Open
Description
Summary
The default admin role doesn't have delete permission on ontologies resource, but platform_admin does. This creates a confusing situation where the admin user can't delete ontologies through the CLI without manual permission grants.
Steps to Reproduce
- Fresh `./operator.sh init`
- Login as admin: `kg login -u admin`
- Try to delete an ontology: `kg ontology delete "Test" --force`
- Get: `Permission denied: delete on ontologies`
Expected Behavior
The admin role should include delete on ontologies since admins typically manage ontology lifecycle.
Current Workaround
Manually grant the permission via SQL:
```sql
INSERT INTO kg_auth.role_permissions (role_name, resource_type, action, scope_type, granted)
VALUES ('admin', 'ontologies', 'delete', 'global', true);
```
Fix
Add this permission to the default role setup in the auth migration or seed script.
Related
- ADR-028 RBAC implementation
- Default role permissions in `schema/migrations/` or seed scripts
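Added example, not part of the original issue or the project's own migrations: an audit query listing every permission `platform_admin` holds that `admin` lacks, followed by a re-runnable form of the grant from the workaround. It assumes PostgreSQL and only the `kg_auth.role_permissions` columns shown in the workaround; no unique constraint on the table is assumed.

```sql
-- Added example. Assumes PostgreSQL and the column set from the workaround.

-- 1. Audit: granted permissions present on platform_admin but not on admin.
--    Review this list before widening the default admin role, so only the
--    intended gap (delete on ontologies) is closed.
SELECT p.resource_type, p.action, p.scope_type
FROM kg_auth.role_permissions AS p
WHERE p.role_name = 'platform_admin'
  AND p.granted
  AND NOT EXISTS (
        SELECT 1
        FROM kg_auth.role_permissions AS a
        WHERE a.role_name     = 'admin'
          AND a.resource_type = p.resource_type
          AND a.action        = p.action
          AND a.scope_type    = p.scope_type
          AND a.granted
      )
ORDER BY p.resource_type, p.action, p.scope_type;

-- 2. Re-runnable grant for a seed or migration script.
--    Inserts only when no row exists for this (role, resource, action, scope).
--    An existing row with granted = false is left untouched, since it may be
--    a deliberate deny that needs a human decision.
BEGIN;

INSERT INTO kg_auth.role_permissions
       (role_name, resource_type, action, scope_type, granted)
SELECT 'admin', 'ontologies', 'delete', 'global', true
WHERE NOT EXISTS (
        SELECT 1
        FROM kg_auth.role_permissions
        WHERE role_name     = 'admin'
          AND resource_type = 'ontologies'
          AND action        = 'delete'
          AND scope_type    = 'global'
      );

COMMIT;

-- 3. Verify: exactly one row, and its granted value, after the migration.
SELECT role_name, resource_type, action, scope_type, granted
FROM kg_auth.role_permissions
WHERE role_name     = 'admin'
  AND resource_type = 'ontologies'
  AND action        = 'delete';
```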