
Persona Permission Bundles


Category: Modules | Last Updated: Apr 2, 2026 | Tags: modules, compliance

Overview

Onboarding twelve new analysts to a joint task force means provisioning twelve user accounts with the right roles, permissions, and feature access, correctly, consistently, and quickly. Doing it manually for each account introduces configuration drift: one analyst gets the evidence review permission, another does not, and the discrepancy is only discovered when something fails at a critical moment. Persona Permission Bundles solve this by packaging the complete access profile for a job function into a single selection. Assign the Intelligence Analyst persona and every required role, permission, and feature flag domain is applied in one action.

The module provides one-click user provisioning through predefined bundles validated for common operational roles. It ships with seven default personas and supports custom persona creation for organisation-specific requirements.

Key Features

  • Default Persona Library: Seven built-in personas cover the most common operational roles: Intelligence Analyst, Case Manager, Evidence Reviewer, Platform Administrator, Viewer, Field Responder, and Surveillance Operator. Each includes a curated set of roles, granular permissions, and feature flag domains validated for that job function.

  • Custom Persona Creation: Administrators create organisation-specific personas with custom combinations of roles, permissions, and feature flag domains. Custom personas are scoped to the creating tenant and do not affect other organisations. Only platform administrators can modify default personas.

  • Apply Modes: When applying a persona, administrators choose between replace mode and union mode. Replace completely overwrites the user's current configuration with the persona's profile. Union merges the persona's roles and permissions with the user's existing access, useful for granting additional capabilities without removing current access.

  • Feature Flag Domain Provisioning: Personas include feature flag domains applied automatically through the feature flag service when the persona is activated. Users gain access to the correct platform capabilities without separate feature flag configuration.

  • Privilege Escalation Guards: Non-platform administrators are blocked from applying personas that contain privileged roles such as superuser, knogin_admin, si_admin, or internal_service, or the admin:full-access permission. Cross-tenant persona application is restricted to platform administrators only.

  • Audit Trail: Every persona application generates an audit log entry recording who applied the persona, which user received it, which persona was used, and the apply mode selected.
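The apply modes, privilege escalation guards and audit entry described above, modelled as an added Python illustration rather than the module's own code; the class names, the tenant field on the user and the audit dictionary layout are assumptions, while the privileged role and permission names are the ones listed on this page.

```python
from dataclasses import dataclass, field

# Privileged roles/permission named on the page: only platform admins may apply them.
PRIVILEGED_ROLES = {"superuser", "knogin_admin", "si_admin", "internal_service"}
PRIVILEGED_PERMISSIONS = {"admin:full-access"}

@dataclass(frozen=True)
class Persona:  # assumed shape of a persona bundle
    name: str
    roles: frozenset
    permissions: frozenset
    feature_domains: frozenset

@dataclass
class User:  # assumed shape of a user account; tenant and flag are assumptions
    user_id: str
    tenant: str
    is_platform_admin: bool = False
    roles: set = field(default_factory=set)
    permissions: set = field(default_factory=set)
    feature_domains: set = field(default_factory=set)

class PersonaApplyDenied(PermissionError):
    """A privilege escalation guard blocked the persona application."""

def check_guards(caller: User, persona: Persona, target: User) -> None:
    if caller.is_platform_admin:
        return  # platform admins may apply any persona to any tenant
    if persona.roles & PRIVILEGED_ROLES or persona.permissions & PRIVILEGED_PERMISSIONS:
        raise PersonaApplyDenied(f"{persona.name} carries privileged access")
    if caller.tenant != target.tenant:
        raise PersonaApplyDenied("cross-tenant application needs a platform admin")

def apply_persona(caller: User, persona: Persona, target: User,
                  mode: str, audit_log: list) -> User:
    check_guards(caller, persona, target)
    if mode == "replace":  # overwrite the whole access profile
        target.roles = set(persona.roles)
        target.permissions = set(persona.permissions)
        target.feature_domains = set(persona.feature_domains)
    elif mode == "union":  # merge, keeping the user's existing access
        target.roles |= persona.roles
        target.permissions |= persona.permissions
        target.feature_domains |= persona.feature_domains
    else:
        raise ValueError(f"unknown apply mode: {mode}")
    # Audit entry: who applied it, who received it, which persona, which mode.
    audit_log.append({"actor": caller.user_id, "subject": target.user_id,
                      "persona": persona.name, "mode": mode})
    return target
```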

Use Cases

  • New Employee Onboarding: Apply the appropriate persona to a new user account in a single action, granting the complete set of roles, permissions, and feature access for their job function without manual configuration.
  • Role Transitions: When a user changes job functions, apply the new persona in replace mode to cleanly transition their access profile from one role to another.
  • Temporary Capability Grants: Use union mode to temporarily add capabilities from a specialist persona such as Evidence Reviewer to a user who normally operates under a different profile.
  • Standardised Access Profiles: Ensure all users performing the same function have identical access configurations by provisioning through a shared persona rather than individual manual setup.

Integration

The Persona module integrates with the RBAC system for role and permission assignment, the feature flag service for domain-level feature provisioning, and the audit logging pipeline for compliance tracking. Persona management is available through the admin user interface and through the REST API for automated provisioning workflows.

Open Standards

  • Role-Based Access Control (RBAC): The module is built directly on an RBAC catalogue; every persona packages a curated set of named roles and fine-grained permissions that are applied atomically to a user account, following the flat and hierarchical RBAC model as described in NIST RBAC literature.
  • SCIM 2.0 (RFC 7643 / RFC 7644): The platform's identity provisioning integration implements System for Cross-domain Identity Management 2.0 schemas and REST endpoints, allowing persona-driven user provisioning to interoperate with SCIM-compliant directories and identity providers.
  • OAuth 2.0 (RFC 6749) with JSON Web Tokens (RFC 7519): All persona management and application endpoints are protected via Bearer token authorisation; the JWT payload carries the caller's roles and organisation context used to enforce privilege escalation guards.
  • OpenAPI 3.x (OAS 3): The persona REST endpoints are served through a FastAPI application that exposes a machine-readable OpenAPI 3 schema, enabling automated provisioning tooling to discover and call the API without hand-written documentation.
  • GraphQL (June 2018 specification): The admin portal consumes persona and user data through a Strawberry-backed GraphQL API, keeping persona application accessible via the same typed query interface used by the broader admin dashboard.
  • OWASP Application Security Verification Standard (ASVS) v4: Audit trail entries produced on every persona application satisfy ASVS V16 tamper-evident logging controls; re-authentication requirements for sensitive operations align with ASVS V3.5.1.
  • NIST SP 800-63B (Digital Identity Guidelines): Credential and privilege rules applied through personas follow NIST SP 800-63B guidance; the explicit block on non-platform-admins assigning superuser roles implements least-privilege principles from that framework.

Last Reviewed: 2026-04-02 Last Updated: 2026-04-14
