Permissions

Permissions define who may act and who may read. They belong in the model, not only in custom page code or external clients.

Building blocks

Concept                 Meaning
Principal               The user, service, or agent identity making the request.
Role                    Named business authority such as Admin, Manager, or SupportAgent.
Attribute               Contextual property used for access decisions, such as team, region, account, or ownership.
Command permission      Rule that allows or denies command execution.
Projection permission   Rule that allows or denies reading projection data.

Command permissions

Command permissions protect business decisions. Check them before publishing whenever a new command is added or an existing command changes meaning.

Projection permissions

Projection permissions protect read data. A user who cannot execute a command may still be allowed to read a projection, or the reverse. Model both explicitly.

Agents

Runtime agents need scoped authority. Give an agent only the command and projection access required for its job, and make user-visible actions auditable in Activity or channels.

Builder agents using Design MCP need tenant/app design access and the appropriate design:read or design scope.

Verification

Test at least one allowed actor and one denied actor for sensitive commands and projections.
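The building blocks above, carried through as an added example (not the platform's own API or code): a deny-by-default evaluator with separate command and projection rules, each granted by role or by an attribute match, plus the allowed/denied actor checks the Verification step asks for. The names Principal, Rule, can_execute, can_read and the sample command and projection are assumptions constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Principal:
    """Identity making the request: a user, a service, or a runtime agent."""
    id: str
    roles: frozenset
    attributes: dict = field(default_factory=dict)  # e.g. team, region, account

@dataclass(frozen=True)
class Rule:
    """A rule grants access when the principal holds one of `roles` OR
    `attribute_match(principal, resource)` is true. No rule means denied."""
    roles: frozenset = frozenset()
    attribute_match: object = None  # callable(principal, resource) -> bool

# Constructed rules: command permissions guard a business decision, projection
# permissions guard read data. They are modelled separately on purpose.
COMMAND_RULES = {
    "IssueRefund": Rule(roles=frozenset({"Manager"}),
                        attribute_match=lambda p, r: p.attributes.get("account") == r.get("account")),
}
PROJECTION_RULES = {
    "RefundLedger": Rule(roles=frozenset({"Admin"}),
                         attribute_match=lambda p, r: p.attributes.get("team") == r.get("team")),
}

def _evaluate(rules, name, principal, resource):
    rule = rules.get(name)
    if rule is None:
        return False  # deny by default: an unmodelled command or projection is never open
    if principal.roles & rule.roles:
        return True
    return bool(rule.attribute_match and rule.attribute_match(principal, resource))

def can_execute(principal, command, resource):
    return _evaluate(COMMAND_RULES, command, principal, resource)

def can_read(principal, projection, resource):
    return _evaluate(PROJECTION_RULES, projection, principal, resource)

# Verification actors (constructed): one allowed and one denied per sensitive action.
REFUND = {"account": "acct-42", "team": "billing"}
manager = Principal("u1", frozenset({"Manager"}), {"team": "billing"})
support = Principal("u2", frozenset({"SupportAgent"}), {"team": "billing", "account": "acct-42"})
outsider = Principal("u3", frozenset({"SupportAgent"}), {"team": "sales", "account": "acct-7"})
# A scoped runtime agent: Admin lets it read the ledger, but no command rule lets it refund.
ledger_bot = Principal("agent-ledger-reader", frozenset({"Admin"}), {})
```

Running the checks shows that support (account owner) may refund while outsider may not, and that ledger_bot can read RefundLedger but cannot execute IssueRefund, which is exactly the command/projection split the text asks you to model explicitly.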