Scope. Switch policies from Account.admin_id checks to the permission intersection check, ship the role-change endpoint, and add the data-integrity invariants.
Acceptance criteria
Central authorization helper body switched from Account.admin_id check to required_perm ∈ implied(scopes) ∩ permissions(role).
Finance policies (transactions, payouts, wallets, disputes) switched to permission check.
PATCH /v1/organizations/{id}/members/{user_id} shipped, gated by members:set_role. Body accepts admin and member; owner rejected.
Owner-non-removable invariant shipped.
Admin-capability invariant shipped (zero users in role ∈ {owner, admin} is rejected).
Members API response includes role field; is_admin becomes a derived alias for role ∈ {owner, admin}.
PayoutAccount.admin_id policy untouched.
Pre-deploy verification (gating the deploy): every Account.admin_id user has the owner role; exactly one owner per org; every org has admin capability.
References. RFC §Phase 3, parent #6646. Depends on #11399.
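The acceptance criteria above, carried through in working Python as an added illustration (this is not code from the project or from the issue author): the permission-intersection helper, the checks the role-change endpoint must enforce, and the two data-integrity invariants. The scope and role tables, the `finance:*`/`org:manage` scopes, the `members:remove` permission and the `Org` class are assumptions standing in for the project's real mappings.

```python
# Hypothetical scope/role tables; the project's real mappings are not on the page.
ROLE_PERMS = {
    "owner": {"members:set_role", "members:remove", "payouts:write", "transactions:read"},
    "admin": {"members:set_role", "members:remove", "payouts:write", "transactions:read"},
    "member": {"transactions:read"},
}
SCOPE_IMPLIES = {
    "finance:read": {"transactions:read"},
    "finance:write": {"transactions:read", "payouts:write"},
    "org:manage": {"members:set_role", "members:remove"},
}
ADMIN_ROLES = {"owner", "admin"}


def authorized(required_perm, scopes, role):
    """Central helper: required_perm in implied(scopes) & permissions(role)."""
    implied = set().union(*(SCOPE_IMPLIES.get(s, set()) for s in scopes))
    # A token scope alone is not enough; the role must also grant the permission.
    return required_perm in (implied & ROLE_PERMS.get(role, set()))


class Org:
    def __init__(self, members):
        self.members = dict(members)  # {user_id: role}

    def is_admin(self, user_id):  # derived alias for role in {owner, admin}
        return self.members.get(user_id) in ADMIN_ROLES

    def _commit(self, trial):
        # Admin-capability invariant: a state with no owner/admin is rejected.
        if not any(r in ADMIN_ROLES for r in trial.values()):
            raise ValueError("org would have no owner or admin")
        self.members = trial

    def set_role(self, actor, scopes, user_id, new_role):
        # PATCH /v1/organizations/{id}/members/{user_id}, gated by members:set_role
        if not authorized("members:set_role", scopes, self.members.get(actor)):
            raise PermissionError("members:set_role denied")
        if new_role not in ("admin", "member"):  # owner is not assignable here
            raise ValueError("role must be admin or member")
        if self.members.get(user_id) == "owner":  # owner-non-removable invariant
            raise ValueError("owner role cannot be changed")
        self._commit({**self.members, user_id: new_role})

    def remove(self, actor, scopes, user_id):
        if not authorized("members:remove", scopes, self.members.get(actor)):
            raise PermissionError("members:remove denied")
        if self.members.get(user_id) == "owner":  # owner-non-removable invariant
            raise ValueError("owner cannot be removed")
        self._commit({k: v for k, v in self.members.items() if k != user_id})
```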
Account.admin_idcheck torequired_perm ∈ implied(scopes) ∩ permissions(role).PATCH /v1/organizations/{id}/members/{user_id}shipped, gated bymembers:set_role. Body acceptsadminandmember;ownerrejected.role ∈ {owner, admin}is rejected).rolefield;is_adminbecomes a derived alias forrole ∈ {owner, admin}.PayoutAccount.admin_idpolicy untouched.Account.admin_iduser has theownerrole; exactly one owner per org; every org has admin capability.References. RFC §Phase 3, parent #6646. Depends on #11399.