
Permissions

ScaiEcho defines four module-permission keys, mapped onto ScaiGrid's RBAC system. Every endpoint enforces one of them. Biometric capture (speaker enrollment) is deliberately gated separately from generic transcribe access.

Permission keys

| Key | What it grants |
| --- | --- |
| scaiecho:transcribe | Call batch and streaming STT endpoints, poll async jobs, open WebSocket and WebRTC sessions. |
| scaiecho:diarize | Request speaker-attributed transcripts. Checked at WS open / WebRTC session create when diarize=true. |
| scaiecho:enroll | List, read, enroll, update, delete speaker profiles. Biometric data — requires explicit consent capture. |
| scaiecho:admin | Read and update tenant backend policy (allowed backends, default backend). |

Default role mapping

Built-in roles auto-grant these via ScaiGrid's catch-all in CurrentUser.has_module_permission:

| Role | Auto-grants |
| --- | --- |
| super_admin | All of the above. |
| partner_admin | All of the above for tenants under the partner. |
| tenant_admin | All of the above for the tenant. |
| tenant_user | None by default — explicit opt-in. |
| tenant_viewer | scaiecho:transcribe only. |

tenant_user gets nothing automatically because transcription affects accounting and enrollment is biometric. Both call for explicit opt-in via a custom role.

Granting selectively

A typical custom role for engineers who run pipelines:

```bash
curl -X POST "$SCAIGRID_HOST/v1/iam/custom-roles" \
  -H "Authorization: Bearer $SCAIGRID_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Transcription users",
    "module_permissions": ["scaiecho:transcribe", "scaiecho:diarize"]
  }'
```

A separate "Speaker custodians" role with scaiecho:enroll is usually held by very few people — they're the ones legally responsible for the consent records.
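The default mapping and the custom role above can be modelled offline to check what a given user would be allowed to do before a role is rolled out. This is an added example, not ScaiGrid code: the function names are hypothetical, and it assumes that custom-role grants add to the built-in defaults and that a session opened with diarize=true needs both scaiecho:transcribe and scaiecho:diarize.

```python
# Illustrative model of the permission rules on this page; not ScaiGrid code.
ALL_KEYS = frozenset({
    "scaiecho:transcribe", "scaiecho:diarize",
    "scaiecho:enroll", "scaiecho:admin",
})

# Built-in role defaults, copied from the "Default role mapping" table.
# Tenant/partner scoping of the admin roles is not modelled here.
ROLE_DEFAULTS = {
    "super_admin": ALL_KEYS,
    "partner_admin": ALL_KEYS,
    "tenant_admin": ALL_KEYS,
    "tenant_user": frozenset(),
    "tenant_viewer": frozenset({"scaiecho:transcribe"}),
}

def effective_permissions(builtin_role, custom_roles=()):
    """Union of built-in defaults and custom-role grants (assumed additive).

    custom_roles: dicts shaped like the custom-roles request body above.
    Unknown scaiecho keys are rejected so a typo cannot pass unnoticed.
    """
    perms = set(ROLE_DEFAULTS[builtin_role])
    for role in custom_roles:
        granted = set(role["module_permissions"])
        unknown = {k for k in granted if k.startswith("scaiecho:")} - ALL_KEYS
        if unknown:
            raise ValueError(f"{role['name']}: unknown keys {sorted(unknown)}")
        perms |= granted
    return perms

def missing_for_session(perms, diarize=False):
    """Keys still needed to open a WS/WebRTC session (empty set = allowed)."""
    required = {"scaiecho:transcribe"}
    if diarize:
        required.add("scaiecho:diarize")  # extra check when diarize=true
    return required - set(perms)

# Constructed sample: the custom role from the curl call above.
TRANSCRIPTION_USERS = {
    "name": "Transcription users",
    "module_permissions": ["scaiecho:transcribe", "scaiecho:diarize"],
}
```

A tenant_user holding only "Transcription users" can open diarized sessions but still has no scaiecho:enroll, which is the separation the custodian role relies on.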

Audit

Every permission-gated call is logged with actor_user_id, action, resource_id. ScaiGrid's audit log query supports filtering by module = "scaiecho". Speaker deletions additionally write an immutable ErasureAudit row that survives the speaker tombstone.

Updated 2026-05-18 15:01:27 (rev 12)