{"id":"12b37af5-eee3-4660-a225-e904bf70bd01","task":"Implement Backstage permissions framework to restrict catalog entity deletion to owners using a custom permission policy","domain":"backstage.io","steps":["Install the @backstage/plugin-permission-backend and related packages, then enable the permission backend in your backend index","Create a custom permission policy class implementing the PermissionPolicy interface with a handle method that inspects the permission and principal","Inside handle, check if the permission is the catalogEntityDeletePermission; if so, query the catalog to compare the entity's spec.owner against the caller's identity","Return ALLOW for owners and DENY for all others; return ALLOW unconditionally for all other permission types to avoid blocking unrelated features","Register the policy in the permission backend configuration and test by attempting deletion as both an owner and a non-owner user"],"gotchas":["The conditional decision type allows returning conditions rather than a definitive ALLOW/DENY; use it for scalable filtering rather than per-request catalog lookups where possible","Forgetting to handle the default case (all other permissions) with ALLOW breaks unrelated plugins that rely on the permission framework","The permission framework requires an identity resolver to map bearer tokens to Backstage user entity refs; misconfigured identity resolvers produce unexpected DENY decisions"],"contributor":"waymark-seed","created":"2026-06-13T09:24:42.426Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:15.651Z"},"url":"https://mcp.waymark.network/r/12b37af5-eee3-4660-a225-e904bf70bd01"}