Calmony Sanctions Monitor docs, Features. Updated March 12, 2026

Role-Based Access Control: Admin Route Authorization

Overview

The platform enforces role-based access control (RBAC) through the src/lib/rbac.ts module. As of v0.1.148, every API route that performs a cross-user or admin-only operation is gated behind an admin role check, which satisfies SOC 2 control SOC2-04.

Roles

Role   | Description
-------|------------------------------------------------------------------------------
user   | Standard compliance team member. Can screen individuals and view own results.
admin  | Elevated privileges. Can view all users' data and trigger system-wide operations.

Enforcement Helpers (src/lib/rbac.ts)

requireRole(authCtx, role)

Asserts that the authenticated user holds the specified role. If the user does not hold that role, the helper throws a 403 Forbidden error before the handler body runs, so the handler must call it before any privileged work and let the error propagate rather than catching it.

import { requireRole } from '@/lib/rbac';
// Module path assumed: the page does not state where getAuthContext is exported from.
import { getAuthContext } from '@/lib/auth';

export async function GET(req: Request) {
  // Resolve the caller's identity first; an unauthenticated request fails here.
  const authCtx = await getAuthContext(req);
  requireRole(authCtx, 'admin'); // throws 403 if the caller is not an admin

  // ... admin-only logic
}

getAdminAuthContext(req) (added in v0.1.148)

A convenience helper that combines auth context retrieval and admin role enforcement in a single call. Use this at the top of any handler that must be restricted to admins.

import { getAdminAuthContext } from '@/lib/rbac';

export async function POST(req: Request) {
  const authCtx = await getAdminAuthContext(req); // throws 403 if not admin

  // ... admin-only logic
}

isAdmin(authCtx)

Returns a boolean indicating whether the current user holds the admin role. Useful for conditional rendering or non-throwing checks.

import { isAdmin } from '@/lib/rbac';

// Non-throwing variant: authCtx has already been obtained for the request and
// the handler chooses the response itself.
if (!isAdmin(authCtx)) {
  return Response.json({ error: 'Forbidden' }, { status: 403 });
}

Admin-Only Operations

The following operations require the admin role and are gated accordingly:

  • View all users' screening data — Listing or querying screening results across all users in the organisation.
  • Trigger system-wide rescreens — Initiating a rescreen of all monitored entities across the platform (e.g. post-OFSI list update).
  • User management — Creating, updating, or deactivating user accounts.

SOC 2 Compliance Note

This implementation directly addresses SOC 2 control SOC2-04 (Logical Access Controls — Role-Based Access). All admin-privileged API route handlers call either requireRole(authCtx, 'admin') or getAdminAuthContext() before any other work, so an unauthenticated caller is rejected when the auth context is retrieved and an authenticated non-admin caller is rejected by the role check; neither reaches the privileged logic. The control holds only as long as every handler listed under Admin-Only Operations keeps that call as its first operation, so new admin routes need the same gate.
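The following block is an added example, not the project's src/lib/rbac.ts. It implements the three helpers described under Enforcement Helpers over an assumed AuthContext shape ({ userId, role }), using a constructed getAuthContext that trusts two request headers as a stand-in for the real session lookup, and adds a checkAdminGate() probe that exercises a route handler anonymously, as a user and as an admin to verify the gating this SOC 2 note claims. The header names, HttpError class, route URL and the ungatedGET counter-example are all assumptions made for the example.

```typescript
// Added example, not the project's src/lib/rbac.ts. AuthContext shape,
// header names and HttpError are assumptions made for this example.

export type Role = 'user' | 'admin';

export interface AuthContext {
  userId: string;
  role: Role;
}

// Error carrying the HTTP status a handler should answer with.
export class HttpError extends Error {
  readonly status: number;
  constructor(status: number, message: string) {
    super(message);
    this.name = 'HttpError';
    this.status = status;
  }
}

// Constructed for this example: identity arrives in headers set by an upstream
// auth layer. A missing or malformed identity is 401 (not authenticated),
// distinct from the 403 (authenticated but not permitted) raised by requireRole.
export async function getAuthContext(req: Request): Promise<AuthContext> {
  const userId = req.headers.get('x-user-id');
  const role = req.headers.get('x-user-role');
  if (!userId) throw new HttpError(401, 'Unauthorized');
  if (role !== 'user' && role !== 'admin') throw new HttpError(401, 'Unauthorized');
  return { userId, role };
}

// Non-throwing check for conditional logic.
export function isAdmin(authCtx: AuthContext): boolean {
  return authCtx.role === 'admin';
}

// Throwing check: exact role match, no implied hierarchy between roles.
export function requireRole(authCtx: AuthContext, role: Role): void {
  if (authCtx.role !== role) throw new HttpError(403, 'Forbidden');
}

// Auth retrieval and admin enforcement in one call.
export async function getAdminAuthContext(req: Request): Promise<AuthContext> {
  const authCtx = await getAuthContext(req);
  requireRole(authCtx, 'admin');
  return authCtx;
}

function json(body: unknown, status: number): Response {
  return new Response(JSON.stringify(body), {
    status,
    headers: { 'content-type': 'application/json' },
  });
}

// Turns a thrown error into a JSON response. Unknown errors become 500 so an
// internal failure is never reported as an authorization decision.
export function toResponse(err: unknown): Response {
  if (err instanceof HttpError) return json({ error: err.message }, err.status);
  return json({ error: 'Internal Server Error' }, 500);
}

// Admin-only handler: lists screening results across all users. The result
// body is a placeholder; the real query is not shown on the page.
export async function GET(req: Request): Promise<Response> {
  try {
    const admin = await getAdminAuthContext(req);
    return json({ requestedBy: admin.userId, results: [] }, 200);
  } catch (err) {
    return toResponse(err);
  }
}

// Counter-example: a handler that forgot the gate. checkAdminGate flags it.
export async function ungatedGET(_req: Request): Promise<Response> {
  return json({ results: [] }, 200);
}

export type Handler = (req: Request) => Promise<Response>;

// Probe for the gating claim: an admin-gated handler must answer 401 to an
// anonymous caller, 403 to a user, and neither 401 nor 403 to an admin.
export async function checkAdminGate(
  handler: Handler,
  url = 'http://localhost/api/admin/screenings', // assumed route path
): Promise<{ anonymous: number; user: number; admin: number; gated: boolean }> {
  const call = async (headers: Record<string, string>) =>
    (await handler(new Request(url, { headers }))).status;
  const anonymous = await call({});
  const user = await call({ 'x-user-id': 'u-1', 'x-user-role': 'user' });
  const admin = await call({ 'x-user-id': 'a-1', 'x-user-role': 'admin' });
  const gated = anonymous === 401 && user === 403 && admin !== 401 && admin !== 403;
  return { anonymous, user, admin, gated };
}
```

checkAdminGate is the kind of check worth running over every handler in the Admin-Only Operations list in CI: it catches a route that returns data to an anonymous or user-role caller regardless of how the gate was written. requireRole uses exact matching on purpose; if a future role is meant to inherit admin rights, that hierarchy should be made explicit in one place rather than by callers comparing strings.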