Add RBAC ADR

Signed-off-by: Neil Martinsen-Burrell <neil.martinsen-burrell@gsa.gov>
2025-08-01 23:42:17 +02:00 · 2023-03-17 13:47:25 -05:00 · 2023-03-17 13:47:25 -05:00 · 23eb9d448b
commit 23eb9d448b
parent 78500ef74c
1 changed files with 29 additions and 0 deletions
--- a/docs/architecture/decisions/0019-role-based-access-control.md
+++ b/docs/architecture/decisions/0019-role-based-access-control.md
@ -0,0 +1,29 @@
+# 19. Role-based Access Control
+
+Date: 2023-03-17
+
+## Status
+
+Approved
+
+## Context
+
+In the registrar application, a single user might be associated with many
+domains, and they might have different levels of access to view or change
+those domains.
+
+## Decision
+
+To use a role-based access control system where we have a model of different
+roles and an association that links a user to a specific role with a specified
+role. Each role would have some associated permissions in the application and
+we can enforce those permissions by using decorators on our Django views.
+
+## Consequences
+
+There is no enterprise model here of users belonging to an “organization” with
+a role on all of its associated domain names. Instead, the association is
+per-domain and a user would have to be granted the role on each domain
+individually. There is also no process designed yet for how and whether users
+can grant other users roles on a domain.
+