Scope Permission Designer Skill

Overview

This skill designs and implements OAuth scopes and permission models for APIs, enabling fine-grained access control that maps to business requirements.

Capabilities

• Design scope hierarchies and inheritance
• Implement permission validation in SDK/API
• Generate comprehensive scope documentation
• Support scope-based access control (SBAC)
• Configure scope consent flows
• Implement resource-level permissions
• Design scope grouping and bundles
• Generate scope matrices for documentation

Target Processes

• Authentication and Authorization Patterns
• Developer Portal Implementation
• API Design Specification

Integration Points

• OAuth authorization servers
• Policy engines (OPA, Cedar)
• RBAC/ABAC systems
• API gateway authorization
• Consent management UIs

Input Requirements

• Business requirements for access control
• Resource and action mapping
• Scope naming conventions
• Hierarchy requirements
• Consent flow needs

Output Artifacts

• Scope taxonomy documentation
• Permission validation middleware
• Scope documentation for developers
• Consent UI components
• Scope matrices and mappings
• Admin permission management API

Usage Example

skill:
  name: scope-permission-designer
  context:
    scopeFormat: "resource:action"
    hierarchy:
      admin: ["read", "write", "delete"]
      write: ["read"]
    scopes:
      - users:read
      - users:write
      - users:delete
      - projects:read
      - projects:write
    bundles:
      - name: basic
        scopes: ["users:read", "projects:read"]
      - name: full
        scopes: ["users:*", "projects:*"]

Best Practices

1. Use consistent naming conventions
2. Design scopes around resources and actions
3. Implement scope hierarchies to reduce complexity
4. Document all scopes clearly
5. Provide sensible default scope bundles
6. Support both fine-grained and coarse permissions