Permission Management
Quick Start
Advanced Features
Permission Management
Implement fine-grained access control based on device trust levels, user roles, and business logic using Grantiva's flexible permission system.
Professional Feature
Advanced permission management requires Professional tier or above. Basic tier includes standard permission sets only.
Permission Model Overview
Grantiva's permission system combines device trust assessment with your business logic to create dynamic, risk-aware access control:
- Device-based permissions: Automatically adjusted based on risk score
- Role-based permissions: Traditional RBAC integrated with device trust
- Attribute-based permissions: Fine-grained control using device attributes
- Time-based permissions: Temporal access restrictions
- Geographic permissions: Location-aware access control
Permission Configuration
1. Define Permission Sets
{
"permissionSets": {
"basic": {
"name": "Basic Access",
"permissions": ["read_profile", "view_content"],
"description": "Minimal access for all authenticated devices"
},
"standard": {
"name": "Standard Access",
"permissions": ["basic", "create_content", "edit_own"],
"inherits": ["basic"],
"requirements": {
"maxRiskScore": 50,
"minAttestations": 3
}
},
"premium": {
"name": "Premium Features",
"permissions": ["standard", "advanced_analytics", "bulk_operations"],
"inherits": ["standard"],
"requirements": {
"maxRiskScore": 30,
"minAttestations": 10,
"accountAge": "30d"
}
},
"financial": {
"name": "Financial Operations",
"permissions": ["transfer_funds", "payment_methods", "transaction_history"],
"requirements": {
"maxRiskScore": 20,
"jailbroken": false,
"geoConsistency": true,
"recentAttestations": 24
}
}
}
}
2. Risk-Based Degradation
Automatically downgrade permissions when device risk increases:
{
"riskDegradation": {
"enabled": true,
"rules": [
{
"condition": { "riskScore": { "between": [51, 70] } },
"action": "downgrade",
"target": "readonly",
"notify": true
},
{
"condition": { "riskScore": { "greaterThan": 70 } },
"action": "revoke",
"permissions": ["financial", "admin"],
"require_reauthentication": true
},
{
"condition": { "jailbreakDetected": true },
"action": "restrict",
"blockedPermissions": ["transfer_funds", "export_data"],
"allowedPermissions": ["read_only"]
}
]
}
}
Implementation Patterns
iOS Client Implementation
class PermissionManager {
private var currentPermissions: Set = []
private var permissionCache: [String: Bool] = [:]
func updatePermissions(from token: String) {
guard let payload = decodeJWT(token) else { return }
currentPermissions = Set(payload.permissions)
permissionCache.removeAll() // Clear cache on update
// Notify UI of permission changes
NotificationCenter.default.post(
name: .permissionsUpdated,
object: nil,
userInfo: ["permissions": currentPermissions]
)
}
func hasPermission(_ permission: String) -> Bool {
// Check cache first
if let cached = permissionCache[permission] {
return cached
}
// Check direct permission
let hasPermission = currentPermissions.contains(permission)
// Check inherited permissions
let inherited = checkInheritedPermissions(permission)
let result = hasPermission || inherited
permissionCache[permission] = result
return result
}
func requirePermission(_ permission: String,
for action: @escaping () -> Void,
denied: @escaping () -> Void = {}) {
if hasPermission(permission) {
action()
} else {
// Log permission denial for analytics
Analytics.log(.permissionDenied, parameters: [
"permission": permission,
"riskScore": getCurrentRiskScore()
])
denied()
}
}
}
// Usage in your app
class TransferViewController: UIViewController {
let permissionManager = PermissionManager.shared
@IBAction func initiateTransfer() {
permissionManager.requirePermission("transfer_funds",
for: {
// Show transfer UI
self.performSegue(withIdentifier: "showTransfer", sender: nil)
},
denied: {
// Show restricted access message
self.showAlert(
title: "Access Restricted",
message: "Your current device trust level doesn't allow transfers."
)
}
)
}
}
Server-Side Enforcement
// Express.js middleware example
const enforcePermission = (requiredPermission) => {
return async (req, res, next) => {
const token = req.headers.authorization?.split(' ')[1];
if (!token) {
return res.status(401).json({ error: 'No token provided' });
}
try {
const decoded = jwt.verify(token, process.env.JWT_SECRET);
const { permissions, deviceIntelligence } = decoded;
// Check basic permission
if (!permissions.includes(requiredPermission)) {
// Log for security monitoring
await logSecurityEvent({
event: 'permission_denied',
userId: decoded.sub,
permission: requiredPermission,
riskScore: deviceIntelligence.riskScore,
endpoint: req.path
});
return res.status(403).json({
error: 'Insufficient permissions',
required: requiredPermission,
suggestion: 'Try from a more trusted device'
});
}
// Additional runtime checks
const runtimeChecks = await performRuntimeChecks(decoded, requiredPermission);
if (!runtimeChecks.passed) {
return res.status(403).json({
error: runtimeChecks.reason
});
}
req.user = decoded;
next();
} catch (error) {
res.status(401).json({ error: 'Invalid token' });
}
};
};
// Usage
app.post('/api/transfer',
enforcePermission('transfer_funds'),
validateTransferLimit,
async (req, res) => {
// Process transfer
}
);
Dynamic Permission Rules
Context-Aware Permissions
{
"dynamicRules": [
{
"name": "high_value_transfer",
"permission": "transfer_high_value",
"conditions": {
"all": [
{ "riskScore": { "lessThan": 20 } },
{ "deviceAge": { "greaterThan": "30d" } },
{ "recentSuccessfulAttestations": { "greaterThan": 10 } },
{ "timeOfDay": { "between": ["09:00", "17:00"] } },
{ "dayOfWeek": { "in": ["Mon", "Tue", "Wed", "Thu", "Fri"] } }
]
}
},
{
"name": "emergency_access",
"permission": "emergency_override",
"conditions": {
"all": [
{ "userRole": "admin" },
{ "twoFactorEnabled": true },
{ "location": { "country": "US" } }
]
},
"audit": {
"required": true,
"notifySecurityTeam": true
}
}
]
}
Progressive Trust Building
Grant additional permissions as devices build trust over time:
{
"progressiveTrust": {
"enabled": true,
"milestones": [
{
"name": "new_device",
"requirements": {
"attestationCount": 1,
"daysSinceFirstSeen": 0
},
"grants": ["basic"]
},
{
"name": "establishing_trust",
"requirements": {
"attestationCount": 5,
"daysSinceFirstSeen": 7,
"averageRiskScore": { "lessThan": 40 }
},
"grants": ["standard", "messaging"]
},
{
"name": "trusted_device",
"requirements": {
"attestationCount": 20,
"daysSinceFirstSeen": 30,
"averageRiskScore": { "lessThan": 25 },
"noHighRiskEvents": true
},
"grants": ["premium", "financial_read"]
},
{
"name": "fully_trusted",
"requirements": {
"attestationCount": 50,
"daysSinceFirstSeen": 90,
"averageRiskScore": { "lessThan": 20 },
"consistentUsagePattern": true
},
"grants": ["all_features"]
}
]
}
}
Permission Delegation
Temporary Permission Grants
// Grant temporary elevated permissions
func grantTemporaryPermission(
permission: String,
duration: TimeInterval,
reason: String
) async throws -> TemporaryGrant {
let request = TemporaryPermissionRequest(
permission: permission,
duration: duration,
reason: reason,
deviceId: getCurrentDeviceId()
)
// Server validates and returns signed grant
let grant = try await api.requestTemporaryPermission(request)
// Store grant locally
temporaryGrants.store(grant)
// Schedule expiration
Timer.scheduledTimer(withTimeInterval: duration, repeats: false) { _ in
self.revokeTemporaryGrant(grant.id)
}
return grant
}
// Usage example: One-time approval for large transfer
Button("Approve Large Transfer") {
Task {
do {
let grant = try await grantTemporaryPermission(
permission: "transfer_limit_override",
duration: 300, // 5 minutes
reason: "User approved via biometric authentication"
)
// Proceed with transfer using temporary permission
await performTransfer(withGrant: grant)
} catch {
showError("Could not grant temporary permission")
}
}
}
Audit and Compliance
Permission Usage Tracking
{
"auditConfiguration": {
"trackPermissionUsage": true,
"detailedLogging": ["financial", "admin", "export"],
"retentionDays": 90,
"exportFormat": "SIEM",
"alerts": [
{
"trigger": "permission_denied",
"threshold": 10,
"window": "5m",
"action": "notify_security"
},
{
"trigger": "unusual_permission_pattern",
"ml_model": "permission_anomaly_v2",
"action": "flag_for_review"
}
]
}
}
Best Practices
- Principle of Least Privilege: Start with minimal permissions and grant more as trust builds
- Clear Communication: Always explain why permissions are denied and how to gain access
- Graceful Degradation: Provide limited functionality rather than complete blocks
- Regular Review: Audit permission usage and adjust rules based on patterns
- Testing: Thoroughly test permission rules across different risk scenarios
- Documentation: Maintain clear documentation of all permission requirements
Permission Reference
| Permission | Risk Threshold | Additional Requirements |
|---|---|---|
| read_profile | 100 (always) | Valid attestation |
| create_content | 50 | 3+ attestations |
| transfer_funds | 20 | No jailbreak, 30d history |
| admin_access | 10 | MFA enabled, geo-consistent |