feat: iam rbac system

Endpoints and db architecture to support a role based IAM system.

.alembic/env.py

@@ -10,6 +10,8 @@ from src.config import SQLALCHEMY_DATABASE_URI
 from src.contact.models import Contact
 from src.organisation.models import Organisation, OrgUsers
 from src.user.models import User
+from src.service.models import Service
+from src.iam.models import Permission, Group, GroupPermissions, UserGroups
 from src.database import Base
 
 # this is the Alembic Config object, which provides

.alembic/versions/2026-05-22_init_iam.py

@@ -0,0 +1,83 @@
+"""Init IAM
+
+Revision ID: a147965e644e
+Revises: 8fe51426321d
+Create Date: 2026-05-22 15:59:36.469374
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision: str = 'a147965e644e'
+down_revision: Union[str, Sequence[str], None] = '8fe51426321d'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    """Upgrade schema."""
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.create_table('service',
+    sa.Column('id', sa.Integer(), nullable=False),
+    sa.Column('name', sa.String(), nullable=True),
+    sa.Column('api_key', sa.String(), nullable=True),
+    sa.PrimaryKeyConstraint('id'),
+    sa.UniqueConstraint('api_key'),
+    sa.UniqueConstraint('name')
+    )
+    op.create_table('permission',
+    sa.Column('id', sa.Integer(), nullable=False),
+    sa.Column('resource', sa.String(), nullable=False),
+    sa.Column('action', sa.String(), nullable=False),
+    sa.Column('service_id', sa.Integer(), nullable=True),
+    sa.ForeignKeyConstraint(['service_id'], ['service.id'], ondelete='CASCADE'),
+    sa.PrimaryKeyConstraint('id')
+    )
+    op.create_table('group',
+    sa.Column('id', sa.Integer(), nullable=False),
+    sa.Column('name', sa.String(), nullable=False),
+    sa.Column('org_id', sa.Integer(), nullable=True),
+    sa.ForeignKeyConstraint(['org_id'], ['organisation.id'], ondelete='CASCADE'),
+    sa.PrimaryKeyConstraint('id'),
+    sa.UniqueConstraint('name')
+    )
+    op.create_table('group_permissions',
+    sa.Column('group_id', sa.Integer(), nullable=False),
+    sa.Column('permission_id', sa.Integer(), nullable=False),
+    sa.ForeignKeyConstraint(['group_id'], ['group.id'], ondelete='CASCADE'),
+    sa.ForeignKeyConstraint(['permission_id'], ['permission.id'], ondelete='CASCADE'),
+    sa.PrimaryKeyConstraint('group_id', 'permission_id')
+    )
+    op.create_table('user_groups',
+    sa.Column('org_id', sa.Integer(), nullable=False),
+    sa.Column('user_id', sa.Integer(), nullable=False),
+    sa.Column('group_id', sa.Integer(), nullable=False),
+    sa.ForeignKeyConstraint(['group_id'], ['group.id'], ondelete='CASCADE'),
+    sa.ForeignKeyConstraint(['org_id'], ['organisation.id'], ondelete='CASCADE'),
+    sa.ForeignKeyConstraint(['user_id'], ['user.id'], ondelete='CASCADE'),
+    sa.PrimaryKeyConstraint('org_id', 'user_id', 'group_id')
+    )
+    op.add_column('organisation', sa.Column('root_user_id', sa.Integer(), nullable=True))
+    op.create_unique_constraint("organisation_name_key", 'organisation', ['name'])
+    op.create_foreign_key("organisation_root_user_fkey", 'organisation', 'user', ['root_user_id'], ['id'])
+    op.drop_column('orgusers', 'is_admin')
+    # ### end Alembic commands ###
+
+
+def downgrade() -> None:
+    """Downgrade schema."""
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.add_column('orgusers', sa.Column('is_admin', sa.BOOLEAN(), server_default=sa.text('false'), autoincrement=False, nullable=False))
+    op.drop_constraint("organisation_root_user_fkey", 'organisation', type_='foreignkey')
+    op.drop_constraint("organisation_name_key", 'organisation', type_='unique')
+    op.drop_column('organisation', 'root_user_id')
+    op.drop_table('user_groups')
+    op.drop_table('group_permissions')
+    op.drop_table('group')
+    op.drop_table('permission')
+    op.drop_table('service')
+    # ### end Alembic commands ###