v1.3.2 — Role Library & Pre-Approved Role Assignment
Role Library
- Create and reuse roles across resources. Define each access role once in the library — role name, assumption type (Browser Session / Federated Direct / Federated Chained), target External ID, intermediate role ARN for chained assumption, and session naming — then attach it to any Organization or Account.
- Pre-approved roles for Accounts and Organizations. When adding or editing a resource, pick from the list of roles already in your library instead of filling out the full form. Overrides remain available on the resource itself for one-off exceptions.
- Consistent role configurations tenant-wide. Every resource that references a library role shares the same trust configuration (target, External ID, intermediate role, session naming). Editing the library role changes it everywhere it is referenced: today each referencing resource must be re-applied manually to pick up the change, and automated propagation is planned for a follow-up release. Until a resource is re-applied it keeps the previously applied values.
- Library-role audit trail. Every assumption of a library-backed role is logged against its source role, so you can trace usage by role and not just by resource.
Group-Based Role Visibility (Pro & Enterprise)
- Gate role visibility by Group membership. Link a library role to one or more Groups — only members of those Groups see the role in the Assume Role modal on any resource that uses it.
- Server-enforced at assumption time. The visibility filter applies on both the client and the server, so a role that a user isn't entitled to via Group membership cannot be assumed even via direct API calls.
- "Hidden roles" hint in the Assume Role modal. When roles are filtered out for the current caller, a non-leaking banner shows the count so the user understands the distinction between "no roles configured" and "you don't have access to the configured roles." Role names and identities are never disclosed.
Security Hardening
- Server-authoritative role resolution. Target External IDs and intermediate role ARNs are now resolved from the tenant's stored role configuration rather than trusted from client input. Drift between client and server values is logged at the SECURITY level.
- TeamMembers model lockdown. Direct create / update / delete GraphQL mutations on the TeamMembers model are disabled. All membership writes now flow through tier-checked Lambdas with sentinel-stamped audit trails.
- Tighter cross-tenant isolation on intermediate account allowlists and inline role queries. DynamoDB queries are now tenant-scoped at the service boundary rather than relying solely on post-hoc application-level filtering.
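The three hardening items above describe the same server-side pattern: look the role up under a tenant-scoped key, decide visibility from Group membership, and build the STS call from stored values only, comparing (never using) what the client sent. The following is an added illustration of that pattern, not the product's own code. The record layout, the ROLE_STORE dictionary standing in for a tenant-partitioned DynamoDB table, the SECURITY log level value and the function names are all assumptions made for the example.

```python
"""Added example (not the product's code): server-authoritative resolution of a
library-backed role.  ROLE_STORE, LibraryRole, the SECURITY level value and all
function names are hypothetical."""
import logging
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

SECURITY = 35  # assumed custom level between WARNING (30) and ERROR (40)
logging.addLevelName(SECURITY, "SECURITY")
log = logging.getLogger("assume_role")


@dataclass(frozen=True)
class LibraryRole:
    name: str
    assumption_type: str            # "browser_session" | "federated_direct" | "federated_chained"
    target_role_arn: str
    session_name: str
    external_id: Optional[str] = None
    intermediate_role_arn: Optional[str] = None
    groups: FrozenSet[str] = frozenset()   # empty: visible to every member of the tenant


# Constructed sample data.  The composite key (tenant_id, role_id) stands in for a
# partition key scoped to the tenant: a lookup cannot address another tenant's item
# even when role ids collide across tenants ("role-1" exists in both).
ROLE_STORE: Dict[Tuple[str, str], LibraryRole] = {
    ("tenant-a", "role-1"): LibraryRole(
        name="prod-admin", assumption_type="federated_chained",
        target_role_arn="arn:aws:iam::111111111111:role/ProdAdmin",
        session_name="prod-admin", external_id="ext-a-1",
        intermediate_role_arn="arn:aws:iam::222222222222:role/Hop",
        groups=frozenset({"ops"})),
    ("tenant-a", "role-2"): LibraryRole(
        name="readonly", assumption_type="federated_direct",
        target_role_arn="arn:aws:iam::111111111111:role/ReadOnly",
        session_name="readonly", external_id="ext-a-2"),
    ("tenant-b", "role-1"): LibraryRole(
        name="other-tenant", assumption_type="federated_direct",
        target_role_arn="arn:aws:iam::333333333333:role/Other",
        session_name="other", external_id="ext-b-1"),
}


class AssumeDenied(Exception):
    """One generic message for every refusal, so a caller cannot tell
    'no such role' from 'role exists but you are not in its Groups'."""


def _entitled(role: LibraryRole, caller_groups: List[str]) -> bool:
    return not role.groups or bool(role.groups & set(caller_groups))


def visible_roles(tenant_id: str, caller_groups: List[str]) -> Tuple[List[str], int]:
    """Role ids the caller may see, plus the number hidden from them.
    Only the count is returned for hidden roles; names are never disclosed."""
    shown, hidden = [], 0
    for (tid, rid), role in sorted(ROLE_STORE.items()):
        if tid != tenant_id:
            continue            # other tenants' roles are neither shown nor counted
        if _entitled(role, caller_groups):
            shown.append(rid)
        else:
            hidden += 1
    return shown, hidden


def resolve_assumption(tenant_id: str, role_id: str, caller_groups: List[str],
                       client_params: Dict[str, str]) -> Tuple[List[Dict[str, str]], List[str]]:
    """Return (assume_role_calls, drifted_fields).  Every value that would reach
    STS comes from ROLE_STORE; client_params is compared for drift, never used."""
    role = ROLE_STORE.get((tenant_id, role_id))
    if role is None or not _entitled(role, caller_groups):
        raise AssumeDenied("role not available")
    drift = []
    for field_name in ("external_id", "intermediate_role_arn"):
        supplied = client_params.get(field_name)
        if supplied is not None and supplied != getattr(role, field_name):
            drift.append(field_name)
            log.log(SECURITY, "drift tenant=%s role=%s field=%s", tenant_id, role_id, field_name)
    calls = []
    if role.assumption_type == "federated_chained":
        if not role.intermediate_role_arn:
            raise AssumeDenied("role not available")   # misconfigured chain: fail closed
        calls.append({"RoleArn": role.intermediate_role_arn, "RoleSessionName": role.session_name})
    final = {"RoleArn": role.target_role_arn, "RoleSessionName": role.session_name}
    if role.external_id:
        final["ExternalId"] = role.external_id
    calls.append(final)
    return calls, drift


if __name__ == "__main__":
    logging.basicConfig(level=SECURITY)
    print(visible_roles("tenant-a", ["dev"]))
    print(resolve_assumption("tenant-a", "role-1", ["ops"], {"external_id": "forged"}))
```

The two checks worth noting: the refusal path raises the same exception whether the role is in another tenant, absent, or Group-gated, so the API does not confirm that a role exists; and a client-supplied External ID that differs from the stored one is logged but has no effect on the STS parameters, which is what "server-authoritative" means in practice.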