RBAC: invite flow role picker via OrgMemberInvite.rbacRoleId (TRI-8892)

Adds a Role `<Select>` to the invite form. Dropdown options are
filtered by:

  1. The inviter's own role — strictly below their level (Owner can
     pick any of the 4; Admin can pick Developer or Member; Developer/
     Member don't see the picker because they can't invite anyway).
  2. The org's plan tier — `rbac.getAssignableRoleIds(orgId)` already
     reflects this (Free/Hobby = Owner+Admin only, Pro+ unlocks
     Developer+Member).

The picker is hidden entirely when `rbac.allRoles(orgId)` returns []
(OSS deployments with no plugin installed) — legacy invite path is
unchanged for self-hosters.

Schema: nullable `OrgMemberInvite.rbacRoleId text` column. On accept,
if it's set, `acceptInvite` calls the plugin's `setUserRole` after
the OrgMember insert (outside the Prisma transaction since the plugin
uses a separate Drizzle / postgres-js connection — same compensating
pattern as PAT-role assignment). If it's null, the runtime fallback
derives a role from the legacy `OrgMember.role` write at first
auth — no behaviour change.

Server-side validation in the action layer rejects:

  - rbacRoleId not in `getAssignableRoleIds(orgId)` (plan-tier check).
  - rbacRoleId at or above the inviter's own level (the
    canInviteAtRole ladder).

Legacy `OrgMemberInvite.role` enum (ADMIN/MEMBER) is still written
based on the chosen RBAC role — Owner/Admin → "ADMIN", Developer/
Member → "MEMBER" — so OSS auth keeps working.

Verified:
  - typecheck clean
  - 162/162 OSS e2e.full
  - 7/7 cloud enterprise e2e.full

Author: matt-aitken

.server-changes/rbac-invite-role-picker.md

@@ -0,0 +1,18 @@
+---
+area: webapp
+type: feature
+---
+
+RBAC: invite flow now lets the inviter pick the new member's role.
+The dropdown is filtered to roles the inviter is allowed to assign
+(strictly below their own level — Owner > Admin > Developer > Member)
+and gated by the org's plan tier (so Free/Hobby see Owner+Admin, Pro+
+unlocks Developer+Member). With no RBAC plugin installed the picker
+is hidden entirely and the legacy invite flow is unchanged.
+
+Schema: new nullable `OrgMemberInvite.rbacRoleId text` column. Legacy
+`role` enum stays untouched and is set to ADMIN or MEMBER based on
+the chosen RBAC role for OSS-side auth compatibility. On accept, when
+`rbacRoleId` is non-null the plugin's `setUserRole` is called after
+the OrgMember insert; otherwise the runtime fallback derives the role
+from the legacy `role` field.

apps/webapp/app/models/member.server.ts

@@ -2,6 +2,7 @@ import { type Prisma, prisma } from "~/db.server";
 import { createEnvironment } from "./organization.server";
 import { customAlphabet } from "nanoid";
 import { logger } from "~/services/logger.server";
+import { rbac, SYSTEM_ROLE_IDS } from "~/services/rbac.server";
 
 const tokenValueLength = 40;
 const tokenGenerator = customAlphabet("123456789abcdefghijkmnopqrstuvwxyz", tokenValueLength);
@@ -87,10 +88,23 @@ export async function inviteMembers({
   slug,
   emails,
   userId,
+  rbacRoleId,
 }: {
   slug: string;
   emails: string[];
   userId: string;
+  /**
+   * Optional RBAC role to attach to the invite. When set, accepted
+   * invites trigger `rbac.setUserRole(rbacRoleId)` after the OrgMember
+   * is created. Caller is responsible for verifying this role is
+   * assignable by the inviter (level + plan tier) — the action layer
+   * does that check before reaching here.
+   *
+   * Legacy `OrgMemberInvite.role` is still set for OSS compatibility.
+   * Owner/Admin RBAC ids map to the legacy `ADMIN`; anything else maps
+   * to legacy `MEMBER`.
+   */
+  rbacRoleId?: string | null;
 }) {
   const org = await prisma.organization.findFirst({
     where: { slug, members: { some: { userId } } },
@@ -100,14 +114,24 @@ export async function inviteMembers({
     throw new Error("User does not have access to this organization");
   }
 
+  // The legacy enum is the source of truth for OSS auth — keep it in
+  // sync with the chosen RBAC role so self-hosters who never install
+  // the plugin still get sensible permissions.
+  const legacyRole: "ADMIN" | "MEMBER" =
+    rbacRoleId === SYSTEM_ROLE_IDS.owner ||
+    rbacRoleId === SYSTEM_ROLE_IDS.admin
+      ? "ADMIN"
+      : "MEMBER";
+
   const invites = [...new Set(emails)].map(
     (email) =>
       ({
         email,
         token: tokenGenerator(),
         organizationId: org.id,
         inviterId: userId,
-        role: "MEMBER",
+        role: legacyRole,
+        rbacRoleId: rbacRoleId ?? null,
       } satisfies Prisma.OrgMemberInviteCreateManyInput)
   );
 
@@ -212,15 +236,33 @@ export async function acceptInvite({
       remainingInvites,
       organization: invite.organization,
       inviteRole: invite.role,
+      rbacRoleId: invite.rbacRoleId,
     };
   });
 
-  // No upfront RBAC UserRole insert — the loaded RBAC plugin (if any)
-  // is responsible for deriving the new member's role from the legacy
-  // OrgMember.role write inside the transaction above (ADMIN → Owner,
-  // MEMBER → Admin) until an Owner explicitly changes their role on
-  // the Teams page. Keeps the invite path tight and consistent with
-  // the create-org path's behaviour.
+  // If the invite carried an explicit RBAC role (the inviter picked one
+  // when sending the invite), assign it now. Outside the Prisma
+  // transaction because the RBAC plugin runs against a separate
+  // postgres-js connection. Errors are logged, not fatal: the runtime
+  // fallback derives a role from the legacy OrgMember.role write
+  // above, so the user keeps working.
+  //
+  // No rbacRoleId → legacy behaviour, fallback covers it.
+  if (result.rbacRoleId) {
+    const roleResult = await rbac.setUserRole({
+      userId: user.id,
+      organizationId: result.organization.id,
+      roleId: result.rbacRoleId,
+    });
+    if (!roleResult.ok) {
+      logger.debug("acceptInvite: skipped RBAC role assignment", {
+        organizationId: result.organization.id,
+        userId: user.id,
+        rbacRoleId: result.rbacRoleId,
+        reason: roleResult.error,
+      });
+    }
+  }
 
   return { remainingInvites: result.remainingInvites, organization: result.organization };
 }

apps/webapp/app/routes/_app.orgs.$organizationSlug.invite/route.tsx

@@ -25,13 +25,15 @@ import { Input } from "~/components/primitives/Input";
 import { InputGroup } from "~/components/primitives/InputGroup";
 import { Label } from "~/components/primitives/Label";
 import { Paragraph } from "~/components/primitives/Paragraph";
+import { Select, SelectItem } from "~/components/primitives/Select";
 import { $replica } from "~/db.server";
 import { env } from "~/env.server";
 import { useOrganization } from "~/hooks/useOrganizations";
 import { inviteMembers } from "~/models/member.server";
 import { redirectWithSuccessMessage } from "~/models/message.server";
 import { TeamPresenter } from "~/presenters/TeamPresenter.server";
 import { scheduleEmail } from "~/services/email.server";
+import { rbac, SYSTEM_ROLE_IDS } from "~/services/rbac.server";
 import { requireUserId } from "~/services/session.server";
 import { acceptInvitePath, organizationTeamPath, v3BillingPath } from "~/utils/pathBuilder";
 import { PurchaseSeatsModal } from "../_app.orgs.$organizationSlug.settings.team/route";
@@ -63,9 +65,52 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
     throw new Response("Not Found", { status: 404 });
   }
 
-  return typedjson(result);
+  // Inviter's own role drives the "below their level" filter on the
+  // dropdown. Plus assignable role IDs already encode the org's plan
+  // tier — the intersection is what we offer.
+  const [inviterRole, assignableRoleIds] = await Promise.all([
+    rbac.getUserRole({ userId, organizationId: organization.id }),
+    rbac.getAssignableRoleIds(organization.id),
+  ]);
+
+  return typedjson({ ...result, inviterRoleId: inviterRole?.id ?? null, assignableRoleIds });
+};
+
+// Sentinel for "no RBAC role attached to invite" — the runtime
+// fallback will derive a role from the legacy OrgMember.role write at
+// accept time. Used when the org has no RBAC plugin installed (the
+// dropdown is hidden) or as a defensive default.
+const NO_RBAC_ROLE = "__no_rbac_role__";
+
+// Owner > Admin > Developer > Member. An inviter can only assign a
+// role strictly below their own — Owners can pick any of the four,
+// Admins can pick Developer or Member, Developer/Member can't invite
+// at all. Custom roles are out of scope for this rule (TRI-8747's
+// follow-up will handle them).
+const ROLE_LEVEL: Record<string, number> = {
+  [SYSTEM_ROLE_IDS.owner]: 4,
+  [SYSTEM_ROLE_IDS.admin]: 3,
+  [SYSTEM_ROLE_IDS.developer]: 2,
+  [SYSTEM_ROLE_IDS.member]: 1,
 };
 
+function canInviteAtRole(
+  inviterRoleId: string | null,
+  invitedRoleId: string
+): boolean {
+  // No RBAC role on inviter (e.g. the runtime fallback couldn't derive
+  // one) → fall back to the legacy OrgMember.role check the calling
+  // code already enforces. Allow the invite to proceed; the action
+  // would have already failed earlier if the inviter wasn't allowed
+  // to invite at all.
+  if (!inviterRoleId) return true;
+  const inviter = ROLE_LEVEL[inviterRoleId];
+  const invited = ROLE_LEVEL[invitedRoleId];
+  // Custom roles aren't in the level table — refuse.
+  if (inviter === undefined || invited === undefined) return false;
+  return invited < inviter;
+}
+
 const schema = z.object({
   emails: z.preprocess((i) => {
     if (typeof i === "string") return [i];
@@ -80,6 +125,7 @@ const schema = z.object({
 
     return [""];
   }, z.string().email().array().nonempty("At least one email is required")),
+  rbacRoleId: z.string().optional(),
 });
 
 export const action: ActionFunction = async ({ request, params }) => {
@@ -94,11 +140,49 @@ export const action: ActionFunction = async ({ request, params }) => {
     return json(submission);
   }
 
+  // Resolve the RBAC role choice. NO_RBAC_ROLE / undefined / unknown
+  // role → don't pass one through; the runtime fallback handles it.
+  // Validation: the chosen role must be in the org's assignable set
+  // (which already enforces plan-tier gating + inviter's level).
+  let resolvedRbacRoleId: string | null = null;
+  const submittedRbacRoleId = submission.value.rbacRoleId;
+  if (
+    submittedRbacRoleId &&
+    submittedRbacRoleId !== NO_RBAC_ROLE
+  ) {
+    const org = await $replica.organization.findFirst({
+      where: { slug: organizationSlug },
+      select: { id: true },
+    });
+    if (!org) {
+      return json({ errors: { body: "Organization not found" } }, { status: 404 });
+    }
+    const [inviterRole, assignableRoleIds] = await Promise.all([
+      rbac.getUserRole({ userId, organizationId: org.id }),
+      rbac.getAssignableRoleIds(org.id),
+    ]);
+    const assignable = new Set(assignableRoleIds);
+    if (!assignable.has(submittedRbacRoleId)) {
+      return json(
+        { errors: { body: "You can't invite someone with this role on your current plan" } },
+        { status: 400 }
+      );
+    }
+    if (!canInviteAtRole(inviterRole?.id ?? null, submittedRbacRoleId)) {
+      return json(
+        { errors: { body: "You can only invite members at or below your own role" } },
+        { status: 403 }
+      );
+    }
+    resolvedRbacRoleId = submittedRbacRoleId;
+  }
+
   try {
     const invites = await inviteMembers({
       slug: organizationSlug,
       emails: submission.value.emails,
       userId,
+      rbacRoleId: resolvedRbacRoleId,
     });
 
     for (const invite of invites) {
@@ -128,12 +212,38 @@ export const action: ActionFunction = async ({ request, params }) => {
 };
 
 export default function Page() {
-  const { limits, canPurchaseSeats, seatPricing, extraSeats, maxSeatQuota, planSeatLimit } =
-    useTypedLoaderData<typeof loader>();
+  const {
+    limits,
+    canPurchaseSeats,
+    seatPricing,
+    extraSeats,
+    maxSeatQuota,
+    planSeatLimit,
+    roles,
+    inviterRoleId,
+    assignableRoleIds,
+  } = useTypedLoaderData<typeof loader>();
   const [total, setTotal] = useState(limits.used);
   const organization = useOrganization();
   const lastSubmission = useActionData();
 
+  // Filter the role catalogue down to what THIS inviter can actually
+  // assign — intersection of (assignable on this plan) and (strictly
+  // below inviter's level). With no plugin installed, roles is [] and
+  // we hide the whole picker.
+  const assignable = new Set(assignableRoleIds);
+  const offerable = roles.filter(
+    (r) => assignable.has(r.id) && canInviteAtRole(inviterRoleId, r.id)
+  );
+  const showRolePicker = offerable.length > 0;
+
+  // Default to Member when offered (or the lowest-tier offered role).
+  const defaultRoleId = showRolePicker
+    ? offerable.find((r) => r.id === SYSTEM_ROLE_IDS.member)?.id ??
+      offerable[offerable.length - 1].id
+    : NO_RBAC_ROLE;
+  const [selectedRoleId, setSelectedRoleId] = useState(defaultRoleId);
+
   const [form, { emails }] = useForm({
     id: "invite-members",
     // TODO: type this
@@ -232,6 +342,36 @@ export default function Page() {
                 </Fragment>
               ))}
             </InputGroup>
+            {showRolePicker ? (
+              <InputGroup>
+                <Label htmlFor="rbacRoleId">Role</Label>
+                <input type="hidden" name="rbacRoleId" value={selectedRoleId} />
+                <Select<string, (typeof offerable)[number]>
+                  defaultValue={defaultRoleId}
+                  items={offerable}
+                  variant="tertiary/medium"
+                  dropdownIcon
+                  text={(v) =>
+                    offerable.find((r) => r.id === v)?.name ?? "Pick a role"
+                  }
+                  setValue={(next) => {
+                    if (typeof next === "string") setSelectedRoleId(next);
+                  }}
+                >
+                  {(items) =>
+                    items.map((role) => (
+                      <SelectItem key={role.id} value={role.id}>
+                        {role.name}
+                      </SelectItem>
+                    ))
+                  }
+                </Select>
+                <Paragraph variant="extra-small" className="text-text-dimmed">
+                  Invitees join with this role. They can be promoted later
+                  from the Team page.
+                </Paragraph>
+              </InputGroup>
+            ) : null}
             <FormButtons
               confirmButton={
                 <Button type="submit" variant={"primary/small"} disabled={total > limits.limit}>

internal-packages/database/prisma/migrations/20260430140000_add_rbac_role_id_to_org_member_invite/migration.sql

@@ -0,0 +1,5 @@
+-- TRI-8892: optional RBAC role assignment carried on the invite. When
+-- set, the accept-invite flow calls the loaded RBAC plugin's
+-- setUserRole(rbacRoleId) after the OrgMember insert; otherwise the
+-- runtime fallback derives the role from the legacy `role` column.
+ALTER TABLE "OrgMemberInvite" ADD COLUMN IF NOT EXISTS "rbacRoleId" TEXT;

internal-packages/database/prisma/schema.prisma

@@ -265,6 +265,16 @@ model OrgMemberInvite {
   email String
   role  OrgMemberRole @default(MEMBER)
 
+  /// Optional RBAC role to assign on invite acceptance. When set, the
+  /// accept-invite flow calls the loaded RBAC plugin's setUserRole with
+  /// this id after creating the OrgMember. Null = legacy behaviour, the
+  /// runtime fallback derives the role from `role` above.
+  ///
+  /// Plain text (not an FK) — the RBAC plugin's RbacRole table lives on
+  /// a separate schema (Drizzle, not Prisma) so we can't model the FK
+  /// here. Validation happens at write time (action) and read time
+  /// (acceptInvite).
+  rbacRoleId String?
   organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade, onUpdate: Cascade)
   organizationId String