home / skills / a5c-ai / babysitter / scope-permission-designer

scope-permission-designer skill

safe

/plugins/babysitter/skills/babysit/process/specializations/sdk-platform-development/skills/scope-permission-designer

This skill designs and implements OAuth scope models and permission strategies to enforce fine-grained API access aligned with business needs.

npx playbooks add skill a5c-ai/babysitter --skill scope-permission-designer

Review the files below or copy the command above to add this skill to your agents.

Files (2)

SKILL.md

2.1 KB

---
name: scope-permission-designer
description: Design and implement scoped permission models
allowed-tools:
  - Read
  - Write
  - Edit
  - Glob
  - Grep
  - Bash
---

# Scope Permission Designer Skill

## Overview

This skill designs and implements OAuth scopes and permission models for APIs, enabling fine-grained access control that maps to business requirements.

## Capabilities

- Design scope hierarchies and inheritance
- Implement permission validation in SDK/API
- Generate comprehensive scope documentation
- Support scope-based access control (SBAC)
- Configure scope consent flows
- Implement resource-level permissions
- Design scope grouping and bundles
- Generate scope matrices for documentation

## Target Processes

- Authentication and Authorization Patterns
- Developer Portal Implementation
- API Design Specification

## Integration Points

- OAuth authorization servers
- Policy engines (OPA, Cedar)
- RBAC/ABAC systems
- API gateway authorization
- Consent management UIs

## Input Requirements

- Business requirements for access control
- Resource and action mapping
- Scope naming conventions
- Hierarchy requirements
- Consent flow needs

## Output Artifacts

- Scope taxonomy documentation
- Permission validation middleware
- Scope documentation for developers
- Consent UI components
- Scope matrices and mappings
- Admin permission management API

## Usage Example

```yaml
skill:
  name: scope-permission-designer
  context:
    scopeFormat: "resource:action"
    hierarchy:
      admin: ["read", "write", "delete"]
      write: ["read"]
    scopes:
      - users:read
      - users:write
      - users:delete
      - projects:read
      - projects:write
    bundles:
      - name: basic
        scopes: ["users:read", "projects:read"]
      - name: full
        scopes: ["users:*", "projects:*"]
```

## Best Practices

1. Use consistent naming conventions
2. Design scopes around resources and actions
3. Implement scope hierarchies to reduce complexity
4. Document all scopes clearly
5. Provide sensible default scope bundles
6. Support both fine-grained and coarse permissions

Overview

This skill designs and implements OAuth scopes and permission models to enable fine-grained, business-aligned access control. It produces scope taxonomies, validation middleware, consent components, and admin APIs to operationalize scope-based access control. The approach maps resources and actions into reusable scope bundles and hierarchical permissions.

How this skill works

The skill inspects business requirements, resource-action mappings, and naming conventions to generate a scope taxonomy and hierarchy. It emits artifacts: scope documentation, validation middleware for SDKs/APIs, consent flow components, and admin management endpoints. Integration patterns include OAuth servers, policy engines, API gateways, and RBAC/ABAC systems for enforcement.

When to use it

Defining access control for new APIs or microservices
Reworking broad role-based permissions into fine-grained scopes
Implementing consent flows for third-party integrations
Aligning developer portal docs with runtime enforcement
Integrating policy engines or API gateways with scoped authorization

Best practices

Use consistent resource:action naming and a clear hierarchy
Design scopes to map directly to business actions and resources
Group common scopes into sensible bundles and defaults
Implement middleware that validates both scope and resource-level claims
Document scope matrices and include example consent strings
Support expansion with wildcard and inheritance rules but prefer explicit scopes

Example use cases

Create a scope taxonomy for a multi-tenant SaaS platform (users:read, users:write, projects:read)
Generate permission validation middleware for an API gateway enforcing scopes per endpoint
Design consent UI that shows bundled scopes and explains resource impact
Map existing RBAC roles into scoped bundles for third-party OAuth grants
Produce scope matrices for developer documentation and security reviews

FAQ

How do scopes relate to roles?

Scopes represent fine-grained permissions tied to resources and actions; roles are collections of scopes or policies. Use roles for admin UX and scopes for runtime authorization.

When should I use wildcards in scopes?

Use wildcards sparingly for coarse access bundles or admin-level scopes. Prefer explicit scopes for sensitive operations and auditability.