feat: team roles ui pbac

[sean-brydon]

What does this PR do?

This PR adds the UI for sub teams to be able to create custom roles within an organization when PBAC is enabled. Also introduces the concept of "scope" in the permission registry.

Video demo: https://cap.link/63a1m4tm9xw0qff

Mandatory Tasks (DO NOT REMOVE)

• I have self-reviewed the code (A decent size PR without self-review might be rejected).
• I have updated the developer docs in /docs if this PR makes changes that would require a documentation change. If N/A, write N/A here and check the checkbox.
• I confirm automated tests are in place that prove my fix is effective or that my feature works.

How should this be tested?

Enable PBAC on an organization
Create roles on teams + orgs.

Checklist

• I haven't read the contributing guide
• My code doesn't follow the style guidelines of this project
• I haven't commented my code, particularly in hard-to-understand areas
• I haven't checked if my changes generate no new warnings

[coderabbitai]

Walkthrough

This update introduces support for scoped permissions and roles within both organizational and team contexts. A new Scope enum is added to the permissions domain, and permission definitions are annotated with applicable scopes. A utility function enables filtering permissions by scope. The backend role repository is updated to return both team-specific and global system roles for a team. On the frontend, new and existing components for displaying and managing roles are updated to accept and propagate a scope parameter, ensuring only relevant permissions are shown. A new Next.js server page is added for team roles management, enforcing access control and rendering a scoped roles list. Navigation logic is updated to conditionally display roles management for sub-teams with PBAC-enabled parents. Cache revalidation logic is extended to cover dynamic team role pages and related cached data.

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

apps/web/app/(use-page-wrapper)/settings/(settings-layout)/organizations/roles/_components/RoleSheet.tsx

Oops! Something went wrong! :(

ESLint: 8.57.1

ESLint couldn't find the plugin "eslint-plugin-playwright".

(The package "eslint-plugin-playwright" was not found when loaded as a Node module from the directory "".)

It's likely that the plugin isn't installed correctly. Try reinstalling by running the following:

npm install eslint-plugin-playwright@latest --save-dev

The plugin "eslint-plugin-playwright" was referenced from the config file in ".eslintrc.js".

If you still can't figure out the problem, please stop by https://eslint.org/chat/help to chat with the team.

apps/web/app/(use-page-wrapper)/settings/(settings-layout)/organizations/roles/_components/DeleteRoleModal.tsx

Oops! Something went wrong! :(

ESLint: 8.57.1

ESLint couldn't find the plugin "eslint-plugin-playwright".

(The package "eslint-plugin-playwright" was not found when loaded as a Node module from the directory "".)

It's likely that the plugin isn't installed correctly. Try reinstalling by running the following:

npm install eslint-plugin-playwright@latest --save-dev

The plugin "eslint-plugin-playwright" was referenced from the config file in ".eslintrc.js".

If you still can't figure out the problem, please stop by https://eslint.org/chat/help to chat with the team.

apps/web/app/(use-page-wrapper)/settings/(settings-layout)/organizations/roles/actions.ts

Oops! Something went wrong! :(

ESLint: 8.57.1

ESLint couldn't find the plugin "eslint-plugin-playwright".

(The package "eslint-plugin-playwright" was not found when loaded as a Node module from the directory "".)

It's likely that the plugin isn't installed correctly. Try reinstalling by running the following:

npm install eslint-plugin-playwright@latest --save-dev

The plugin "eslint-plugin-playwright" was referenced from the config file in ".eslintrc.js".

If you still can't figure out the problem, please stop by https://eslint.org/chat/help to chat with the team.

• 1 others

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between bd599a0 and 5980f9c.

📒 Files selected for processing (4)

• apps/web/app/(use-page-wrapper)/settings/(settings-layout)/organizations/roles/_components/DeleteRoleModal.tsx (1 hunks)
• apps/web/app/(use-page-wrapper)/settings/(settings-layout)/organizations/roles/_components/RoleSheet.tsx (5 hunks)
• apps/web/app/(use-page-wrapper)/settings/(settings-layout)/organizations/roles/actions.ts (1 hunks)
• apps/web/app/(use-page-wrapper)/settings/(settings-layout)/teams/[id]/roles/page.tsx (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• apps/web/app/(use-page-wrapper)/settings/(settings-layout)/organizations/roles/actions.ts
• apps/web/app/(use-page-wrapper)/settings/(settings-layout)/organizations/roles/_components/RoleSheet.tsx
• apps/web/app/(use-page-wrapper)/settings/(settings-layout)/teams/[id]/roles/page.tsx

🧰 Additional context used

🧬 Code Graph Analysis (1)

apps/web/app/(use-page-wrapper)/settings/(settings-layout)/organizations/roles/_components/DeleteRoleModal.tsx (1)

apps/web/app/(use-page-wrapper)/settings/(settings-layout)/organizations/roles/actions.ts (1)

• revalidateTeamRoles (5-17)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Install dependencies / Yarn install & cache
• GitHub Check: Security Check

🔇 Additional comments (1)

apps/web/app/(use-page-wrapper)/settings/(settings-layout)/organizations/roles/_components/DeleteRoleModal.tsx (1)

31-31: LGTM! Correctly passes teamId for targeted cache invalidation.

The change properly aligns with the updated revalidateTeamRoles function signature that now requires a teamId parameter for targeted cache invalidation. This ensures that after role deletion, the cache is correctly revalidated for the affected team's roles, permissions, members, and features.

✨ Finishing Touches

• 📝 Generate Docstrings

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[graphite-app]

Graphite Automations

"Add consumer team as reviewer" took an action on this PR • (07/17/25)

1 reviewer was added to this PR based on Keith Williams's automation.

"Add ready-for-e2e label" took an action on this PR • (07/18/25)

1 label was added to this PR based on Keith Williams's automation.

[delve-auditor]

✅ No security or compliance issues detected. Reviewed everything up to 5980f9c.

Security Overview

• 🔎 Scanned files: 8 changed file(s)

Detected Code Changes

Change Type	Relevant files
Refactor	► EventManager.ts     Simplify daily video room expiry check ► slots.ts     Optimize slot boundary logic ► organizations-event-types.e2e-spec.ts     Remove redundant test ► input.service.ts     Consolidate managed event type functions
Enhancement	► pbac/domain/types/permission-registry.ts     Add team/org scope filtering for permissions ► RoleRepository.ts     Include system roles in team role lookup
Bug Fix	► workflows/api/scheduleWhatsappReminders.ts     Clean up expired reminders ► workflows/api/scheduleSMSReminders.ts     Update reminder scheduling logic

Reply to this PR with @delve-auditor followed by a description of what change you want and we'll auto-submit a change to this PR to implement it.

[coderabbitai]

Actionable comments posted: 7

🧹 Nitpick comments (2)

apps/web/app/(use-page-wrapper)/settings/(settings-layout)/teams/[id]/roles/page.tsx (2)

114-115: Address the fallback roles limitation

The comment indicates that the current approach doesn't account for fallback roles. This could lead to incorrect permission checks if users have permissions through fallback roles.

Would you like me to open an issue to track implementing fallback role support in permission checks?

---

132-132: Remove unnecessary empty comment

This empty comment line appears to be a leftover and can be removed.

-  // Use Team scope for team roles (this will automatically filter appropriate resources)
-

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a498641 and 6e00507.

📒 Files selected for processing (6)

• apps/web/app/(use-page-wrapper)/settings/(settings-layout)/SettingsLayoutAppDirClient.tsx (3 hunks)
• apps/web/app/(use-page-wrapper)/settings/(settings-layout)/organizations/roles/_components/RoleSheet.tsx (4 hunks)
• apps/web/app/(use-page-wrapper)/settings/(settings-layout)/organizations/roles/_components/RolesList.tsx (4 hunks)
• apps/web/app/(use-page-wrapper)/settings/(settings-layout)/teams/[id]/roles/page.tsx (1 hunks)
• packages/features/pbac/domain/types/permission-registry.ts (6 hunks)
• packages/features/pbac/infrastructure/repositories/RoleRepository.ts (1 hunks)

🧰 Additional context used

🧬 Code Graph Analysis (2)

apps/web/app/(use-page-wrapper)/settings/(settings-layout)/organizations/roles/_components/RoleSheet.tsx (1)

packages/features/pbac/domain/types/permission-registry.ts (1)

• getPermissionsForScope (72-97)

apps/web/app/(use-page-wrapper)/settings/(settings-layout)/SettingsLayoutAppDirClient.tsx (2)

packages/features/flags/config.ts (1)

• TeamFeatures (29-29)

packages/features/flags/hooks/useIsFeatureEnabledForTeam.ts (2)

• TeamFeatures (5-5)
• useIsFeatureEnabledForTeam (7-20)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Codacy Static Code Analysis
• GitHub Check: Security Check

🔇 Additional comments (15)

packages/features/pbac/infrastructure/repositories/RoleRepository.ts (1)

23-28: LGTM! Query logic correctly expanded to include both team-specific and system roles.

The OR condition appropriately fetches both team-specific custom roles and system-wide default roles, which aligns with the PBAC model where teams should have access to both their custom roles and global system roles.

packages/features/pbac/domain/types/permission-registry.ts (4)

30-33: LGTM! Well-defined enum for permission scoping.

The Scope enum clearly defines the two permission contexts (Team and Organization) with descriptive string values.

---

40-40: LGTM! Well-designed interface extension with backward compatibility.

The optional scope property allows permissions to be scoped to multiple contexts while maintaining backward compatibility for existing permissions.

---

67-97: LGTM! Robust implementation of scope-based permission filtering.

The function correctly:

• Filters permissions based on the requested scope
• Maintains backward compatibility for permissions without explicit scope
• Only includes resources that have at least one matching action
• Properly handles the _resource metadata property

The logic is clear and well-documented.

---

110-110: LGTM! Appropriate scope annotations for security and functionality.

The scope annotations are logically applied:

• "All" permissions restricted to Organization scope enhances security
• Team-specific permissions (e.g., ReadTeamBookings) correctly scoped to Team
• Organization-specific permissions (e.g., ManageBilling) correctly scoped to Organization
• Selective application maintains backward compatibility for permissions without explicit scope requirements

Also applies to: 180-180, 228-228, 235-235, 242-242, 249-249, 256-256, 263-263, 270-270, 277-277, 295-295, 302-302

apps/web/app/(use-page-wrapper)/settings/(settings-layout)/organizations/roles/_components/RolesList.tsx (2)

3-3: LGTM! Clean interface extension with proper typing.

The optional scope prop maintains backward compatibility while enabling scoped permission rendering.

Also applies to: 50-50

---

59-59: LGTM! Proper prop forwarding enables scoped permission rendering.

The scope parameter is correctly accepted and passed down to the RoleSheet component, enabling dynamic permission filtering based on context.

Also applies to: 113-113

apps/web/app/(use-page-wrapper)/settings/(settings-layout)/organizations/roles/_components/RoleSheet.tsx (4)

10-14: LGTM! Import changes properly support scoped permission filtering.

The imports are correctly updated to use the new scoped permission system, replacing direct registry access with the filtering function.

---

58-58: LGTM! Props extension maintains backward compatibility with sensible defaults.

The optional scope prop with Scope.Organization default preserves existing behavior while enabling team-scoped permission filtering when needed.

Also applies to: 61-61

---

109-119: LGTM! Filtering logic correctly updated for scoped permissions.

The filteredResources memoization now uses getPermissionsForScope(scope) to dynamically filter permissions based on the current scope, with proper dependency tracking.

---

236-236: LGTM! Permission rendering updated to use scoped registry.

The simple permissions view now correctly uses getPermissionsForScope(scope) to display only permissions relevant to the current scope.

apps/web/app/(use-page-wrapper)/settings/(settings-layout)/SettingsLayoutAppDirClient.tsx (3)

296-323: LGTM! Well-implemented conditional navigation component.

The TeamRolesNavItem component correctly:

• Follows Rules of Hooks by calling the hook unconditionally
• Checks both sub-team status (team.parentId) and parent PBAC enablement
• Uses appropriate fallback value for parentId when checking feature flags
• Implements clean early return pattern for conditional rendering

---

325-325: LGTM! Clean prop threading enables feature flag checking.

The teamFeatures prop is properly passed down to enable the TeamRolesNavItem component to check parent team feature flags.

Also applies to: 622-622

---

434-435: LGTM! Well-integrated conditional navigation with clear documentation.

The TeamRolesNavItem is appropriately placed in the team navigation with a clear comment explaining its conditional nature.

apps/web/app/(use-page-wrapper)/settings/(settings-layout)/teams/[id]/roles/page.tsx (1)

62-71: LGTM!

The metadata generation follows Next.js best practices and correctly includes the team ID in the URL path.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

2 Skipped Deployments

Name	Status	Preview	Comments	Updated (UTC)
cal	⬜️ Ignored (Inspect)	Visit Preview		Jul 18, 2025 9:43am
cal-eu	⬜️ Ignored (Inspect)	Visit Preview		Jul 18, 2025 9:43am

[sean-brydon]

Link for roles tab if there is a parentId and the parent has pbac enabled

[sean-brydon]

Filter permissions by the scope of this role sheet (team,org)

[sean-brydon]

Bring back default roles as i missed this in a merge

[eunjae-lee]

newly created team role doesn't show up in the list

Screenshot.2025-07-17.at.14.46.11.mp4

[eunjae-lee]

nice!

[github-actions]

E2E results are ready!

• Workflow #68509.1 latest results