | |
| auth.search_blacklist | users.search_blacklist | Blacklist is app-wide (no tenant scoping) |
| auth.get_user_by_id | None | |
| auth.ensure_user_info | None | Provider login flow |
| auth.ensure_user_from_provider | None | Provider login flow |
| auth.update_user_data | None | |
| auth.get_user_by_provider_oid | None | Provider login flow |
| auth.is_blacklisted | None | Read-only check |

Group Management

Source: 021_functions_auth_group.sql

| Function | Permission Required | Notes |
|---|---|---|
| auth.create_user_group | groups.create_group | |
| auth.update_user_group | groups.update_group | |
| auth.enable_user_group | groups.update_group | |
| auth.disable_user_group | groups.update_group | |
| auth.lock_user_group | groups.lock_group | |
| auth.unlock_user_group | groups.update_group | |
| auth.delete_user_group | groups.delete_group | |
| auth.set_user_group_as_hybrid | groups.update_group | |
| auth.set_user_group_as_external | groups.update_group | |
| auth.set_user_group_as_internal | groups.update_group | |
| auth.get_user_group_by_id | groups.get_group | |
| auth.get_user_group_members | groups.get_members | |
| auth.create_user_group_member | groups.update_group | |
| auth.delete_user_group_member | groups.update_group | |
| auth.search_user_groups | groups.get_group / groups.get_all_groups | Cross-tenant |
| auth.get_user_group_mappings | groups.get_mapping / groups.get_all_mappings | Cross-tenant |
| auth.search_user_group_mappings | groups.get_mapping / groups.get_all_mappings | Cross-tenant; search by provider, mapped_object_id, role |
| auth.create_user_group_mapping | groups.create_mapping | |
| auth.delete_user_group_mapping | groups.delete_mapping | |
| auth.create_external_user_group | groups.create_mapping | |
| auth.get_user_assigned_groups | users.read_user_group_memberships / users.read_all_user_group_memberships | Cross-tenant; conditional (self-query skips check) |
| auth.get_user_groups_to_sync | groups.get_groups | |
| auth.ensure_user_groups | groups.create_group | Also checks groups.delete_group when removing groups |
| auth.ensure_user_group_mappings | groups.create_mapping | Also checks groups.delete_mapping when removing mappings |
| auth.is_group_member | None | Read-only utility |
| auth.can_manage_user_group | None | Role-checking utility |
| auth.process_external_group_member_sync | None | Internal sync |
| auth.process_external_group_member_sync_by_mapping | None | Internal sync |

Permissions & Authorization

Source: 022_functions_auth_permission.sql

| Function | Permission Required | Notes |
|---|---|---|
| auth.create_permission | permissions.add_permission | |
| auth.set_permission_as_assignable | permissions.update_permission | |
| auth.assign_permission | permissions.assign_permission | |
| auth.unassign_permission | permissions.unassign_permission | |
| auth.get_all_permissions | permissions.get_perm_sets | |
| auth.get_perm_sets | permissions.get_perm_sets / permissions.get_all_perm_sets | Cross-tenant |
| auth.create_perm_set | permissions.create_permission_set | |
| auth.update_perm_set | permissions.update_permission_set | |
| auth.create_perm_set_permissions | permissions.update_permission_set | |
| auth.delete_perm_set_permissions | permissions.update_permission_set | |
| auth.get_user_permissions | users.get_permissions / users.get_all_permissions | Cross-tenant |
| auth.get_user_assigned_permissions | users.get_permissions | |
| auth.get_effective_group_permissions | groups.get_permissions | |
| auth.get_assigned_group_permissions | groups.get_permissions | |
| auth.ensure_groups_and_permissions | authentication.ensure_permissions | |
| auth.get_users_groups_and_permissions | authentication.get_users_groups_and_permissions | |
| auth.search_permissions | permissions.read_permissions | |
| auth.search_perm_sets | permissions.read_perm_sets / permissions.read_all_perm_sets | Cross-tenant |
| auth.ensure_permissions | permissions.add_permission | Also checks permissions.delete_permission when removing |
| auth.ensure_perm_sets | permissions.create_permission_set | Also checks permissions.delete_permission_set when removing |
| auth.has_permission | None | Core check function |
| auth.has_permissions | None | Core check function |
| auth.throw_no_access | None | Utility |
| auth.seed_permission_data | None | Bootstrap function |

Tenant Management

Source: 023_functions_auth_tenant.sql

| Function | Permission Required | Notes |
|---|---|---|
| auth.create_tenant | tenants.create_tenant | |
| auth.update_tenant | tenants.update_tenant | |
| auth.delete_tenant | tenants.delete_tenant | |
| auth.delete_tenant_by_uuid | tenants.delete_tenant | |
| auth.get_tenants | tenants.get_tenants / tenants.get_all_tenants | Cross-tenant |
| auth.get_tenant_users | tenants.get_users / tenants.get_all_users | Cross-tenant |
| auth.get_tenant_groups | tenants.get_groups / tenants.get_all_groups | Cross-tenant |
| auth.get_tenant_members | tenants.get_tenants / tenants.get_all_tenants | Cross-tenant |
| auth.search_tenants | tenants.read_tenants / tenants.read_all_tenants | Cross-tenant |
| auth.get_user_available_tenants | users.get_available_tenants | Conditional — skipped for own data |
| auth.create_user_tenant_preferences | users.create_user_tenant_preferences | Conditional |
| auth.update_user_tenant_preferences | users.update_user_tenant_preferences | Conditional |
| auth.get_user_last_selected_tenant | users.get_data | Conditional |
| auth.update_user_last_selected_tenant | users.update_last_selected_tenant | Conditional |
| auth.get_tenant_by_id | None | |
| auth.get_all_tenants | None | |

Identity Providers

Source: 024_functions_auth_provider.sql

| Function | Permission Required | Notes |
|---|---|---|
| auth.create_provider | providers.create_provider | |
| auth.update_provider | providers.update_provider | |
| auth.delete_provider | providers.delete_provider | |
| auth.enable_provider | providers.update_provider | |
| auth.disable_provider | providers.update_provider | |
| auth.get_providers | providers | |
| auth.get_provider_users | manage_provider.get_users | |
| auth.ensure_provider | Delegates | Calls auth.create_provider internally |
| auth.validate_provider_is_active | None | Validation helper |
| auth.validate_provider_allows_group_mapping | None | Validation helper |
| auth.validate_provider_allows_group_sync | None | Validation helper |

Tokens

Source: 025_functions_auth_token.sql

| Function | Permission Required | Notes |
|---|---|---|
| auth.create_token | tokens.create_token | |
| auth.set_token_as_used | tokens.set_as_used | |
| auth.set_token_as_failed | tokens.set_as_used | |
| auth.validate_token | tokens.validate_token | |
| auth.set_token_as_used_by_token | Delegates | Calls auth.set_token_as_used |
| auth.set_token_as_failed_by_token | Delegates | Calls auth.set_token_as_failed |

API Keys

Source: 026_functions_auth_apikey.sql

| Function | Permission Required | Notes |
|---|---|---|
| auth.create_api_key | api_keys.create_api_key | |
| auth.update_api_key | api_keys.update_api_key | |
| auth.delete_api_key | api_keys.delete_api_key | |
| auth.update_api_key_secret | api_keys.update_api_secret | |
| auth.validate_api_key | api_keys.validate_api_key | |
| auth.assign_api_key_permissions | api_keys.update_permissions | |
| auth.unassign_api_key_permissions | api_keys.update_permissions | |
| auth.search_api_keys | api_keys.search / api_keys.search_all | Cross-tenant |
| auth.create_outbound_api_key | api_keys.create_api_key | |
| auth.update_outbound_api_key | api_keys.update_api_key | |
| auth.update_outbound_api_key_secret | api_keys.update_api_secret | |
| auth.delete_outbound_api_key | api_keys.delete_api_key | |
| auth.search_outbound_api_keys | api_keys.search / api_keys.search_all | Cross-tenant |
| auth.get_outbound_api_key | api_keys.search / api_keys.search_all | Cross-tenant |
| auth.get_outbound_api_key_by_id | api_keys.search / api_keys.search_all | Cross-tenant |
| auth.get_outbound_api_key_secret | api_keys.read_outbound_secret / api_keys.search_all | Cross-tenant |
| auth.get_outbound_api_key_secret_by_id | api_keys.read_outbound_secret / api_keys.search_all | Cross-tenant |
| auth.get_api_key_permissions | None | |
| auth.generate_api_key_username | None | Utility |
| auth.generate_api_key | None | Utility |
| auth.generate_api_secret | None | Utility |
| auth.generate_api_secret_hash | None | Utility |

Ownership

Source: 027_functions_auth_owner.sql

| Function | Permission Required | Notes |
|---|---|---|
| auth.create_owner | None | Uses verify_owner_or_permission pattern |
| auth.delete_owner | None | Uses verify_owner_or_permission pattern |
| auth.has_owner | None | Read-only query |
| auth.is_owner | None | Read-only query |

Owner functions

Ownership functions use a different authorization pattern — verify_owner_or_permission — which checks whether the caller is the owner of the entity OR holds a specific permission. This is more flexible than a simple permission check.


Audit & Events

Source: 028_functions_auth_event.sql

| Function | Permission Required | Notes |
|---|---|---|
| auth.search_user_events | authentication.read_user_events / authentication.read_all_user_events | Cross-tenant |
| auth.get_user_audit_trail | authentication.read_user_events / authentication.read_all_user_events | Cross-tenant |
| auth.get_security_events | authentication.read_user_events / authentication.read_all_user_events | Cross-tenant |
| auth.create_user_event | None | Audit logging must always succeed |

Resource Access (ACL)

Source: 035_functions_resource_access.sql

| Function | Permission Required | Notes |
|---|---|---|
| auth.assign_resource_access | resources.grant_access | |
| auth.deny_resource_access | resources.deny_access | |
| auth.revoke_resource_access | resources.revoke_access | |
| auth.revoke_all_resource_access | resources.revoke_access | |
| auth.get_resource_grants | resources.get_grants | |
| auth.get_user_accessible_resources | resources.get_grants | Skipped when querying own resources |
| auth.create_resource_type | resources.create_resource_type | |
| auth.update_resource_type | resources.create_resource_type | |
| auth.ensure_resource_types | resources.create_resource_type | |
| auth.ensure_access_flags | resources.create_resource_type | |
| auth.ensure_resource_type_flags | resources.create_resource_type | |
| auth.has_resource_access | None | Core ACL check function |
| auth.filter_accessible_resources | None | Core ACL check function |
| auth.get_resource_access_flags | None | Read-only query |
| auth.get_resource_access_matrix | None | Read-only query |
| auth.get_resource_types | None | Public metadata |
| auth.get_access_flags | None | Public metadata |

Auto-Lockout

Source: 037_functions_auto_lockout.sql

| Function | Permission Required | Notes |
|---|---|---|
| auth.record_login_failure | authentication.get_data | |
| auth.verify_user_by_email | authentication.get_data | |

Multi-Factor Authentication

Source: 038_functions_mfa.sql, 040_functions_mfa_policy.sql

| Function | Permission Required | Notes |
|---|---|---|
| auth.enroll_mfa | mfa.enroll_mfa | |
| auth.confirm_mfa_enrollment | mfa.confirm_mfa_enrollment | |
| auth.disable_mfa | mfa.disable_mfa | |
| auth.get_mfa_status | mfa.get_mfa_status | |
| auth.create_mfa_challenge | mfa.create_mfa_challenge | |
| auth.verify_mfa_challenge | mfa.verify_mfa_challenge | |
| auth.reset_mfa | mfa.reset_mfa | |
| auth.create_mfa_policy | mfa.mfa_policy.create_mfa_policy | |
| auth.delete_mfa_policy | mfa.mfa_policy.delete_mfa_policy | |
| auth.get_mfa_policies | mfa.mfa_policy.get_mfa_policies | |
| auth.is_mfa_required | mfa.get_mfa_status | |

Invitations

Source: 042_functions_invitation.sql

| Function | Permission Required | Notes |
|---|---|---|
| auth.create_invitation | invitations.create_invitation | |
| auth.accept_invitation | invitations.accept_invitation | |
| auth.reject_invitation | invitations.reject_invitation | |
| auth.revoke_invitation | invitations.revoke_invitation | |
| auth.get_invitations | invitations.get_invitations / invitations.get_all_invitations | Cross-tenant |
| auth.get_invitation_actions | invitations.get_invitations | |
| auth.create_invitation_from_template | invitations.create_invitation | |
| auth.create_invitation_template | invitations.manage_templates | |
| auth.update_invitation_template | invitations.manage_templates | |
| auth.delete_invitation_template | invitations.manage_templates | |

Unchecked Functions

Functions marked None above are intentionally unchecked. They fall into these categories:

Core check functions

has_permission, has_permissions, has_resource_access, filter_accessible_resources — checking permission to check permissions would be circular.

Provider login flow

ensure_user_info, ensure_user_from_provider, get_user_by_provider_oid — called during authentication before permissions are established.

Audit and logging

create_user_event — audit logging must always succeed to maintain the security trail.

Read-only utilities

is_group_member, can_manage_user_group, has_owner, is_owner, is_blacklisted, get_resource_access_flags, get_resource_access_matrix, get_resource_types, get_access_flags — low-level queries or public metadata.

Pure utilities

throw_no_access, generate_api_key*, seed_permission_data — no data access or bootstrap-only functions.

Internal sync operations

process_external_group_member_sync, process_external_group_member_sync_by_mapping — called by the system during provider-based group synchronization.


Permission Tree Summary

All permission codes referenced above, organized hierarchically:

authentication
├── get_data
├── ensure_permissions
├── get_users_groups_and_permissions
├── read_user_events
└── read_all_user_events

users
├── register_user
├── enable_user
├── disable_user
├── lock_user
├── unlock_user
├── verify_user_identity
├── enable_user_identity
├── disable_user_identity
├── create_service_user
├── change_password
├── delete_user_info
├── add_to_default_groups
├── get_user_identity
├── get_data
├── update_user_data
├── read_users
├── read_all_users
├── get_permissions
├── get_available_tenants
├── create_user_tenant_preferences
├── update_user_tenant_preferences
├── update_last_selected_tenant
├── read_user_group_memberships
├── read_all_user_group_memberships
├── manage_blacklist
└── search_blacklist

groups
├── create_group
├── update_group
├── delete_group
├── lock_group
├── get_group
├── get_all_groups
├── get_groups
├── get_members
├── get_permissions
├── create_mapping
├── delete_mapping
├── get_mapping
└── get_all_mappings

permissions
├── add_permission
├── delete_permission
├── update_permission
├── assign_permission
├── unassign_permission
├── get_perm_sets
├── get_all_perm_sets
├── create_permission_set
├── update_permission_set
├── delete_permission_set
├── read_permissions
├── read_perm_sets
└── read_all_perm_sets

tenants
├── create_tenant
├── update_tenant
├── delete_tenant
├── get_tenants
├── get_all_tenants
├── get_users
├── get_all_users
├── get_groups
├── get_all_groups
├── read_tenants
└── read_all_tenants

providers
├── create_provider
├── update_provider
└── delete_provider

manage_provider
└── get_users

tokens
├── create_token
├── set_as_used
└── validate_token

api_keys
├── create_api_key
├── update_api_key
├── delete_api_key
├── update_api_secret
├── validate_api_key
├── update_permissions
├── search
├── search_all
└── read_outbound_secret

resources
├── grant_access
├── deny_access
├── revoke_access
├── get_grants
└── create_resource_type

mfa
├── enroll_mfa
├── confirm_mfa_enrollment
├── disable_mfa
├── get_mfa_status
├── create_mfa_challenge
├── verify_mfa_challenge
├── reset_mfa
└── mfa_policy
    ├── create_mfa_policy
    ├── delete_mfa_policy
    └── get_mfa_policies

invitations
├── create_invitation
├── accept_invitation
├── reject_invitation
├── revoke_invitation
├── get_invitations
├── get_all_invitations
└── manage_templates

This tree is for reference only

The actual permission tree in your database may differ — permissions are created via auth.create_permission or auth.ensure_permissions and can be customized per deployment. This tree shows the permissions referenced by the built-in auth.* functions.