Access Control Service Overview
This document summarises the main data services exposed by access-control-client. Each service wraps a Prisma model and enforces the basic domain rules for it (tenant scoping, role and session validity) before touching the database.
Core Data Services
| Service | Purpose |
|---|---|
| UserDataService | Manage user accounts, passwords and profile fields |
| RoleDataService | CRUD operations for roles and default permissions |
| PermissionDataService | Create and query permission definitions |
| UserRoleDataService | Link users to roles within a tenant |
| SessionDataService | Issue, validate and revoke user sessions |
| FeatureFlagsDataService | Toggle features at runtime for specific tenants or users |
Required Environment Variables
| Variable | Description |
|---|---|
| ACCESS_CONTROL_DATABASE_URL | PostgreSQL connection string for the Prisma datasource (required) |
| MAX_CONCURRENCY | Optional limit for parallel queries in FeatureStatsDataService (defaults to 3) |
| CI_OFFLINE=true | Prevents network calls during offline runs |
| SKIP_INTEGRATION=1 | Skip Docker-based tests when containers are unavailable |
Example Flows
1. User Creation
   - Call UserDataService.createUser with email, password and tenant ID.
   - UserRoleDataService assigns the default role for the tenant.
   - Optionally create an invitation token so the user can activate their account.
2. Role Assignment
   - Use RoleDataService.createRole to define a new role.
   - Attach permissions via PermissionDataService or assign existing ones.
   - Call UserRoleDataService.addRoleToUser to grant the role to a user.
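The role-assignment flow above links a user to a role within a tenant, and the point that matters for security is that both the link and every later permission lookup are keyed by tenant. The following is an added example, not code from access-control-client: an in-memory model of createRole, attaching permissions and addRoleToUser, with a hasPermission check on top. The class and method names, the "invoice:read" permission and the two tenants are all assumptions made for illustration.

```typescript
// Added example, not code from access-control-client: an in-memory model of the
// role-assignment flow (createRole -> attach permissions -> addRoleToUser) that
// shows why every lookup is keyed by tenant. Class and method names here are
// assumptions, not the library's real signatures.

interface Permission { id: string; key: string }            // key e.g. "invoice:read"
interface Role { id: string; tenantId: string; name: string; permissionIds: string[] }
interface UserRole { userId: string; roleId: string; tenantId: string }

class InMemoryAccessControl {
  private permissions: Record<string, Permission> = {};
  private roles: Record<string, Role> = {};
  private userRoles: UserRole[] = [];
  private seq = 0;

  private nextId(prefix: string): string { return prefix + "_" + (++this.seq); }

  createPermission(key: string): Permission {
    const p: Permission = { id: this.nextId("perm"), key };
    this.permissions[p.id] = p;
    return p;
  }

  createRole(tenantId: string, name: string): Role {
    const r: Role = { id: this.nextId("role"), tenantId, name, permissionIds: [] };
    this.roles[r.id] = r;
    return r;
  }

  attachPermission(roleId: string, permissionId: string): void {
    const role = this.roles[roleId];
    if (!role) throw new Error("unknown role " + roleId);
    if (!this.permissions[permissionId]) throw new Error("unknown permission " + permissionId);
    if (role.permissionIds.indexOf(permissionId) === -1) role.permissionIds.push(permissionId);
  }

  // Counterpart of UserRoleDataService.addRoleToUser. The link is rejected unless the
  // role belongs to the tenant the caller is operating in, so an admin of tenant A
  // cannot hand out tenant B's roles even if they know the role id.
  addRoleToUser(userId: string, roleId: string, tenantId: string): void {
    const role = this.roles[roleId];
    if (!role) throw new Error("unknown role " + roleId);
    if (role.tenantId !== tenantId) {
      throw new Error("role " + roleId + " does not belong to tenant " + tenantId);
    }
    const exists = this.userRoles.some(
      ur => ur.userId === userId && ur.roleId === roleId && ur.tenantId === tenantId,
    );
    if (!exists) this.userRoles.push({ userId, roleId, tenantId });
  }

  // The check every request should go through. Permissions are resolved per tenant,
  // so a role held in tenant A grants nothing when the same user acts in tenant B.
  hasPermission(userId: string, tenantId: string, permissionKey: string): boolean {
    return this.userRoles
      .filter(ur => ur.userId === userId && ur.tenantId === tenantId)
      .some(ur => {
        const role = this.roles[ur.roleId];
        return !!role && role.permissionIds.some(pid => this.permissions[pid].key === permissionKey);
      });
  }
}

// Constructed scenario: a "billing-admin" role exists in each of two tenants and
// alice holds it in tenant-a only.
function roleAssignmentDemo() {
  const ac = new InMemoryAccessControl();
  const invoiceRead = ac.createPermission("invoice:read");
  const billingA = ac.createRole("tenant-a", "billing-admin");
  const billingB = ac.createRole("tenant-b", "billing-admin");
  ac.attachPermission(billingA.id, invoiceRead.id);
  ac.attachPermission(billingB.id, invoiceRead.id);
  ac.addRoleToUser("alice", billingA.id, "tenant-a");

  let crossTenantRejected = false;
  try {
    ac.addRoleToUser("alice", billingB.id, "tenant-a"); // tenant-b's role via a tenant-a context
  } catch (e) {
    crossTenantRejected = true;
  }

  return {
    inTenantA: ac.hasPermission("alice", "tenant-a", "invoice:read"),   // true
    inTenantB: ac.hasPermission("alice", "tenant-b", "invoice:read"),   // false
    crossTenantRejected,                                                // true
  };
}

console.log(roleAssignmentDemo());
```

The tenant check in addRoleToUser is the one worth carrying over to any real implementation: without it, a role id leaked or guessed from another tenant becomes a privilege-escalation primitive.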
3. Session Management
   - SessionDataService.createSession issues a new session and refresh token.
   - Send the jti in a cookie or header with every authenticated request; the server looks the session up by jti.
   - SessionDataService.revokeSession or revokeAllSessionsForUser removes sessions when required, for example on logout or after a password change.
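The session flow above names the three operations (issue, validate by jti, revoke) but not the checks a store has to make on each. The following is an added example, not code from access-control-client: an in-memory session store that issues a random jti and refresh token, keeps only a hash of the refresh token, enforces an absolute expiry, rotates the refresh token and treats replay of a rotated-out token as theft, and implements both revocation calls. SessionStore, its method names, the fake clock and the alice/bob scenario are assumptions for illustration; the real SessionDataService persists sessions through Prisma.

```typescript
import { randomBytes, createHash, timingSafeEqual } from "crypto";

// Added example, not code from access-control-client: an in-memory model of the
// session flow above. SessionStore and its method names are assumptions; the real
// SessionDataService persists sessions through Prisma.

interface SessionRecord {
  jti: string;          // session id the client sends back in a cookie or header
  userId: string;
  tenantId: string;
  refreshHash: string;  // sha256 of the current refresh token; the raw token is never stored
  expiresAt: number;    // absolute expiry, epoch ms
  revoked: boolean;
}

function sha256Hex(value: string): string {
  return createHash("sha256").update(value).digest("hex");
}

class SessionStore {
  private sessions: Record<string, SessionRecord> = {};
  // `now` is injectable so expiry can be exercised without waiting.
  constructor(private ttlMs: number, private now: () => number = () => Date.now()) {}

  createSession(userId: string, tenantId: string): { jti: string; refreshToken: string } {
    const jti = randomBytes(16).toString("hex");          // 128 random bits: unguessable, not sequential
    const refreshToken = randomBytes(32).toString("hex");
    this.sessions[jti] = {
      jti, userId, tenantId,
      refreshHash: sha256Hex(refreshToken),
      expiresAt: this.now() + this.ttlMs,
      revoked: false,
    };
    return { jti, refreshToken }; // the only time the raw refresh token is visible
  }

  // Valid only if present, not revoked and not past its absolute expiry.
  validateSession(jti: string): SessionRecord | null {
    const s = this.sessions[jti];
    if (!s || s.revoked || s.expiresAt <= this.now()) return null;
    return s;
  }

  // Rotate the refresh token. A token that was already rotated out is treated as
  // evidence of theft, so the whole session is revoked instead of merely refused.
  refreshSession(jti: string, presented: string): { refreshToken: string } | null {
    const s = this.validateSession(jti);
    if (!s) return null;
    const stored = Buffer.from(s.refreshHash, "hex");
    const given = Buffer.from(sha256Hex(presented), "hex");   // both 32 bytes, so lengths match
    if (!timingSafeEqual(stored, given)) {
      s.revoked = true;
      return null;
    }
    const refreshToken = randomBytes(32).toString("hex");
    s.refreshHash = sha256Hex(refreshToken);
    s.expiresAt = this.now() + this.ttlMs;
    return { refreshToken };
  }

  revokeSession(jti: string): boolean {
    const s = this.sessions[jti];
    if (!s || s.revoked) return false;
    s.revoked = true;
    return true;
  }

  // For password change or account compromise: returns how many live sessions were cut.
  revokeAllSessionsForUser(userId: string): number {
    let count = 0;
    for (const jti in this.sessions) {
      const s = this.sessions[jti];
      if (s.userId === userId && !s.revoked) { s.revoked = true; count++; }
    }
    return count;
  }
}

// Constructed walk-through with a fake clock; returns the observations a test can check.
function sessionDemo() {
  let clock = 0;
  const store = new SessionStore(60000, () => clock);
  const a1 = store.createSession("alice", "tenant-a");
  const a2 = store.createSession("alice", "tenant-a");
  const b1 = store.createSession("bob", "tenant-a");

  const validAtStart = store.validateSession(a1.jti) !== null;
  const rotated = store.refreshSession(a1.jti, a1.refreshToken);
  const replay = store.refreshSession(a1.jti, a1.refreshToken);       // stale token replayed
  const revokedOnReplay = replay === null && store.validateSession(a1.jti) === null;
  const revokedCount = store.revokeAllSessionsForUser("alice");       // a1 already revoked, so 1
  const aliceLoggedOut = store.validateSession(a2.jti) === null;
  const bobUnaffected = store.validateSession(b1.jti) !== null;
  clock = 60000;                                                      // ttl elapsed
  const expiredRejected = store.validateSession(b1.jti) === null;

  return {
    validAtStart, rotatedIssued: rotated !== null, revokedOnReplay,
    revokedCount, aliceLoggedOut, bobUnaffected, expiredRejected,
  };
}

console.log(sessionDemo());
```

Two choices carry over to a real store: the client only ever holds the jti and the refresh token, so a database dump yields hashes rather than usable refresh tokens, and replay of a rotated-out refresh token revokes the session rather than returning a plain error, which is what turns token theft into a visible, self-limiting event.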
Related Documents
- Admin Capabilities: platform vs tenant-scoped admins
- Full seed taxonomy in libs/prisma/access-control-client/prisma/SEEDS.md