permission summary show access token person

[adityathebe]

Summary by CodeRabbit

• New Features
  • Permission subjects now include email and owner fields for improved visibility and tracking of access permissions.
  • Person subjects now surface email addresses where available.
  • Added support for an access-token-backed person subject type, enabling owner attribution for token-based access; other subject types will leave these fields empty when not applicable.

[github-actions]

Benchstat (RLS)

Base: 62ca69e74360839a243ebeb68794d88de45a5716
Head: 1b0ed22783ba0693dccc23c05026e5d836bc0e54

📊 4 minor regression(s) (all within 5% threshold)

Benchmark	Base	Head	Change	p-value
RLS/Sample-15000/config_names/Without_RLS-4	12.90m	13.15m	+1.95%	0.015
RLS/Sample-15000/analyzer_types/Without_RLS-4	3.739m	3.811m	+1.93%	0.002
RLS/Sample-15000/catalog_changes/With_RLS-4	128.7m	130.5m	+1.43%	0.002
RLS/Sample-15000/config_types/With_RLS-4	124.4m	125.6m	+0.93%	0.002

✅ 2 improvement(s)

Benchmark	Base	Head	Change	p-value
RLS/Sample-15000/catalog_changes/Without_RLS-4	5.483m	5.327m	-2.84%	0.002
RLS/Sample-15000/config_summary/With_RLS-4	750.5m	742.9m	-1.02%	0.002

Full benchstat output

goos: linux
goarch: amd64
pkg: github.com/flanksource/duty/bench
cpu: AMD EPYC 7763 64-Core Processor                
                                               │ bench-base.txt │          bench-head.txt           │
                                               │     sec/op     │   sec/op     vs base              │
RLS/Sample-15000/catalog_changes/Without_RLS-4      5.483m ± 3%   5.327m ± 2%  -2.84% (p=0.002 n=6)
RLS/Sample-15000/catalog_changes/With_RLS-4         128.7m ± 0%   130.5m ± 0%  +1.43% (p=0.002 n=6)
RLS/Sample-15000/config_changes/Without_RLS-4       5.267m ± 1%   5.247m ± 2%       ~ (p=0.937 n=6)
RLS/Sample-15000/config_changes/With_RLS-4          130.2m ± 1%   130.1m ± 1%       ~ (p=0.937 n=6)
RLS/Sample-15000/config_detail/Without_RLS-4        4.018m ± 4%   4.017m ± 1%       ~ (p=0.937 n=6)
RLS/Sample-15000/config_detail/With_RLS-4           123.9m ± 1%   123.9m ± 0%       ~ (p=1.000 n=6)
RLS/Sample-15000/config_names/Without_RLS-4         12.90m ± 2%   13.15m ± 1%  +1.95% (p=0.015 n=6)
RLS/Sample-15000/config_names/With_RLS-4            125.9m ± 1%   126.2m ± 1%       ~ (p=0.065 n=6)
RLS/Sample-15000/config_summary/Without_RLS-4       62.92m ± 1%   63.33m ± 2%       ~ (p=0.132 n=6)
RLS/Sample-15000/config_summary/With_RLS-4          750.5m ± 0%   742.9m ± 1%  -1.02% (p=0.002 n=6)
RLS/Sample-15000/configs/Without_RLS-4              7.389m ± 3%   7.387m ± 4%       ~ (p=0.818 n=6)
RLS/Sample-15000/configs/With_RLS-4                 125.3m ± 1%   125.3m ± 0%       ~ (p=0.818 n=6)
RLS/Sample-15000/analysis_types/Without_RLS-4       3.910m ± 1%   3.956m ± 2%       ~ (p=0.180 n=6)
RLS/Sample-15000/analysis_types/With_RLS-4          3.940m ± 1%   3.940m ± 4%       ~ (p=0.699 n=6)
RLS/Sample-15000/analyzer_types/Without_RLS-4       3.739m ± 1%   3.811m ± 2%  +1.93% (p=0.002 n=6)
RLS/Sample-15000/analyzer_types/With_RLS-4          3.856m ± 3%   3.795m ± 4%       ~ (p=0.180 n=6)
RLS/Sample-15000/change_types/Without_RLS-4         5.365m ± 2%   5.390m ± 2%       ~ (p=0.699 n=6)
RLS/Sample-15000/change_types/With_RLS-4            5.616m ± 2%   5.416m ± 5%       ~ (p=0.180 n=6)
RLS/Sample-15000/config_classes/Without_RLS-4       3.317m ± 1%   3.307m ± 2%       ~ (p=0.589 n=6)
RLS/Sample-15000/config_classes/With_RLS-4          122.8m ± 1%   123.1m ± 1%       ~ (p=0.180 n=6)
RLS/Sample-15000/config_types/Without_RLS-4         3.970m ± 1%   3.980m ± 1%       ~ (p=0.310 n=6)
RLS/Sample-15000/config_types/With_RLS-4            124.4m ± 0%   125.6m ± 1%  +0.93% (p=0.002 n=6)
geomean                                             19.46m        19.46m       -0.03%

[github-actions]

Benchstat (Other)

Base: 62ca69e74360839a243ebeb68794d88de45a5716
Head: 1b0ed22783ba0693dccc23c05026e5d836bc0e54

✅ 2 improvement(s)

Benchmark	Base	Head	Change	p-value
ResourceSelectorQueryBuild/name_and_type-4	62.97µ	62.12µ	-1.35%	0.004
InsertionForRowsWithAliases/external_users.aliases-4	569.6µ	564.1µ	-0.97%	0.004

Full benchstat output

goos: linux
goarch: amd64
pkg: github.com/flanksource/duty/bench
cpu: AMD EPYC 7763 64-Core Processor                
                                                       │ bench-base.txt │           bench-head.txt           │
                                                       │     sec/op     │    sec/op     vs base              │
InsertionForRowsWithAliases/external_users.aliases-4       569.6µ ±  1%   564.1µ ±  1%  -0.97% (p=0.004 n=6)
InsertionForRowsWithAliases/config_items.external_id-4     1.081m ± 10%   1.065m ± 12%       ~ (p=1.000 n=6)
ResourceSelectorConfigs/name-4                             203.7µ ±  1%   202.6µ ±  2%       ~ (p=0.394 n=6)
ResourceSelectorConfigs/name_and_type-4                    223.3µ ±  3%   220.3µ ±  3%       ~ (p=0.485 n=6)
ResourceSelectorConfigs/tags-4                             28.94m ±  4%   28.68m ±  6%       ~ (p=0.699 n=6)
ResourceSelectorQueryBuild/name-4                          42.93µ ±  0%   43.02µ ±  2%       ~ (p=1.000 n=6)
ResourceSelectorQueryBuild/name_and_type-4                 62.97µ ±  1%   62.12µ ±  1%  -1.35% (p=0.004 n=6)
ResourceSelectorQueryBuild/tags-4                          16.76µ ±  1%   16.73µ ±  1%       ~ (p=0.729 n=6)
geomean                                                    279.0µ         276.7µ        -0.83%

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6906e603-14a6-48ee-8d8f-169a19dcb893

📥 Commits

Reviewing files that changed from the base of the PR and between 80589f8 and 1b0ed22.

📒 Files selected for processing (1)

• views/046_permission_subjects.sql

🚧 Files skipped from review as they are similar to previous changes (1)

• views/046_permission_subjects.sql

---

Walkthrough

The permission_subjects view adds email and owner columns, standardizes id/name casts to ::TEXT, populates email for person rows, and adds an access_token_person UNION branch that joins people with access_tokens and sets owner from access_tokens.created_by.

Changes

Cohort / File(s)

Summary

Permission Subjects View views/046_permission_subjects.sql

Extended view output with new email and owner columns; standardized id casting to ::TEXT (role id uses r.name::TEXT); replaced ::text string literal casts with uncast literals for type; person branch now sets email = p.email (owner = NULL); added access_token_person UNION branch joining people and access_tokens (filters: p.deleted_at IS NULL, p.type = 'access_token', p.email IS NOT NULL), emitting id = p.id::TEXT, name = access_tokens.name, email = NULL, and owner = access_tokens.created_by::TEXT; other branches set email and owner to NULL.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'permission summary show access token person' clearly describes the main change - adding access token person support to the permission summary view.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/permission-summary-token

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch feat/permission-summary-token

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

views/046_permission_subjects.sql (1)

35-37: Line 37 seems over-restrictive for this branch.

p.email IS NOT NULL filters rows, but this branch always outputs NULL AS "email" (Line 30). Consider removing the filter unless email presence is an explicit business rule for access_token_person.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@views/046_permission_subjects.sql` around lines 35 - 37, The WHERE clause
currently includes "p.email IS NOT NULL" which conflicts with the branch that
emits "NULL AS \"email\"" for access_token records (p.type = 'access_token');
remove this predicate or make it conditional so it doesn't filter out
access_token rows — e.g., replace the filter with "AND (p.type != 'access_token'
OR p.email IS NOT NULL)" or simply delete "p.email IS NOT NULL" so
access_token_person rows (NULL AS \"email\") are retained; update the WHERE that
references p.type and p.email accordingly.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@views/046_permission_subjects.sql`:
- Around line 27-34: The view is using p.id for the subject id which can collide
when a person has multiple access_tokens; change the subject id to use
access_tokens.id (e.g., replace p.id::TEXT AS id with access_tokens.id::TEXT AS
id) so each 'access_token_person' row is uniquely identified by the token's id
while keeping access_tokens.name, 'access_token_person' AS type, NULL AS
"email", and access_tokens.created_by::TEXT AS "owner" and the same INNER JOIN
between people and access_tokens intact.

---

Nitpick comments:
In `@views/046_permission_subjects.sql`:
- Around line 35-37: The WHERE clause currently includes "p.email IS NOT NULL"
which conflicts with the branch that emits "NULL AS \"email\"" for access_token
records (p.type = 'access_token'); remove this predicate or make it conditional
so it doesn't filter out access_token rows — e.g., replace the filter with "AND
(p.type != 'access_token' OR p.email IS NOT NULL)" or simply delete "p.email IS
NOT NULL" so access_token_person rows (NULL AS \"email\") are retained; update
the WHERE that references p.type and p.email accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 917800d6-f0d4-4c31-8992-e3316960eba0

📥 Commits

Reviewing files that changed from the base of the PR and between 2d2d2aa and 6a69b62.

📒 Files selected for processing (1)

• views/046_permission_subjects.sql