Design per-service RBAC role assignment

Table of Contents

What
Why
References
See also

This page is a capture in the deferred bucket of the product backlog — a pre-sprint idea, not yet pulled into a sprint as a story.

What

(One paragraph: the idea.)

Why

(Motivation, problem being solved, related context.)

References

See also

Services currently accept any valid JWT regardless of the caller's roles. The intended design (RBAC + HBAC):

Each service declares the roles that may call it (e.g. only service_account role may call internal service RPCs).
The JWT already carries roles (from IAM). The service's request-context validation checks that the caller holds an acceptable role.
Per-service role assignment is stored in IAM and pushed into the JWT at token issuance.

Design questions:

Should this be a role (coarse) or a permission (fine-grained) check at the service entry-point?
How do service-to-service calls authenticate — a service JWT with a service_account role?

Write a design note before implementing.

Emacs 29.1 (Org mode 9.6.6)