angee.iam.schema

GraphQL schema contributions for Angee IAM.

Pure identity: the user projection, the password session login, and the REBAC permission hub. The OAuth/OIDC connection substrate (clients, external accounts, credentials, connect/disconnect) lives in integrate; OIDC login lives in iam_integrate_oidc.

GROUP_PUBLIC_IDENTITY

Public data identity for Django auth groups exposed by IAM.

UserType

python
@strawberry_django.type(User)
class UserType(AngeeNode)

GraphQL projection of an Angee user for shared/admin lists.

display_name

python
@strawberry_django.field(only=["first_name", "last_name", "username"])
def display_name() -> str

Return the user's human label, overriding the username Node default.

full_name

python
@strawberry_django.field
def full_name() -> str

Return the user's display name assembled by Django's auth contract.

preferences

python
@strawberry_django.field
def preferences() -> JSON

Return the user's private UI preference object.

CurrentUserType

python
@strawberry_django.type(User)
class CurrentUserType(AngeeNode)

GraphQL projection of the session user, including private role refs.

display_name

python
@strawberry_django.field(only=["first_name", "last_name", "username"])
def display_name() -> str

Return the user's human label, overriding the username Node default.

preferences

python
@strawberry_django.field
def preferences() -> JSON

Return the current user's private UI preference object.

role_refs

python
@strawberry_django.field
def role_refs() -> list[str]

Return direct REBAC role grants for the current session user.

There is no synchronous dataloader idiom in this repo. Keep role refs on the singleton current_user path instead of exposing an N+1 admin-list field that can reveal another user's roles.

GroupType

python
@strawberry_django.type(Group)
class GroupType()

GraphQL projection of Django auth groups with Angee public ids.

id

python
@strawberry.field(description="The public ID of this object.")
def id() -> PublicID

Return this group row's IAM public id.

IAMRoleType

python
@strawberry.type
class IAMRoleType()

Tuple-derived role exposed by the IAM permission hub.

IAMGrantType

python
@strawberry_django.type(active_relationship_model())
class IAMGrantType()

Direct role grant for a user principal.

principal_id

python
@strawberry_django.field
def principal_id() -> str

Return the granted user principal id.

principal_type

python
@strawberry_django.field
def principal_type() -> str

Return the granted user principal type.

principal_label

python
@strawberry_django.field
def principal_label(info: strawberry.Info) -> str | None

Return the principal's display name - no user object exposed.

principal_ref

python
@strawberry_django.field
def principal_ref() -> str

Return the canonical <type>:<id> principal ref.

role

python
@strawberry_django.field
def role() -> str

Return the canonical granted role ref.

role_name

python
@strawberry_django.field
def role_name() -> str

Return the short granted role id.

namespace

python
@strawberry_django.field
def namespace() -> str

Return the namespace portion of the granted role type.

IAMRelationType

python
@strawberry.type
class IAMRelationType()

Relation declaration from the installed REBAC schema.

IAMPermCondition

python
@strawberry.type
class IAMPermCondition()

Flattened permission expression leaf.

IAMPermissionType

python
@strawberry.type
class IAMPermissionType()

Permission declaration from the installed REBAC schema.

IAMResourceSchemaType

python
@strawberry.type
class IAMResourceSchemaType()

Resource definition projected from the installed REBAC schema.

IAMOverviewNamespaceType

python
@strawberry.type
class IAMOverviewNamespaceType()

Role namespace aggregate shown by the IAM overview.

IAMRelationshipType

python
@strawberry_django.type(active_relationship_model())
class IAMRelationshipType()

Raw active REBAC relationship tuple.

id

python
@strawberry_django.field
def id() -> str

Return the relationship row's primary-key identity.

resource_type

python
@strawberry_django.field
def resource_type() -> str

Return the relationship resource type.

resource_id

python
@strawberry_django.field
def resource_id() -> str

Return the relationship resource id.

relation

python
@strawberry_django.field
def relation() -> str

Return the relationship name.

subject_type

python
@strawberry_django.field
def subject_type() -> str

Return the relationship subject type.

subject_id

python
@strawberry_django.field
def subject_id() -> str

Return the relationship subject id.

subject_relation

python
@strawberry_django.field
def subject_relation() -> str

Return the optional subject-set relation.

caveat_name

python
@strawberry_django.field
def caveat_name() -> str

Return the relationship caveat name.

IAMOverviewType

python
@strawberry.type
class IAMOverviewType()

IAM dashboard facts computed by the IAM backend owner.

LoginPayload

python
@strawberry.type
class LoginPayload()

Result returned by the session login mutation.

IAMUserWriteBackend

python
class IAMUserWriteBackend()

Admin write semantics for the Hasura users resource.

create

python
def create(info: strawberry.Info, data: dict[str, Any]) -> Any

Create one user through Django's password-hashing manager.

update

python
def update(info: strawberry.Info, pk: str, data: dict[str, Any]) -> Any

Patch one user, hashing password when supplied.

delete

python
def delete(info: strawberry.Info, pk: str) -> Any | None

Delete one user by public id and return the deleted row.

IAMGroupWriteBackend

python
class IAMGroupWriteBackend()

Admin write semantics for the Hasura groups resource.

create

python
def create(info: strawberry.Info, data: dict[str, Any]) -> Any

Create one Django auth group.

update

python
def update(info: strawberry.Info, pk: str, data: dict[str, Any]) -> Any

Patch one Django auth group.

delete

python
def delete(info: strawberry.Info, pk: str) -> Any | None

Delete one Django auth group by public id.

IAMRoleRow

python
class IAMRoleRow(BaseModel)

Computed IAM role row (no Django table behind it).

The row-shape SSOT for the iam.Role Hasura resource. Roles are deduped from active role-relationship tuples and labelled from the REBAC schema AST (the same computation the authored roles query exposed). IAMRoleType keys by the short resource_id (role_id), which is not unique across namespaces; the row adds an explicit id (the canonical <namespace>/role:<id> ref) for by-pk addressing.

IAMGrantRow

python
class IAMGrantRow(BaseModel)

Computed IAM role-grant row (no Django table behind it).

The row-shape SSOT for the iam.Grant Hasura resource, projected from the direct user role-grant tuples (the same rows the authored grants query paginated). The principal/role pair is unique, so id is the <principal_ref>:<role> composite for by-pk addressing.
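
The id scheme described for IAMRoleRow and IAMGrantRow, as an added example (not code from the Angee project): it dedupes roles from relationship tuples twice, once keyed by the short resource_id and once by the canonical ref, and reports which keys would address more than one role. Field names follow IAMRelationshipType on this page; the sample tuples, the namespaces, the "member" relation, the "auth/user" subject type and the "<namespace>/role" shape of resource_type are assumptions.

```python
from typing import Callable, Iterable, NamedTuple


class Rel(NamedTuple):
    # Field names follow IAMRelationshipType on this page.
    resource_type: str  # assumed shape: "<namespace>/role"
    resource_id: str    # short role id
    relation: str
    subject_type: str
    subject_id: str


# Constructed sample tuples; every value here is an assumption.
SAMPLE = [
    Rel("billing/role", "admin", "member", "auth/user", "usr_1"),
    Rel("crm/role", "admin", "member", "auth/user", "usr_2"),
    Rel("crm/role", "admin", "member", "auth/user", "usr_1"),
    Rel("crm/role", "viewer", "member", "auth/user", "usr_2"),
]


def role_ref(rel: Rel) -> str:
    """Canonical <namespace>/role:<id> ref, used as the role row id."""
    return f"{rel.resource_type}:{rel.resource_id}"


def grant_id(rel: Rel) -> str:
    """<principal_ref>:<role> composite; principal_ref is <type>:<id>."""
    return f"{rel.subject_type}:{rel.subject_id}:{role_ref(rel)}"


def role_rows(rels: Iterable[Rel], key: Callable[[Rel], str]) -> dict[str, set[str]]:
    """Dedupe roles under a key function: key -> canonical refs it addresses."""
    rows: dict[str, set[str]] = {}
    for rel in rels:
        rows.setdefault(key(rel), set()).add(role_ref(rel))
    return rows


def ambiguous_keys(rows: dict[str, set[str]]) -> list[str]:
    """Keys that resolve to more than one role: unsafe for by-pk addressing."""
    return sorted(k for k, refs in rows.items() if len(refs) > 1)


by_short_id = role_rows(SAMPLE, key=lambda r: r.resource_id)
by_canonical = role_rows(SAMPLE, key=role_ref)

if __name__ == "__main__":
    print("ambiguous short ids:", ambiguous_keys(by_short_id))
    print("ambiguous canonical ids:", ambiguous_keys(by_canonical))
    print("grant ids:", sorted(grant_id(r) for r in SAMPLE))
```

A by-pk lookup on the short id would match both billing and crm "admin" roles, which is the ambiguity the explicit row id removes.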

IAMQuery

python
@strawberry.type
class IAMQuery()

Session-backed IAM queries.

current_user

python
@strawberry.field
def current_user(info: strawberry.Info) -> CurrentUserType | None

Return the authenticated session user, if any.

IAMConsoleQuery

python
@strawberry.type
class IAMConsoleQuery()

Admin IAM user and permission-hub queries.

roles

python
@strawberry.field(permission_classes=_ADMIN_PERMISSION_CLASSES)
def roles() -> list[IAMRoleType]

Return active tuple-derived roles.

rebac_schema

python
@strawberry.field(permission_classes=_ADMIN_PERMISSION_CLASSES)
def rebac_schema() -> list[IAMResourceSchemaType]

Return the installed REBAC schema projection.

iam_overview

python
@strawberry.field(permission_classes=_ADMIN_PERMISSION_CLASSES)
def iam_overview(
        peek_limit: int = _IAM_OVERVIEW_DEFAULT_PEEK_LIMIT) -> IAMOverviewType

Return IAM dashboard aggregates and peek rows.

IAMMutation

python
@strawberry.type
class IAMMutation()

Session-backed IAM mutations.

login

python
@strawberry.mutation
def login(info: strawberry.Info, username: str, password: str) -> LoginPayload

Authenticate credentials and bind the user to the session.

logout

python
@strawberry.mutation
def logout(info: strawberry.Info) -> bool

Clear the current session.

update_preferences

python
@strawberry.mutation
def update_preferences(info: strawberry.Info,
                       preferences: JSON) -> CurrentUserType

Replace the authenticated user's private UI preference object.

IAMUserDeletePreviewMutation

python
@strawberry.type
class IAMUserDeletePreviewMutation()

Authored cascade delete preview for users.

delete_user

python
@strawberry.mutation(name="delete_user")
def delete_user(info: strawberry.Info,
                id: PublicID,
                confirm: bool = False) -> DeletePreview

Preview or confirm deletion of one user by public id.

IAMPermissionHubMutation

python
@strawberry.type
class IAMPermissionHubMutation()

Admin mutations for tuple-backed IAM role grants.

grant_role

python
@strawberry.mutation(permission_classes=_ADMIN_PERMISSION_CLASSES)
def grant_role(principal_id: str, role: str) -> bool

Grant a role to one user principal.

revoke_role

python
@strawberry.mutation(permission_classes=_ADMIN_PERMISSION_CLASSES)
def revoke_role(principal_id: str, role: str) -> bool

Revoke a role from one user principal.

schemas

GraphQL contributions installed by the IAM addon.

Released under the AGPL-3.0 License.