What are Scope Overrides?

Scope overrides let you modify inherited behavior at child scopes without changing the parent. You can enable or disable roles, permissions, or specific role-permission combinations at any level in your hierarchy.

Override Types

Bedrock supports three types of overrides:
Type                       What it controls                                  Use case
Role Override              Enable/disable an entire role                     "Disable Admin role in production"
Permission Override        Enable/disable a specific permission              "Disable delete permission in archives"
Role-Permission Override   Enable/disable a permission for a specific role   "Editors can't delete in production"

Role Overrides

Disable or re-enable an entire role at a child scope:
# Disable Admin role in production
curl -X POST 'https://api.example.com/scope-overrides/roles' \
  -H 'Content-Type: application/json' \
  -d '{
    "childScopeId": "scope_production",
    "roleId": "role_admin",
    "state": "disabled"
  }'
When a role is disabled:
  • All permissions from that role are unavailable in the child scope
  • Role assignments still exist but grant nothing in that scope
  • Child scopes inherit the disabled state until a deeper scope explicitly re-enables the role

Re-enable at Deeper Level

# Re-enable Admin for a specific service (a child of Production)
curl -X POST 'https://api.example.com/scope-overrides/roles' \
  -H 'Content-Type: application/json' \
  -d '{
    "childScopeId": "scope_critical_service",
    "roleId": "role_admin",
    "state": "enabled"
  }'

Permission Overrides

Disable or re-enable a specific permission at a child scope:
# Disable delete permission in archived projects
curl -X POST 'https://api.example.com/scope-overrides/permissions' \
  -H 'Content-Type: application/json' \
  -d '{
    "childScopeId": "scope_archived",
    "permissionId": "perm_delete",
    "state": "disabled"
  }'
When a permission is disabled:
  • No role can grant that permission in the child scope
  • Affects every role that includes this permission
  • Child scopes inherit the disabled state until a deeper scope explicitly re-enables the permission

Role-Permission Overrides

The most granular override: disable (or re-enable) a permission for one role only, leaving the same permission intact for every other role:
# Editors can't delete in production (but Admins still can)
curl -X POST 'https://api.example.com/scope-overrides/role-permissions' \
  -H 'Content-Type: application/json' \
  -d '{
    "childScopeId": "scope_production",
    "roleId": "role_editor",
    "permissionId": "perm_delete",
    "state": "disabled"
  }'

With Conditions

Add JSON Logic conditions to role-permission overrides. An enabled override that carries a condition grants the permission only while the condition evaluates true:
# Editors can only delete during business hours
curl -X POST 'https://api.example.com/scope-overrides/role-permissions' \
  -H 'Content-Type: application/json' \
  -d '{
    "childScopeId": "scope_production",
    "roleId": "role_editor",
    "permissionId": "perm_delete",
    "state": "enabled",
    "condition": {
      "and": [
        {">=": [{"var": "context.time.hour"}, 9]},
        {"<=": [{"var": "context.time.hour"}, 17]}
      ]
    }
  }'
Both comparisons are inclusive, so this window runs from 09:00 to 17:59 in whatever timezone context.time.hour is expressed in. A condition is only as trustworthy as the context it reads: make sure context.time is populated from the service's own clock, not from a field the caller can supply, or the restriction is bypassable.

Override Inheritance

Overrides cascade down the scope hierarchy. Each scope takes the nearest override on its path up to the root; with no override on that path, it inherits the parent's state:
Organization (Admin, Editor, Viewer roles)
    ├── Development
    │   └── (all roles work normally)
    └── Production [Admin role DISABLED]
        ├── Staging
        │   └── (Admin still disabled - inherited)
        └── Critical Service [Admin role ENABLED]
            └── (Admin works here - override)

Override States

State            Meaning
enabled          Explicitly enable (overrides a parent's disable)
disabled         Explicitly disable
(no override)    Inherit from parent
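To make the cascade and the states above concrete, the following Python resolver is an added illustration, not Bedrock's own code or API. It implements the rules this page describes over the scope tree from the diagram: the nearest override on the path from a scope up to the root wins, no override on that path means inherit, a disabled role or disabled permission blocks everything beneath it, and an enabled override that carries a condition (as in the With Conditions example) grants access only while the JSON Logic expression is true. The scope_org and scope_archived ids, the role-to-permission assignments, the evaluation order between the three override kinds and the JSON Logic subset are all assumptions; check them against your deployment.

```python
"""Resolve effective access under scope overrides (added illustration, not Bedrock code).

Assumed semantics, taken from the page: the nearest override on the path from a
scope up to the root wins; no override on that path means inherit; a disabled
role or disabled permission blocks regardless of finer-grained overrides; an
"enabled" override with a condition grants access only while the JSON Logic
expression is true. Only the JSON Logic operators used on the page are supported.
"""
from __future__ import annotations

from typing import Any

# Constructed scope tree matching the page's diagram (child -> parent).
PARENT = {
    "scope_development": "scope_org",
    "scope_production": "scope_org",
    "scope_staging": "scope_production",
    "scope_critical_service": "scope_production",
}

# Constructed role definitions; the page never lists them, so these are assumptions.
ROLE_PERMISSIONS = {
    "role_admin": {"perm_read", "perm_write", "perm_delete"},
    "role_editor": {"perm_read", "perm_write", "perm_delete"},
    "role_viewer": {"perm_read"},
}

# Overrides shaped like the request bodies of the three endpoints on the page.
ROLE_OVERRIDES = [
    {"childScopeId": "scope_production", "roleId": "role_admin", "state": "disabled"},
    {"childScopeId": "scope_critical_service", "roleId": "role_admin", "state": "enabled"},
]
PERMISSION_OVERRIDES = [
    {"childScopeId": "scope_archived", "permissionId": "perm_delete", "state": "disabled"},
]
ROLE_PERMISSION_OVERRIDES = [
    {"childScopeId": "scope_production", "roleId": "role_editor", "permissionId": "perm_delete",
     "state": "enabled",
     "condition": {"and": [{">=": [{"var": "context.time.hour"}, 9]},
                           {"<=": [{"var": "context.time.hour"}, 17]}]}},
]


def json_logic(rule: Any, data: dict) -> Any:
    """Tiny JSON Logic evaluator: var, and, or, >=, <=, ==. A comparison against a
    missing variable returns False so an absent context fails closed instead of raising."""
    if not isinstance(rule, dict):
        return rule
    (op, args), = rule.items()
    if op == "var":
        cur: Any = data
        for part in (args if isinstance(args, str) else args[0]).split("."):
            cur = cur.get(part) if isinstance(cur, dict) else None
        return cur
    vals = [json_logic(a, data) for a in args]
    if op == "and":
        return all(vals)
    if op == "or":
        return any(vals)
    if op in (">=", "<=", "=="):
        a, b = vals
        if a is None or b is None:
            return False
        if op == ">=":
            return a >= b
        if op == "<=":
            return a <= b
        return a == b
    raise ValueError(f"unsupported JSON Logic operator {op!r}")


def lineage(scope: str) -> list[str]:
    """The scope itself followed by its ancestors, nearest first."""
    chain = [scope]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain


def nearest_override(overrides: list[dict], scope: str, **match: str) -> dict | None:
    """The override closest to `scope` on its lineage whose fields equal `match`, else None."""
    for s in lineage(scope):
        for o in overrides:
            if o["childScopeId"] == s and all(o.get(k) == v for k, v in match.items()):
                return o
    return None


def override_state(o: dict | None, context: dict) -> bool | None:
    """None = no override (inherit); False = disabled or condition not met; True = enabled."""
    if o is None:
        return None
    if o["state"] == "disabled":
        return False
    cond = o.get("condition")
    return True if cond is None else bool(json_logic(cond, context))


def can(role: str, perm: str, scope: str, context: dict | None = None) -> bool:
    """Does `role` effectively hold `perm` at `scope` under the given request context?"""
    context = context or {}
    if perm not in ROLE_PERMISSIONS.get(role, set()):
        return False
    # A disabled role or a disabled permission wins over any finer-grained override.
    if override_state(nearest_override(ROLE_OVERRIDES, scope, roleId=role), context) is False:
        return False
    if override_state(nearest_override(PERMISSION_OVERRIDES, scope, permissionId=perm), context) is False:
        return False
    rp = override_state(nearest_override(ROLE_PERMISSION_OVERRIDES, scope, roleId=role, permissionId=perm), context)
    return True if rp is None else rp
```

The fail-closed choice in json_logic is deliberate: a request that arrives without context.time must not satisfy a business-hours condition by accident, so a comparison on a missing variable is false rather than an exception or a pass. Staging inherits the conditional Editor override from Production unchanged, which is the cascade the diagram shows.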

Common Patterns

Production Lockdown

# Disable destructive permissions in production
curl -X POST 'https://api.example.com/scope-overrides/permissions/batch' \
  -H 'Content-Type: application/json' \
  -d '[
    {"childScopeId": "scope_production", "permissionId": "perm_delete", "state": "disabled"},
    {"childScopeId": "scope_production", "permissionId": "perm_drop_table", "state": "disabled"},
    {"childScopeId": "scope_production", "permissionId": "perm_truncate", "state": "disabled"}
  ]'

Agent Restrictions

# Agents are read-only in production
curl -X POST 'https://api.example.com/scope-overrides/role-permissions/batch' \
  -H 'Content-Type: application/json' \
  -d '[
    {"childScopeId": "scope_production", "roleId": "role_agent", "permissionId": "perm_write", "state": "disabled"},
    {"childScopeId": "scope_production", "roleId": "role_agent", "permissionId": "perm_delete", "state": "disabled"}
  ]'

Temporary Elevated Access

# Enable Admin for the maintenance window only
curl -X POST 'https://api.example.com/scope-overrides/roles' \
  -H 'Content-Type: application/json' \
  -d '{
    "childScopeId": "scope_production",
    "roleId": "role_admin",
    "state": "enabled",
    "condition": {
      "and": [
        {">=": [{"var": "context.time.hour"}, 2]},
        {"<=": [{"var": "context.time.hour"}, 4]}
      ]
    }
  }'
Two things to confirm before relying on this pattern. First, conditions are documented above only for role-permission overrides, so check that your deployment also honours a condition on a role override rather than silently ignoring it (which would leave Admin enabled around the clock). Second, the window is inclusive (02:00 to 04:59) and only as reliable as the source of context.time.hour: it must come from the service's clock in a known timezone, not from caller-supplied input.

Querying Overrides

# Get all role overrides for a scope
curl -X GET 'https://api.example.com/scope-overrides/roles?childScopeId=scope_production'

# Get all permission overrides
curl -X GET 'https://api.example.com/scope-overrides/permissions?childScopeId=scope_production'

# Get all role-permission overrides
curl -X GET 'https://api.example.com/scope-overrides/role-permissions?childScopeId=scope_production'
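The three queries above are what an audit reads. The Python below is an added example, not Bedrock tooling, that takes the JSON lists they return and reports two things a reviewer wants to see: every enabled override that cancels a disabled one on an ancestor scope (the Critical Service pattern from the inheritance diagram, legitimate there, but also exactly how a production lockdown gets silently undone), and drift between the overrides you intended to set (the Production Lockdown and Agent Restrictions patterns) and what the server actually holds. The response shape (the request-body fields plus an id, as the DELETE path implies), the field names and the scope parent map are assumptions; the responses are constructed inline.

```python
"""Audit overrides returned by the three GET endpoints (added example, not Bedrock tooling).

Assumptions: each GET returns a JSON list of override objects with the same fields as
the request bodies on this page plus an "id" (field names are a guess; adjust to the
real response), and the child -> parent map for the audited scopes is known.
"""
from __future__ import annotations

import json

# Constructed child -> parent map for the scopes being audited.
PARENT = {
    "scope_production": "scope_org",
    "scope_staging": "scope_production",
    "scope_critical_service": "scope_production",
}

# Constructed stand-ins for the bodies of the three GET responses, keyed by endpoint segment.
FETCHED = {
    "roles": json.loads("""[
      {"id": "override_101", "childScopeId": "scope_production", "roleId": "role_admin", "state": "disabled"},
      {"id": "override_102", "childScopeId": "scope_critical_service", "roleId": "role_admin", "state": "enabled"}
    ]"""),
    "permissions": json.loads("""[
      {"id": "override_201", "childScopeId": "scope_production", "permissionId": "perm_delete", "state": "disabled"},
      {"id": "override_202", "childScopeId": "scope_production", "permissionId": "perm_drop_table", "state": "disabled"},
      {"id": "override_203", "childScopeId": "scope_staging", "permissionId": "perm_delete", "state": "enabled"}
    ]"""),
    "role-permissions": json.loads("""[
      {"id": "override_301", "childScopeId": "scope_production", "roleId": "role_agent", "permissionId": "perm_write", "state": "disabled"}
    ]"""),
}

# What the Production Lockdown and Agent Restrictions patterns on the page intend to hold.
DESIRED = {
    "roles": [
        {"childScopeId": "scope_production", "roleId": "role_admin", "state": "disabled"},
    ],
    "permissions": [
        {"childScopeId": "scope_production", "permissionId": "perm_delete", "state": "disabled"},
        {"childScopeId": "scope_production", "permissionId": "perm_drop_table", "state": "disabled"},
        {"childScopeId": "scope_production", "permissionId": "perm_truncate", "state": "disabled"},
    ],
    "role-permissions": [
        {"childScopeId": "scope_production", "roleId": "role_agent", "permissionId": "perm_write", "state": "disabled"},
        {"childScopeId": "scope_production", "roleId": "role_agent", "permissionId": "perm_delete", "state": "disabled"},
    ],
}

FIELDS = ("childScopeId", "roleId", "permissionId", "state")


def fingerprint(o: dict) -> tuple:
    """Identity of an override, ignoring server-assigned fields such as id."""
    return tuple(o.get(f) for f in FIELDS)


def ancestors(scope: str) -> list[str]:
    """Ancestors of `scope`, nearest first (the scope itself excluded)."""
    chain = []
    while scope in PARENT:
        scope = PARENT[scope]
        chain.append(scope)
    return chain


def find_reenables(overrides: list[dict]) -> list[tuple[str, str]]:
    """Pairs (enabling id, disabling id) where an 'enabled' override at a deeper scope
    cancels a 'disabled' one for the same role/permission at an ancestor scope."""
    def target(o: dict) -> tuple:
        return (o.get("roleId"), o.get("permissionId"))
    disabled = {(o["childScopeId"], target(o)): o["id"] for o in overrides if o["state"] == "disabled"}
    hits = []
    for o in overrides:
        if o["state"] != "enabled":
            continue
        for anc in ancestors(o["childScopeId"]):
            parent_id = disabled.get((anc, target(o)))
            if parent_id:
                hits.append((o["id"], parent_id))
                break
    return hits


def drift(kind: str) -> tuple[list[tuple], list[tuple]]:
    """(missing, unexpected) for one override kind: desired overrides absent from the
    server, and server overrides nobody asked for."""
    have = {fingerprint(o) for o in FETCHED.get(kind, [])}
    want = {fingerprint(o) for o in DESIRED.get(kind, [])}
    return sorted(want - have, key=str), sorted(have - want, key=str)


def audit() -> dict:
    """Run every check over all three kinds; empty lists everywhere means the tree is clean."""
    report = {}
    for kind in ("roles", "permissions", "role-permissions"):
        missing, unexpected = drift(kind)
        report[kind] = {"reenables": find_reenables(FETCHED[kind]), "missing": missing, "unexpected": unexpected}
    return report
```

Run audit() after every batch call. A non-empty reenables list under a locked-down scope, or a non-empty missing list, is a finding to act on, and the ids in the report go straight into the DELETE endpoint described below.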

Removing Overrides

# Remove an override (inherit from parent again)
curl -X DELETE 'https://api.example.com/scope-overrides/roles/override_123'

Best Practices

  • Prefer role-permission overrides over blanket role or permission disables; they remove only the combination you mean to remove.
  • Keep track of why overrides exist; they can be hard to debug later.
  • Verify that child scopes behave as expected after adding overrides, and check that no deeper scope re-enables what you just disabled.
  • Use conditional overrides for time-based or context-based restrictions.