angee.iam.schema
GraphQL schema contributions for Angee IAM.
Pure identity: the user projection, the password session login, and the REBAC permission hub. The OAuth/OIDC connection substrate (clients, external accounts, credentials, connect/disconnect) lives in integrate; OIDC login lives in iam_integrate_oidc.
GROUP_PUBLIC_IDENTITY
Public data identity for Django auth groups exposed by IAM.
UserType
@strawberry_django.type(User)
class UserType(AngeeNode)
GraphQL projection of an Angee user for shared/admin lists.
display_name
@strawberry_django.field(only=["first_name", "last_name", "username"])
def display_name() -> str
Return the user's human label, overriding the username Node default.
full_name
@strawberry_django.field
def full_name() -> str
Return the user's display name assembled by Django's auth contract.
preferences
@strawberry_django.field
def preferences() -> JSON
Return the user's private UI preference object.
CurrentUserType
@strawberry_django.type(User)
class CurrentUserType(AngeeNode)
GraphQL projection of the session user, including private role refs.
display_name
@strawberry_django.field(only=["first_name", "last_name", "username"])
def display_name() -> str
Return the user's human label, overriding the username Node default.
preferences
@strawberry_django.field
def preferences() -> JSON
Return the current user's private UI preference object.
role_refs
@strawberry_django.field
def role_refs() -> list[str]
Return direct REBAC role grants for the current session user.
There is no synchronous dataloader idiom in this repo. Keep role refs on the singleton current_user path instead of exposing an N+1 admin-list field that can reveal another user's roles.
GroupType
@strawberry_django.type(Group)
class GroupType()
GraphQL projection of Django auth groups with Angee public ids.
id
@strawberry.field(description="The public ID of this object.")
def id() -> PublicID
Return this group row's IAM public id.
IAMRoleType
@strawberry.type
class IAMRoleType()
Tuple-derived role exposed by the IAM permission hub.
IAMGrantType
@strawberry_django.type(active_relationship_model())
class IAMGrantType()
Direct role grant for a user principal.
principal_id
@strawberry_django.field
def principal_id() -> str
Return the granted user principal id.
principal_type
@strawberry_django.field
def principal_type() -> str
Return the granted user principal type.
principal_label
@strawberry_django.field
def principal_label(info: strawberry.Info) -> str | None
Return the principal's display name - no user object exposed.
principal_ref
@strawberry_django.field
def principal_ref() -> str
Return the canonical <type>:<id> principal ref.
role
@strawberry_django.field
def role() -> str
Return the canonical granted role ref.
role_name
@strawberry_django.field
def role_name() -> str
Return the short granted role id.
namespace
@strawberry_django.field
def namespace() -> str
Return the namespace portion of the granted role type.
IAMRelationType
@strawberry.type
class IAMRelationType()
Relation declaration from the installed REBAC schema.
IAMPermCondition
@strawberry.type
class IAMPermCondition()
Flattened permission expression leaf.
IAMPermissionType
@strawberry.type
class IAMPermissionType()
Permission declaration from the installed REBAC schema.
IAMResourceSchemaType
@strawberry.type
class IAMResourceSchemaType()
Resource definition projected from the installed REBAC schema.
IAMOverviewNamespaceType
@strawberry.type
class IAMOverviewNamespaceType()
Role namespace aggregate shown by the IAM overview.
IAMRelationshipType
@strawberry_django.type(active_relationship_model())
class IAMRelationshipType()
Raw active REBAC relationship tuple.
id
@strawberry_django.field
def id() -> str
Return the relationship row's primary-key identity.
resource_type
@strawberry_django.field
def resource_type() -> str
Return the relationship resource type.
resource_id
@strawberry_django.field
def resource_id() -> str
Return the relationship resource id.
relation
@strawberry_django.field
def relation() -> str
Return the relationship name.
subject_type
@strawberry_django.field
def subject_type() -> str
Return the relationship subject type.
subject_id
@strawberry_django.field
def subject_id() -> str
Return the relationship subject id.
subject_relation
@strawberry_django.field
def subject_relation() -> str
Return the optional subject-set relation.
caveat_name
@strawberry_django.field
def caveat_name() -> str
Return the relationship caveat name.
IAMOverviewType
@strawberry.type
class IAMOverviewType()
IAM dashboard facts computed by the IAM backend owner.
LoginPayload
@strawberry.type
class LoginPayload()
Result returned by the session login mutation.
IAMUserWriteBackend
class IAMUserWriteBackend()
Admin write semantics for the Hasura users resource.
create
def create(info: strawberry.Info, data: dict[str, Any]) -> Any
Create one user through Django's password-hashing manager.
update
def update(info: strawberry.Info, pk: str, data: dict[str, Any]) -> Any
Patch one user, hashing password when supplied.
delete
def delete(info: strawberry.Info, pk: str) -> Any | None
Delete one user by public id and return the deleted row.
IAMGroupWriteBackend
class IAMGroupWriteBackend()
Admin write semantics for the Hasura groups resource.
create
def create(info: strawberry.Info, data: dict[str, Any]) -> Any
Create one Django auth group.
update
def update(info: strawberry.Info, pk: str, data: dict[str, Any]) -> Any
Patch one Django auth group.
delete
def delete(info: strawberry.Info, pk: str) -> Any | None
Delete one Django auth group by public id.
IAMRoleRow
class IAMRoleRow(BaseModel)
Computed IAM role row (no Django table behind it).
The row-shape SSOT for the iam.Role Hasura resource. Roles are deduped from active role-relationship tuples and labelled from the REBAC schema AST (the same computation the authored roles query exposed). IAMRoleType keys by the short resource_id (role_id), which is not unique across namespaces; the row adds an explicit id (the canonical <namespace>/role:<id> ref) for by-pk addressing.
IAMGrantRow
class IAMGrantRow(BaseModel)
Computed IAM role-grant row (no Django table behind it).
The row-shape SSOT for the iam.Grant Hasura resource, projected from the direct user role-grant tuples (the same rows the authored grants query paginated). The principal/role pair is unique, so id is the <principal_ref>:<role> composite for by-pk addressing.
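The keying rules described for IAMRoleRow and IAMGrantRow, as an added example that is not code from the Angee project: it dedupes role tuples by the canonical `<namespace>/role:<id>` ref, builds the `<principal_ref>:<role>` grant id, and reports short role ids that collide across namespaces. The `Rel` tuple shape, the `member` relation, the `user` subject type and the sample rows are assumptions constructed for illustration.

```python
from collections import namedtuple

# Constructed sample tuples. The "member" relation, the "user" subject type and
# the Rel shape are assumptions for illustration, not Angee's own names.
Rel = namedtuple("Rel", "resource_type resource_id relation subject_type subject_id")
SAMPLE = [
    Rel("billing/role", "admin", "member", "user", "7"),
    Rel("billing/role", "admin", "member", "user", "9"),
    Rel("support/role", "admin", "member", "user", "9"),
    Rel("support/role", "agent", "member", "user", "7"),
    Rel("billing/invoice", "inv-1", "viewer", "user", "7"),  # not a role tuple
]

def is_role_tuple(rel):
    return rel.resource_type.endswith("/role")

def role_ref(rel):
    """Canonical <namespace>/role:<id> ref."""
    return f"{rel.resource_type}:{rel.resource_id}"

def role_rows(rels):
    """Dedupe role tuples into one row per canonical role ref."""
    rows = {}
    for rel in filter(is_role_tuple, rels):
        ref = role_ref(rel)
        namespace = rel.resource_type.rsplit("/", 1)[0]
        rows.setdefault(ref, {"id": ref, "role_id": rel.resource_id, "namespace": namespace})
    return rows

def grant_rows(rels):
    """One row per principal/role pair, keyed by <principal_ref>:<role>."""
    rows = {}
    for rel in filter(is_role_tuple, rels):
        principal_ref = f"{rel.subject_type}:{rel.subject_id}"
        rows[f"{principal_ref}:{role_ref(rel)}"] = {"principal_ref": principal_ref, "role": role_ref(rel)}
    return rows

def short_id_collisions(rels):
    """Short role ids that resolve to more than one canonical role."""
    by_short = {}
    for row in role_rows(rels).values():
        by_short.setdefault(row["role_id"], []).append(row["id"])
    return {short: sorted(refs) for short, refs in by_short.items() if len(refs) > 1}
```

In the sample, the short id `admin` names two different roles, so any lookup, cache key or revoke addressed by it would be ambiguous; the canonical ref and the composite grant id are not.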
IAMQuery
@strawberry.type
class IAMQuery()
Session-backed IAM queries.
current_user
@strawberry.field
def current_user(info: strawberry.Info) -> CurrentUserType | None
Return the authenticated session user, if any.
IAMConsoleQuery
@strawberry.type
class IAMConsoleQuery()
Admin IAM user and permission-hub queries.
roles
@strawberry.field(permission_classes=_ADMIN_PERMISSION_CLASSES)
def roles() -> list[IAMRoleType]
Return active tuple-derived roles.
rebac_schema
@strawberry.field(permission_classes=_ADMIN_PERMISSION_CLASSES)
def rebac_schema() -> list[IAMResourceSchemaType]
Return the installed REBAC schema projection.
iam_overview
@strawberry.field(permission_classes=_ADMIN_PERMISSION_CLASSES)
def iam_overview(peek_limit: int = _IAM_OVERVIEW_DEFAULT_PEEK_LIMIT) -> IAMOverviewType
Return IAM dashboard aggregates and peek rows.
IAMMutation
@strawberry.type
class IAMMutation()
Session-backed IAM mutations.
login
@strawberry.mutation
def login(info: strawberry.Info, username: str, password: str) -> LoginPayload
Authenticate credentials and bind the user to the session.
logout
@strawberry.mutation
def logout(info: strawberry.Info) -> bool
Clear the current session.
update_preferences
@strawberry.mutation
def update_preferences(info: strawberry.Info, preferences: JSON) -> CurrentUserType
Replace the authenticated user's private UI preference object.
IAMUserDeletePreviewMutation
@strawberry.type
class IAMUserDeletePreviewMutation()
Authored cascade delete preview for users.
delete_user
@strawberry.mutation(name="delete_user")
def delete_user(info: strawberry.Info, id: PublicID, confirm: bool = False) -> DeletePreview
Preview or confirm deletion of one user by public id.
IAMPermissionHubMutation
@strawberry.type
class IAMPermissionHubMutation()
Admin mutations for tuple-backed IAM role grants.
grant_role
@strawberry.mutation(permission_classes=_ADMIN_PERMISSION_CLASSES)
def grant_role(principal_id: str, role: str) -> bool
Grant a role to one user principal.
revoke_role
@strawberry.mutation(permission_classes=_ADMIN_PERMISSION_CLASSES)
def revoke_role(principal_id: str, role: str) -> bool
Revoke a role from one user principal.
schemas
GraphQL contributions installed by the IAM addon.