Reframe GAC as the granularity layer in roles and permissions docs

[dheeru0198]

Summary

• Reframes the "Two layers: RBAC and GAC" section of the Roles and permissions overview so that GAC is described as the catalog of fine-grained permissions and RBAC as how those permissions get bundled into roles. The previous framing positioned GAC as an "exceptions layer that sits on top" of RBAC, which doesn't match what's actually shipping (the permissions_grant/permissions_deny per-user, per-resource override path has no FE wiring today).
• Cleans up a worked example that referenced "no per-resource grant on the issue," which presumed that override path exists in the user-facing product.
• Removes the claim in permission-schemes.md that scheme combinations need GAC to express "negative overrides." Scheme combination is union-only.

Test plan

• Render the docs locally and read "Roles and permissions" end to end; confirm the new section flows into "What changed from earlier versions" and that the Bob example reads cleanly alongside Carol and Dave.
• Render "Permission schemes" and confirm the "How permissions combine" list still reads as a coherent set of rules.
• Verify no internal links broke.

🤖 Generated with Claude Code

Summary by CodeRabbit

• Documentation
  • Rewrote access control model documentation for improved clarity, better defining core concepts and how permission assignment works.
  • Clarified permission scheme combination behavior, explaining that multiple schemes combine additively with no negative overrides.
  • Simplified permission evaluation examples throughout.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
docs	Ready	Preview, Comment	Apr 27, 2026 4:34pm

[coderabbitai]

Warning

Rate limit exceeded

@danciaclara has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 55 minutes and 38 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b3d518f2-a570-4f70-8ace-6bccba53ceb7

📥 Commits

Reviewing files that changed from the base of the PR and between ab8a51b and 921d44e.

📒 Files selected for processing (1)

• docs/roles-and-permissions/overview.md

📝 Walkthrough

Walkthrough

Documentation in the roles and permissions section was clarified to better distinguish GAC (fine-grained permission catalog) from RBAC (role assignment mechanism). A worked example in the overview was simplified, and permission-scheme combination semantics were explicitly defined as union-only.

Changes

Cohort / File(s)	Summary
Roles and Permissions Documentation docs/roles-and-permissions/overview.md, docs/roles-and-permissions/permission-schemes.md	Reframed GAC and RBAC definitions for clarity; simplified permission evaluation example; explicitly stated permission-combination semantics as union-only with no negative override capability.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 Hops through docstrings with delight,
GAC and RBAC shine so bright,
Permissions clear as clover fields,
Union-only—no subtraction yields,
A rabbit's path now crystal right! 🌟

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title directly and specifically summarizes the main changes: reframing how GAC is presented in the roles and permissions documentation.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/fix-gac-framing-docs

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}