RBAC — 10 roles, three layers
Cavaridge ships 10 standard roles enforced at every layer.
The 10 roles
| Role | Tier |
|---|---|
| Platform Admin | platform |
| MSP Admin | msp |
| MSP Tech | msp |
| Client Admin | client |
| Client Viewer | client |
| Prospect | prospect |
| Individual Owner | individual |
| Team Admin | individual (team mode) |
| Team Member | individual (team mode) |
| Team Viewer | individual (team mode) |
Roles are defined before any UI is built. Source: CLAUDE.md §3.
Where they’re enforced
- DB (RLS) — `auth.has_role('msp_admin')` predicate on policies
- API (middleware) — `requireRole(["msp_admin", "msp_tech"])` per route
- UI — `useRole()` hook for conditional rendering
Pitfalls
- Don’t role-check at one layer only — RLS + middleware + UI all enforce.
- Don’t invent ad-hoc roles in app code — the 10 are the contract.
Cross-references
- UTM — the tenancy structure roles operate within