Skip to main content
Documentation Navigation:
This page provides comprehensive permission matrices for all predefined roles in FlowX 5.0. Use this as a reference when planning access control strategies.

​
How to use this reference

1

Identify the role level

Determine whether you need organization, workspace, or project-level access
2

Find the appropriate role

Review the role descriptions and select the one matching your requirements
3

Verify permissions

Check the detailed permission matrix to ensure it meets your needs
4

Implement access control

Assign roles according to the principle of least privilege

​
Permission legend

The permission matrices use the following symbols:
SymbolMeaning
βœ…Permission is assigned
❌Permission is not assigned
⬜Permission is not available for this context

​
Organization level permissions

​
Organization admin permission matrix

The org_admin role has the following permissions:
ResourceReadEditCreateDeleteAdminComments
Organizationβ¬œβœ…β¬œβ¬œβ¬œOrganization settings management
Workspacesβœ…βœ…βœ…βœ…βœ…Complete workspace lifecycle control
Usersβœ…βœ…βœ…βœ…β¬œOrganization user management
Groupsβœ…βœ…βœ…βœ…β¬œUser group management

Organization Admin Role Constraints

Management Rules:
  • Cannot be edited, duplicated, or deleted
  • Can only be assigned in the Organization admin space
  • Hidden from workspace role lists
  • Cannot be assigned at workspace level
  • Must be assigned to at least one user during initial setup

​
Workspace level permissions

​
Workspace admin permission matrix

The workspace_admin role has the following permissions:
ResourceReadEditCreateAdminDeleteComments
Projects & librariesβ¬œβ¬œβœ…βœ…β¬œCan create projects and has admin rights on projects/libraries in the workspace (even without being given explicit access)
Fontsβœ…βœ…βœ…β¬œβœ…Can see all Fonts available for the workspace but is not allowed to edit or add new ones
Global media libraryβœ…βœ…βœ…β¬œβœ…Can add new Global media files as well as edit/delete all Global media files available for the workspace
Themesβœ…βœ…βœ…β¬œβœ…Can add new themes as well as edit/delete all themes available for the workspace
Workspace audit logsβœ…β¬œβ¬œβ¬œβ¬œCan see and filter all audit logs for that workspace
AI modelsβœ…βœ…β¬œβ¬œβ¬œGated by wks_ai_models_read / wks_ai_models_edit. Controls workspace-level AI model assignments (defaults, fallbacks) per workspace type.

Workspace Admin Role Constraints

Management Rules:
  • Cannot be edited or deleted (predefined role)
  • Listed in workspace role management interfaces
  • Can be assigned to users/groups within the workspace
  • Can be assigned when granting access to workspace
  • Cannot manage organization-wide settings

​
Workspace user permission matrix

The workspace_user role has the following permissions:
ResourceReadEditCreateAdminDeleteComments
Projects & librariesβ¬œβ¬œβœ…β¬œβ¬œCan create projects, can edit and see projects/libraries they are given explicit access to or where they are owners. See Project level permissions for more details.
Fontsβœ…β¬œβ¬œβ¬œβ¬œCan see all Fonts available for the workspace but is not allowed to edit or add new ones
Global media libraryβœ…β¬œβ¬œβ¬œβ¬œIs able to view all global media files, but is not allowed to edit or add new files
Themesβœ…β¬œβ¬œβ¬œβ¬œCan see all Themes available for the workspace but is not allowed to edit or add new ones
Workspace audit logsβœ…β¬œβ¬œβ¬œβ¬œCan see and filter all audit logs for that workspace

Workspace User Role Constraints

Management Rules:
  • Cannot be edited or deleted (predefined role)
  • Can be duplicated to create custom variations (future feature)
  • Default role for most workspace members
  • Can be assigned when granting access to workspace
  • Limited administrative capabilities

​
Theme editor permission matrix

The theme_editor role extends workspace_user with additional permissions:
ResourceReadEditCreateDeleteComments
Fontsβœ…βœ…βœ…βœ…Can see all Fonts available for the workspace but is not allowed to edit or add new ones
Global media libraryβœ…βœ…βœ…βœ…Can add new Global media files as well as edit/delete all Global media files available for the workspace
Themesβœ…βœ…βœ…βœ…Can add new themes as well as edit/delete all themes available for the workspace

Theme Editor Role Constraints

Management Rules:
  • Same base constraints as workspace_user
  • Cannot be edited or deleted (predefined role)
  • Can be duplicated to create custom variations (future feature)
  • Specialized role for UI/UX designers and brand managers

​
Workspace runtime editor permission matrix

The workspace_runtime_editor role extends workspace_user with additional permissions:
ResourceReadEditCreateDeleteComments
Workspace buildsβœ…β¬œβœ…β¬œCan create a build for any project/library, as well as see and run all builds within the workspace
Workspace active policyβœ…βœ…β¬œβ¬œCan add a new active policy override as well as see and edit the active policy and its overrides on all projects/libraries in the workspace
Scheduled processesβœ…βœ…β¬œβœ…Can see all scheduled processes on all projects/libraries in the workspace as well as enable/disable them
Configuration parameters overridesβœ…βœ…βœ…βœ…Can add new configuration parameters overrides as well as see all overrides on all projects/libraries in the workspace
Process instancesβœ…βœ…β¬œβ¬œCan see and filter all process instances on all projects/libraries in the workspace
Tasksβœ…β¬œβ¬œβ¬œCan see and filter all tasks available for them on all projects/libraries in the workspace
Operationsβœ…βœ…βœ…βœ…Can create, view, edit, and delete all operations within the workspace (migration & move token)
Process variablesβ¬œβœ…β¬œβ¬œCan edit process variables on all projects/libraries in the workspace

Runtime Editor Role Constraints

Management Rules:
  • Same base constraints as workspace_user
  • Cannot be edited or deleted (predefined role)
  • Can be duplicated to create custom variations (future feature)
  • Specialized role for DevOps and runtime environment administrators

​
Workspace operations editor permission matrix

The workspace_operations_editor role extends workspace_user with additional permissions:
ResourceReadEditCreateDeleteComments
Process instancesβœ…βœ…β¬œβ¬œCan see and filter all process instances on all projects/libraries in the workspace
Operationsβœ…βœ…βœ…βœ…Can create, view, edit, and delete all operations within the workspace (migration & move token)
Process variablesβ¬œβœ…β¬œβ¬œCan edit process variables on all projects/libraries in the workspace

Operations Editor Role Constraints

Management Rules:
  • Same base constraints as workspace_user
  • Cannot be edited or deleted (predefined role)
  • Can be duplicated to create custom variations (future feature)
  • Specialized role for operations management (process migration & token operations)

​
Project level permissions

​
Project owner permission matrix

The project_owner role has the following permissions:
ResourceReadEditCreateDeleteAdmin/OwnerComments
Projects & Librariesβœ…βœ…β¬œβœ…βœ…Has admin rights on all projects/libraries in the workspace he is the owner of

Project Owner Role Constraints

Management Rules:
  • System-managed role, cannot be edited or deleted
  • Automatically assigned to user who creates project
  • Hidden from role selection interfaces
  • Cannot be manually assigned through UI
  • Permanent assignment for project lifecycle
  • Can be transferred to another user (ownership transfer)

​
Project editor permission matrix

The project_editor role has the following permissions:
ResourceReadEditCreateDeleteComments
Projects & Librariesβœ…βœ…β¬œβŒCan read and edit any project for which they are a project_editor

Project Editor Role Constraints

Management Rules:
  • Cannot be edited or deleted (predefined role)
  • Can be duplicated to create custom variations (future feature)
  • Can be assigned to users/groups when granting project access
  • Standard role for project team members
  • No ownership rights (cannot grant/revoke project access)

​
Project viewer permission matrix

The project_viewer role has the following permissions:
ResourceReadEditCreateDeleteComments
Projects & Librariesβœ…β¬œβ¬œβŒRead-only access to project and library information

Project Viewer Role Constraints

Management Rules:
  • Cannot be edited or deleted (predefined role)
  • Can be duplicated to create custom variations (future feature)
  • Can be assigned to users/groups when granting project access
  • Safe role for stakeholders needing visibility
  • No modification capabilities
  • Can test processes and workflows through the interface

​
Role comparison matrix

​
Quick reference: All roles compared

Permission Categoryorg_adminworkspace_adminworkspace_usertheme_editorruntime_editoroperations_editorproject_ownerproject_editorproject_viewer
Workspace Management
Create workspaceβœ…βŒβŒβŒβŒβŒβŒβŒβŒ
Manage workspace usersβœ…βœ…βŒβŒβŒβŒβŒβŒβŒ
Create projectsβœ…βœ…βœ…βœ…βœ…βœ…N/AN/AN/A
Theme & Media
Edit themesβœ…βœ…βŒβœ…βŒβŒN/AN/AN/A
Manage fontsβœ…βœ…βŒβœ…βŒβŒN/AN/AN/A
Edit media libraryβœ…βœ…βŒβœ…βŒβŒN/AN/AN/A
Runtime Management
Create buildsβœ…βœ…βŒβŒβœ…βŒβœ…βœ…βŒ
Edit active policyβœ…βœ…βŒβŒβœ…βŒβœ…βœ…βŒ
Manage config parametersβœ…βœ…βŒβŒβœ…βŒβœ…βœ…βŒ
Operations Management
Manage operationsβœ…βœ…βŒβŒβœ…βœ…N/AN/AN/A
Edit process instancesβœ…βœ…βœ…βŒβœ…βœ…N/AN/AN/A
Edit process variablesβœ…βœ…βœ…βŒβœ…βœ…N/AN/AN/A
Project Configuration
Edit processesβœ…βœ…*βœ…*βœ…*βœ…*βœ…*βœ…βœ…βŒ
Manage templatesβœ…βœ…*βœ…*βœ…*βœ…*βœ…*βœ…βœ…βŒ
Configure integrationsβœ…βœ…*βœ…*βœ…*βœ…*βœ…*βœ…βœ…βŒ
Access Control
Grant project accessβœ…βœ…βŒβŒβŒβŒβœ…βŒβŒ
Manage workspace accessβœ…βœ…βŒβŒβŒβŒβŒβŒβŒ
* Workspace-level roles can only edit project resources for projects they have been explicitly granted access to. Having a workspace role does not automatically grant access to all projects.

​
Detailed capability breakdown

​
Organization-level capabilities

Capabilityorg_adminNotes
Workspace Operations
Create new workspacesβœ…No limit on number of workspaces
Edit workspace settingsβœ…Can modify any workspace configuration
Delete workspacesβœ…Permanent deletion with confirmation
View all workspacesβœ…Unrestricted visibility
User Management
Add organization usersβœ…Can invite users to organization
Remove organization usersβœ…Can revoke organization access
Assign organization rolesβœ…Can grant org_admin to other users
View all user accessβœ…Cross-workspace user visibility
System Management
Configure organization settingsβœ…Organization-wide policies
Manage global font resourcesβœ…Fonts available to all workspaces
Configure out of office policiesβœ…Organization-level OOO rules
Monitoring
View all audit logsβœ…Organization and workspace level
Monitor platform statusβœ…System health across organization
Access environment information⚠️Deprecated in 5.7.0. Configure Environment Info UI removed.

​
Workspace-level capabilities

Capabilityworkspace_adminworkspace_usertheme_editorruntime_editoroperations_editorNotes
Project Management
Create projects/librariesβœ…βœ…βœ…βœ…βœ…All workspace users can create
View all workspace projectsβœ…βŒβŒβŒβŒOnly admin sees all projects
Admin access to all projectsβœ…βŒβŒβŒβŒAdmin has implicit access
User & Access Management
Add workspace usersβœ…βŒβŒβŒβŒAdmin only
Remove workspace usersβœ…βŒβŒβŒβŒAdmin only
Create/manage groupsβœ…βŒβŒβŒβŒAdmin only
Assign workspace rolesβœ…βŒβŒβŒβŒAdmin only
Design & Branding
Create themesβœ…βŒβœ…βŒβŒAdmin and theme editor
Edit themesβœ…βŒβœ…βŒβŒAdmin and theme editor
Delete themesβœ…βŒβœ…βŒβŒAdmin and theme editor
Manage fontsβœ…βŒβœ…βŒβŒAdmin and theme editor
Manage media libraryβœ…βŒβœ…βŒβŒAdmin and theme editor
Runtime Operations
Create buildsβœ…βŒβŒβœ…βŒAdmin and runtime editor
Edit active policiesβœ…βŒβŒβœ…βŒAdmin and runtime editor
Manage scheduled processesβœ…βŒβŒβœ…βŒAdmin and runtime editor
Manage config param overridesβœ…βŒβŒβœ…βŒAdmin and runtime editor
Operations Management
Edit process instancesβœ…βœ…βŒβœ…βœ…Admin, user, runtime, and operations editor
Edit process variablesβœ…βœ…βŒβœ…βœ…Admin, user, runtime, and operations editor
Manage operationsβœ…βŒβŒβœ…βœ…Admin, runtime, and operations editor
Create operationsβœ…βœ…βŒβœ…βœ…Admin, user, runtime, and operations editor

​
Project-level capabilities

Capabilityproject_ownerproject_editorproject_viewerNotes
Access Control
Grant project accessβœ…βŒβŒOwner only
Revoke project accessβœ…βŒβŒOwner only
Transfer project ownershipβœ…βŒβŒOwner can transfer
Project Administration
Delete projectβœ…βŒβŒOwner only (permanent)
Edit project settingsβœ…βœ…βŒOwner and editor
Archive projectβœ…βŒβŒOwner only
Process Design
Create processesβœ…βœ…βŒOwner and editor
Edit processesβœ…βœ…βŒOwner and editor
Delete processesβœ…βœ…βŒOwner and editor
View processesβœ…βœ…βœ…All roles can view
Test processesβœ…βœ…βœ…All roles can test
Configuration
Manage enumerationsβœ…βœ…βŒOwner and editor
Configure templatesβœ…βœ…βŒOwner and editor
Set up integrationsβœ…βœ…βŒOwner and editor
Manage workflowsβœ…βœ…βŒOwner and editor
Configure UI componentsβœ…βœ…βŒOwner and editor
Runtime
Create buildsβœ…βœ…βŒOwner and editor
Manage active policiesβœ…βœ…βŒOwner and editor
View runtime statusβœ…βœ…βœ…All roles
Export & Audit
Export projectβœ…βœ…βŒOwner and editor
View audit logsβœ…βœ…βœ…All roles

​
Permission inheritance patterns

​
Workspace to project inheritance

Understanding how workspace roles interact with project roles is critical for proper access management.
Key Principles:
  1. Workspace roles DO NOT automatically grant project access
    • A user with workspace_admin still needs explicit project role to access specific projects
    • Exception: workspace_admin can grant themselves access via admin privileges
    • Exception: Users with projects_admin permission (included in workspace_admin) automatically receive project_owner capabilities on all projects in that workspace
  2. Project roles are additive to workspace permissions
    • User can have workspace_user + project_editor on specific project
    • Permissions combine (union), not override
  3. Most permissive permission wins
    • If user has project_viewer via one group and project_editor via another, they get editor access
  4. Multiple workspace roles can be assigned simultaneously
    • Users can combine workspace roles for specialized access patterns
    • Example: A user can be both theme_editor and runtime_editor in the same workspace
    • Permissions from all assigned roles combine (union), enabling flexible role compositions
Examples: 
Scenario 1: Workspace User Creates Project
- User role: workspace_user
- Action: Creates new project "Project X"
- Result: User automatically becomes project_owner of "Project X"

Scenario 2: Workspace Admin Needs Project Access
- User role: workspace_admin
- Action: Wants to edit "Project Y" (not owner)
- Required: Must be granted project_editor or project_owner role on "Project Y"
- Note: Admin can grant themselves this access via admin privileges

Scenario 3: Multiple Role Assignments
- User role: workspace_user
- Project roles: project_viewer on "Project A", project_editor on "Project B"
- Result: Read-only access to Project A, full edit access to Project B

Scenario 4: Mix and Match Roles (Development Environment)
- User roles: theme_editor + runtime_editor
- Context: Development/QA environments where designers and developers need combined access
- Combined capabilities:
  - Full theme management (fonts, media library, theme creation/editing) from theme_editor
  - Runtime operations (create builds, edit policies, manage scheduled processes, config parameters) from runtime_editor
  - Base workspace capabilities (create projects, view workspace resources) from workspace_user inheritance
- Use case: UI/UX developers working in dev environments who need both design and deployment capabilities

Scenario 5: Operations Editor Role
- User role: operations_editor
- Context: Users who need to manage process operations without full runtime access
- Capabilities:
  - Full operations management (migration & move token) across the workspace
  - Edit process instances and process variables
  - Base workspace capabilities (create projects, view workspace resources) from workspace_user inheritance
- Use case: Support engineers or operations teams managing process migrations and token movements

​
Group-based permission inheritance

Group Membership Resolution:
  1. User’s permissions = Union of (individual permissions + all group permissions)
  2. More permissive permission always wins
  3. No negative permissions (cannot restrict via groups)
Example: 
User: John
- Individual: project_viewer on Project X
- Group A membership: project_editor on Project X
- Group B membership: workspace_runtime_editor

Result:
- Project X access: project_editor (more permissive than viewer)
- Workspace: workspace_runtime_editor capabilities
- Combined: Full project editing + runtime management

​
Special permission features

​
Read-only view behavior

Read-Only Mode Characteristics

When a user has read-only permissions (e.g., project_viewer role), they experience:Visible but Disabled:
  • All configuration elements visible but not editable
  • Save buttons hidden or disabled
  • Edit controls grayed out or absent
  • Delete actions not available
Available Functionality:
  • Export operations (where applicable)
  • Audit log access
  • Usage overview and tracking
  • Copy operations to other projects/libraries (for reference)
  • Process and workflow testing through interface
UI Indicators:
  • β€œView” label instead of β€œConfigure” in contextual menus
  • Read-only badges or indicators
  • No modification prompts or warnings

​
Bulk permission selection

When configuring custom roles (future feature), bulk selection simplifies permission assignment.
Bulk Selection Categories:
CategoryApplies ToSelectable Operations
Workspace EntitiesProjects, Themes, Fonts, Media, Audit LogsRead, Edit, Create, Delete
Access ManagementUsers, Groups, Roles, Platform StatusRead, Edit, Create, Delete
Runtime PermissionsBuilds, Policies, Processes, Config ParamsRead, Edit, Create, Delete
Project ConfigurationAll project resourcesRead, Edit, Create, Delete
How Bulk Selection Works:
  1. Select permission category (e.g., β€œWorkspace Entities”)
  2. Choose operation level (e.g., β€œRead”)
  3. All resources in category receive selected permission
  4. Individual permissions can be adjusted afterward
  5. Saves time when creating roles with consistent patterns

​
Permission dependencies

Auto-Included Permissions

Certain permissions automatically include others to ensure functionality:Workspace Level:
  • Any workspace permission β†’ automatically includes workspace_read
  • Any workspace edit permission β†’ should include workspace_edit
Project Level:
  • Any project permission β†’ automatically includes project_read (backend)
  • Note: project_read not displayed in UI but sent to backend
Rationale: Read permissions provide the foundation for all other operations. Without read access, users cannot see resources to edit, create, or delete them.

Workspaces Access Rights

Overview of FlowX workspace access rights and role hierarchy

Permission Reference Guide

Technical implementation details, UI mappings, and naming conventions

Role Selection Guide

Practical guidance for choosing and assigning appropriate roles

Access Management Overview

Overview of authentication and authorization in FlowX

Configuring IAM Solution

Setting up identity and access management with Keycloak

Workspaces

Understanding workspaces and organizing projects
Last modified on May 7, 2026