#[derive(Scopable)]
{
    // Attributes available to this derive:
    #[secure]
}
Derive macro for implementing ScopableEntity.
Place this on your SeaORM Model struct along with #[secure(...)] attributes.
§Attributes
All four scope dimensions must be explicitly specified:
- tenant_col = "column_name" OR no_tenant - Tenant isolation column
- resource_col = "column_name" OR no_resource - Primary resource ID column
- owner_col = "column_name" OR no_owner - Owner-based filtering column
- type_col = "column_name" OR no_type - Type-based filtering column
- unrestricted - Mark as global entity (forbids all other attributes)
- pep_prop(property_name = "column_name") - Custom PEP property mapping (repeatable)
The macro auto-generates resolve_property() from dimension columns and pep_prop entries:
- tenant_col → "owner_tenant_id"
- resource_col → "id"
- owner_col → "owner_id"
- Each pep_prop(name = "col") → "name"
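The rules above, modelled in plain Rust as an added sketch (not the macro's own code or its expansion). `Dim`, `Secure` and `property_map` are hypothetical names, and the empty map returned for `unrestricted` is an assumption; the point is the fail-closed behaviour, where a dimension that is neither mapped nor opted out is rejected rather than left unfiltered.

```rust
use std::collections::BTreeMap;

// Hypothetical model of one scope dimension inside #[secure(...)].
#[derive(Clone, Copy, PartialEq)]
pub enum Dim {
    Col(&'static str), // tenant_col = "tenant_id"
    Opt,               // no_tenant
    Missing,           // neither form was written
}

// Hypothetical model of a parsed #[secure(...)] attribute.
pub struct Secure {
    pub tenant: Dim,
    pub resource: Dim,
    pub owner: Dim,
    pub type_: Dim,
    pub unrestricted: bool,
    pub pep_props: Vec<(&'static str, &'static str)>,
}

// Applies the documented rules; on success returns property name -> column.
pub fn property_map(s: &Secure) -> Result<BTreeMap<&'static str, &'static str>, String> {
    let dims = [("tenant", s.tenant), ("resource", s.resource), ("owner", s.owner), ("type", s.type_)];
    if s.unrestricted {
        if dims.iter().any(|(_, d)| *d != Dim::Missing) || !s.pep_props.is_empty() {
            return Err("unrestricted forbids all other attributes".to_string());
        }
        return Ok(BTreeMap::new()); // assumption: a global entity maps no properties
    }
    // Fail closed: an unspecified dimension is an error, never an implicit "no filter".
    if let Some((name, _)) = dims.iter().find(|(_, d)| *d == Dim::Missing) {
        return Err(format!("specify {name}_col or no_{name}"));
    }
    let mut map = BTreeMap::new();
    // Property names the page documents; it lists none for type_col.
    for (prop, dim) in [("owner_tenant_id", s.tenant), ("id", s.resource), ("owner_id", s.owner)] {
        if let Dim::Col(col) = dim {
            map.insert(prop, col);
        }
    }
    for (prop, col) in &s.pep_props {
        map.insert(*prop, *col); // each pep_prop(name = "col") adds "name"
    }
    Ok(map)
}

fn main() {
    let s = Secure { tenant: Dim::Col("tenant_id"), resource: Dim::Col("id"), owner: Dim::Opt, type_: Dim::Opt, unrestricted: false, pep_props: vec![] };
    println!("{:?}", property_map(&s));
}
```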
§Example
#[derive(DeriveEntityModel, Scopable)]
#[sea_orm(table_name = "users")]
#[secure(
    tenant_col = "tenant_id",
    resource_col = "id",
    no_owner,
    no_type
)]
pub struct Model {
    #[sea_orm(primary_key)]
    pub id: Uuid,
    pub tenant_id: Uuid,
    pub email: String,
}
§Custom PEP Properties
Use pep_prop(...) to add custom authorization property mappings beyond the
standard dimension columns:
#[derive(DeriveEntityModel, Scopable)]
#[sea_orm(table_name = "resources")]
#[secure(
    tenant_col = "tenant_id",
    resource_col = "id",
    no_owner,
    no_type,
    pep_prop(department_id = "department_id"),
)]
pub struct Model {
    #[sea_orm(primary_key)]
    pub id: Uuid,
    pub tenant_id: Uuid,
    pub department_id: Uuid,
}
§Global Entities
For entities that are not tenant-scoped (global lookup tables, system config, etc.),
use the unrestricted flag:
#[derive(DeriveEntityModel, Scopable)]
#[sea_orm(table_name = "system_config")]
#[secure(unrestricted)]
pub struct Model {
    #[sea_orm(primary_key)]
    pub id: Uuid,
    pub key: String,
    pub value: String,
}