Authorization
NMP authorization controls what authenticated users can do. Every API request is evaluated against the user’s token scopes and role bindings before it is allowed.
The authorization model has four building blocks:
Workspaces — the authorization boundary. All resources belong to a workspace.
Roles — permission bundles (Viewer, Editor, Admin) granted per workspace.
Role bindings — the link between a user, a role, and a workspace.
Scopes — token-level restrictions that limit what the token can do, independent of the user’s role.
Request → PDP → Scope check → Role binding check → Allow / Deny
For a request to succeed, both the scope check (does the token allow it?) and the role check (does the user have permission?) must pass.
For the full conceptual background, see Authorization Concepts. For the security architecture, see Security Model.
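The two-layer decision described above, sketched as an added example (not NMP's policy code; the real engine is OPA / WASM). The permission names, the contents of each role, the exact-match scope format, and the sample users and workspaces are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical permission names and role contents, for illustration only.
ROLE_PERMISSIONS = {
    "Viewer": {"models.read"},
    "Editor": {"models.read", "models.write"},
    "Admin": {"models.read", "models.write", "members.manage"},
}

@dataclass(frozen=True)
class Token:
    user: str
    scopes: frozenset  # what the token may do, independent of the user's role

@dataclass(frozen=True)
class RoleBinding:
    user: str
    role: str
    workspace: str

def decide(token, bindings, workspace, permission):
    """Return (allowed, reason). Deny by default; both layers must pass."""
    # Layer 1, scope check: does the token allow it?
    if permission not in token.scopes:
        return False, "scope"
    # Layer 2, role binding check: does the user hold a role in THIS
    # workspace that grants the permission? Bindings never cross workspaces.
    for b in bindings:
        if (b.user == token.user and b.workspace == workspace
                and permission in ROLE_PERMISSIONS.get(b.role, set())):
            return True, "ok"
    return False, "role"

# Constructed sample data.
BINDINGS = [
    RoleBinding("alice", "Admin", "ws-a"),
    RoleBinding("alice", "Viewer", "ws-b"),
]
READ_ONLY = Token("alice", frozenset({"models.read"}))
FULL = Token("alice", frozenset({"models.read", "models.write", "members.manage"}))

if __name__ == "__main__":
    cases = [(READ_ONLY, "ws-a", "models.write"), (FULL, "ws-a", "models.write"),
             (FULL, "ws-b", "models.write"), (FULL, "ws-c", "models.read")]
    for tok, ws, perm in cases:
        print(ws, perm, decide(tok, BINDINGS, ws, perm))
```

The first case is the one worth noting: an Admin presenting a read-only token is denied at the scope layer, so a leaked narrow token cannot exercise the user's full role.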
Key Pages
Complete permission matrix — what each role can do.
Add users to workspaces, assign roles, manage members.
Token-level scope model and two-layer authorization.
Complete list of all permissions with role assignments.
OPA / WASM policy engine internals and configuration.