- Home
- Skills
- Cameronapak
- Bknd Skills
- Bknd Create Role
bknd-create-role_skill
2
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill cameronapak/bknd-skills --skill bknd-create-role- SKILL.md9.5 KB
Overview
This skill helps you define and manage roles in the Bknd authorization system. It covers role properties (implicit_allow, is_default, permissions), permission assignment formats (allow/deny), role hierarchies, and common role patterns like admin, editor, viewer, and anonymous. Use it to design predictable access models and seed roles for registration or administration.
How this skill works
Roles are declared in code mode inside the auth.guard configuration. Each role can set implicit_allow (global allow unless denied), is_default (applied to unauthenticated users), and an array of permissions or permission objects with effect: allow/deny. The guard must be enabled for roles to be enforced. You assign roles at registration, user creation seeds, or by updating the user record.
When to use it
- Creating new roles or editing permissions (code mode required)
- Setting the default role for unauthenticated users
- Seeding admin or initial users with specific roles
- Modeling multi-tier access (admin, editor, contributor, anonymous)
- Restricting public access in closed systems
Best practices
- Always enable guard: auth.guard.enabled must be true for roles to work
- Use implicit_allow: false for all non-admin roles to avoid accidental grants
- Set only one is_default role to avoid unpredictable behavior
- Define roles before referencing them in default_role_register or seeding
- Limit raw database permissions (data.raw.*) to fully trusted roles
Example use cases
- Admin role with implicit_allow: true for full system control
- Editor role granting create/read/update but not delete
- Anonymous default role granting read-only access to public resources
- API client role that can create and read but not modify or delete
- Closed system where allow_register is false and no default role exists
FAQ
implicit_allow: true grants all permissions by default unless an explicit deny is present. Use it only for full-admin roles.
How do I give a user a role at signup?
Set auth.default_role_register to the role name to auto-assign it on registration, or create users in a seed script with the role field.
Why are my role permissions not enforced?
Most likely the guard is not enabled. Ensure auth.enabled and auth.guard.enabled are both true.