Before you start
This catalog is integration guidance. Backend enforcement is the source of truth for the final permission decision.
Workspace permission groups
| Group | Example permissions | Surface |
|---|---|---|
| Workspace | View and manage projects | Console |
| Authentication | Manage login methods and hosted branding | Console |
| Directory | View, import, block, or unblock users | Console |
| Sessions | View or revoke sessions | Console and runtime admin |
| Analytics | View or export analytics | Console |
| Webhooks | View, manage, and rotate webhook endpoints | Console |
| Audit | View or export audit logs | Console |
| Billing | View or manage billing artifacts | Console |
| Applications | View and manage OAuth/OIDC clients | Console |
| Security | View and manage security posture | Console |
Project runtime permissions
Project roles should describe what a Project Member can do inside your product. Keep built-in viewer available so invite, public join, and register flows always have a safe default.
Implementation steps
- Decide whether the user is operating the console or the runtime product.
- Read the correct authorization surface.
- Hide actions that are not allowed.
- Still handle
403from APIs because permissions can change after render. - Audit role and permission changes.
Troubleshooting
When a user reports missing access, capture Workspace ID, Project ID, environment, membership type, current role, requested action, and trace ID. This usually reveals whether the wrong catalog was checked.
Related docs
- Roles and Permissions:
/docs/concepts/roles-permissions - Member Lifecycle:
/docs/concepts/member-lifecycle - Error Reference:
/docs/reference/errors