Created: 2025-12-12
Last Updated: 2026-01-26
Status: Phase 2 (Hard Deprecation) - COMPLETE
Target Removal: Q2 2026
Related Spec: PF-30 (Permissions System V2)
Overview
Thepf_user_roles table is being deprecated in favor of the new Permissions System V2, which uses:
pf_user_role_assignments- User role assignments with site scopingpf_role_permissions- Permission mappings for system and custom rolespf_custom_roles- Organization-defined custom rolespf_module_permissions- Granular permission definitions
Deprecation Timeline
Phase 1: Soft Deprecation (COMPLETE)
Duration: 2025-12-12 - 2025-12-23Phase 2: Hard Deprecation (COMPLETE)
Duration: 2025-12-23 - 2026-01-26
Completed Actions:
- ✅ Removed all
minRolechecks from code - ✅ Removed
hasMinimumRole()usage from components - ✅ All organizations have V2 enabled (mandatory)
- ✅ Removed
usePermissionsV2Enabledhook - ✅ Removed
isV2Enabled()from PermissionService - ✅ Updated documentation to reflect V2 is mandatory
Phase 3: Removal
Duration: After 180 days (Q3 2026)
Action Required:
- Final migration verification
- Archive
pf_user_rolestopf_user_roles_archive - Remove
minRolefrom all navigation item definitions - Clean up V1 compatibility code from codebase
Tables Affected
Migration Checklist
For Developers
Code Changes
- Replace
user.role === 'admin'withuseHasPermission('module.entity.admin') - Replace
hasMinimumRole(role, 'staff')withhasPermission('module.entity.view') - Add
permissionproperty to all navigation items - Update RLS policies to use
pf_has_permission()helper - Remove direct references to
pf_user_rolestable
Navigation Items
- Add
permissionproperty to module nav items - Add
permissionproperty to nav groups - Keep
minRoleas fallback (Phase 1 only) - Test navigation filtering with V2 enabled
Testing
- Update unit tests to mock V2 permission hooks
- Add RLS tests for permission-based policies
- Test navigation visibility for different roles
- Verify custom roles work correctly
For Org Admins
- Enable V2 in Organization Settings → Security → Permissions
- Verify all users can access expected features
- Create custom roles if specialized access needed
- Assign permissions to custom roles
- Review audit logs for permission denials
Rollback Procedure
Quick Rollback (Disable V2) - NO LONGER SUPPORTED
Note: V2 is now mandatory. Rollback to V1 is not supported. Thepermissions_v2_enabled column exists for historical purposes only and is not checked by the application code.
If critical issues arise, contact the Platform Foundation team for assistance.
Full Rollback (Admin Only)
If critical issues require complete rollback:- Delete all
pf_user_role_assignmentsrecords tagged with_migrated_from_v1 - Delete all system role permission mappings from
pf_role_permissions - NOT delete records from the original
pf_user_rolestable (preserved for safety)
Re-Migrate After Rollback
If you need to re-migrate after a rollback:Compatibility Matrix
Code Examples
Before (V1)
After (V2)
Monitoring
Key Metrics to Track
During the deprecation period, monitor:- Permission check latency - V2 should be <50ms
- V1 fallback rate - Should decrease over time
- Permission denial rate - Watch for unexpected increases
- Custom role adoption - Measure V2 feature usage
Telemetry Events
The PermissionService logs the following events:Contact
For questions about this deprecation:- Spec Owner: Platform Foundation Team
- Documentation: See
specs/pf/permissions-v2-migration.md - Rollout Guide: See
specs/pf/permissions-v2-rollout.md