Skip to main content
Documentation Navigation:
This page provides comprehensive permission matrices for all predefined roles in FlowX 5.0. Use this as a reference when planning access control strategies.

How to use this reference

1

Identify the role level

Determine whether you need organization, workspace, or project-level access
2

Find the appropriate role

Review the role descriptions and select the one matching your requirements
3

Verify permissions

Check the detailed permission matrix to ensure it meets your needs
4

Implement access control

Assign roles according to the principle of least privilege

Permission legend

The permission matrices use the following symbols:
SymbolMeaning
Permission is assigned
Permission is not assigned
Permission is not available for this context

Organization level permissions

Organization admin permission matrix

The org_admin role has the following permissions:
  • Organization Administration
  • System Management
  • Monitoring & Audit
ResourceReadEditCreateDeleteAdminComments
OrganizationOrganization settings management
WorkspacesComplete workspace lifecycle control
UsersOrganization user management
GroupsUser group management

Organization Admin Role Constraints

Management Rules:
  • Cannot be edited, duplicated, or deleted
  • Can only be assigned in the Organization admin space
  • Hidden from workspace role lists
  • Cannot be assigned at workspace level
  • Must be assigned to at least one user during initial setup

Workspace level permissions

| ✅ | ⬜ | ⬜ | ⬜ | Can see and filter all tasks available on accessible projects/libraries |

Workspace admin permission matrix

The workspace_admin role has the following permissions:
  • Workspace Entities
  • Runtime Entities
  • Access Management
ResourceReadEditCreateAdminDeleteComments
Projects & librariesCreate projects/libraries and admin privs
FontsComplete font resource management
Global media libraryFull media asset management
ThemesComplete theme creation and customization
Workspace audit logsRead-only access to workspace audit

Workspace Admin Role Constraints

Management Rules:
  • Cannot be edited or deleted (predefined role)
  • Listed in workspace role management interfaces
  • Can be assigned to users/groups within the workspace
  • Can be assigned when granting access to workspace
  • Cannot manage organization-wide settings

Workspace user permission matrix

The workspace_user role has the following permissions:
  • Workspace Entities
  • Runtime Entities
  • Access Management
ResourceReadEditCreateAdminDeleteComments
Projects & librariesCan create projects and only sees projects/libraries they are given explicit access to
FontsCan see all Fonts available for the workspace but is not allowed to edit or add new ones
Global media libraryIs able to view all global media files, but is not allowed to edit or add new files
ThemesCan see all Themes available for the workspace but is not allowed to edit or add new ones
Workspace audit logsCan see and filter all audit logs for that workspace

Workspace User Role Constraints

Management Rules:
  • Cannot be edited or deleted (predefined role)
  • Can be duplicated to create custom variations (future feature)
  • Default role for most workspace members
  • Can be assigned when granting access to workspace
  • Limited administrative capabilities

Theme editor permission matrix

The theme_editor role extends workspace_user with additional permissions:
  • Additional Permissions
  • Inherited from workspace_user
ResourceReadEditCreateDeleteComments
FontsFull font management capabilities
Global media libraryComplete media asset management
ThemesFull theme creation and customization

Theme Editor Role Constraints

Management Rules:
  • Same base constraints as workspace_user
  • Cannot be edited or deleted (predefined role)
  • Can be duplicated to create custom variations (future feature)
  • Specialized role for UI/UX designers and brand managers

Workspace runtime editor permission matrix

The workspace_runtime_editor role extends workspace_user with additional permissions:
  • Additional Runtime Permissions
  • Inherited from workspace_user
ResourceReadEditCreateDeleteComments
Workspace buildsCan create builds and view build information
Workspace active policyCan edit active policies and runtime configurations
Scheduled processesFull management of scheduled processes
Configuration parameters overridesComplete control over configuration parameter overrides
Process instancesCan view and edit process instances

Runtime Editor Role Constraints

Management Rules:
  • Same base constraints as workspace_user
  • Cannot be edited or deleted (predefined role)
  • Can be duplicated to create custom variations (future feature)
  • Specialized role for DevOps and runtime environment administrators

Project level permissions

Project owner permission matrix

The project_owner role has the following permissions:
  • Project Administration
  • Configuration Resources
ResourceReadEditCreateDeleteAdmin/OwnerComments
Projects & LibrariesComplete project ownership and governance control

Project Owner Role Constraints

Management Rules:
  • System-managed role, cannot be edited or deleted
  • Automatically assigned to user who creates project
  • Hidden from role selection interfaces
  • Cannot be manually assigned through UI
  • Permanent assignment for project lifecycle
  • Can be transferred to another user (ownership transfer)

Project editor permission matrix

The project_editor role has the following permissions:
  • Project Management
  • Configuration Resources
ResourceReadEditCreateDeleteComments
Projects & LibrariesFull project management except creation (handled at workspace level)

Project Editor Role Constraints

Management Rules:
  • Cannot be edited or deleted (predefined role)
  • Can be duplicated to create custom variations (future feature)
  • Can be assigned to users/groups when granting project access
  • Standard role for project team members
  • No ownership rights (cannot grant/revoke project access)

Project viewer permission matrix

The project_viewer role has the following permissions:
  • Project Access
  • Configuration Resources
ResourceReadEditCreateDeleteComments
Projects & LibrariesRead-only access to project and library information

Project Viewer Role Constraints

Management Rules:
  • Cannot be edited or deleted (predefined role)
  • Can be duplicated to create custom variations (future feature)
  • Can be assigned to users/groups when granting project access
  • Safe role for stakeholders needing visibility
  • No modification capabilities
  • Can test processes and workflows through the interface

Role comparison matrix

Quick reference: All roles compared

Permission Categoryorg_adminworkspace_adminworkspace_usertheme_editorruntime_editorproject_ownerproject_editorproject_viewer
Workspace Management
Create workspace
Manage workspace users
Create projectsN/AN/AN/A
Theme & Media
Edit themesN/AN/AN/A
Manage fontsN/AN/AN/A
Edit media libraryN/AN/AN/A
Runtime Management
Create builds
Edit active policy
Manage config parameters
Project Configuration
Edit processes✅*✅*✅*✅*
Manage templates✅*✅*✅*✅*
Configure integrations✅*✅*✅*✅*
Access Control
Grant project access
Manage workspace access
* Workspace-level roles can only edit project resources for projects they have been explicitly granted access to. Having a workspace role does not automatically grant access to all projects.

Detailed capability breakdown

Organization-level capabilities

Capabilityorg_adminNotes
Workspace Operations
Create new workspacesNo limit on number of workspaces
Edit workspace settingsCan modify any workspace configuration
Delete workspacesPermanent deletion with confirmation
View all workspacesUnrestricted visibility
User Management
Add organization usersCan invite users to organization
Remove organization usersCan revoke organization access
Assign organization rolesCan grant org_admin to other users
View all user accessCross-workspace user visibility
System Management
Configure organization settingsOrganization-wide policies
Manage global font resourcesFonts available to all workspaces
Configure out of office policiesOrganization-level OOO rules
Monitoring
View all audit logsOrganization and workspace level
Monitor platform statusSystem health across organization
Access environment informationConfiguration and deployment details

Workspace-level capabilities

Capabilityworkspace_adminworkspace_usertheme_editorruntime_editorNotes
Project Management
Create projects/librariesAll workspace users can create
View all workspace projectsOnly admin sees all projects
Admin access to all projectsAdmin has implicit access
User & Access Management
Add workspace usersAdmin only
Remove workspace usersAdmin only
Create/manage groupsAdmin only
Assign workspace rolesAdmin only
Design & Branding
Create themesAdmin and theme editor
Edit themesAdmin and theme editor
Delete themesAdmin and theme editor
Manage fontsAdmin and theme editor
Manage media libraryAdmin and theme editor
Runtime Operations
Create buildsAdmin and runtime editor
Edit active policiesAdmin and runtime editor
Manage scheduled processesAdmin and runtime editor
Manage config param overridesAdmin and runtime editor
Edit process instancesAdmin and runtime editor

Project-level capabilities

Capabilityproject_ownerproject_editorproject_viewerNotes
Access Control
Grant project accessOwner only
Revoke project accessOwner only
Transfer project ownershipOwner can transfer
Project Administration
Delete projectOwner only (permanent)
Edit project settingsOwner and editor
Archive projectOwner only
Process Design
Create processesOwner and editor
Edit processesOwner and editor
Delete processesOwner and editor
View processesAll roles can view
Test processesAll roles can test
Configuration
Manage enumerationsOwner and editor
Configure templatesOwner and editor
Set up integrationsOwner and editor
Manage workflowsOwner and editor
Configure UI componentsOwner and editor
Runtime
Create buildsOwner and editor
Manage active policiesOwner and editor
View runtime statusAll roles
Export & Audit
Export projectOwner and editor
View audit logsAll roles

Permission inheritance patterns

Workspace to project inheritance

Understanding how workspace roles interact with project roles is critical for proper access management.
Key Principles:
  1. Workspace roles DO NOT automatically grant project access
    • A user with workspace_admin still needs explicit project role to access specific projects
    • Exception: workspace_admin can grant themselves access via admin privileges
  2. Project roles are additive to workspace permissions
    • User can have workspace_user + project_editor on specific project
    • Permissions combine (union), not override
  3. Most permissive permission wins
    • If user has project_viewer via one group and project_editor via another, they get editor access
  4. Multiple workspace roles can be assigned simultaneously
    • Users can combine workspace roles for specialized access patterns
    • Example: A user can be both theme_editor and runtime_editor in the same workspace
    • Permissions from all assigned roles combine (union), enabling flexible role compositions
Examples: 
Scenario 1: Workspace User Creates Project
- User role: workspace_user
- Action: Creates new project "Project X"
- Result: User automatically becomes project_owner of "Project X"

Scenario 2: Workspace Admin Needs Project Access
- User role: workspace_admin
- Action: Wants to edit "Project Y" (not owner)
- Required: Must be granted project_editor or project_owner role on "Project Y"
- Note: Admin can grant themselves this access via admin privileges

Scenario 3: Multiple Role Assignments
- User role: workspace_user
- Project roles: project_viewer on "Project A", project_editor on "Project B"
- Result: Read-only access to Project A, full edit access to Project B

Scenario 4: Mix and Match Roles (Development Environment)
- User roles: theme_editor + runtime_editor
- Context: Development/QA environments where designers and developers need combined access
- Combined capabilities:
  - Full theme management (fonts, media library, theme creation/editing) from theme_editor
  - Runtime operations (create builds, edit policies, manage scheduled processes, config parameters) from runtime_editor
  - Base workspace capabilities (create projects, view workspace resources) from workspace_user inheritance
- Use case: UI/UX developers working in dev environments who need both design and deployment capabilities

Group-based permission inheritance

Group Membership Resolution:
  1. User’s permissions = Union of (individual permissions + all group permissions)
  2. More permissive permission always wins
  3. No negative permissions (cannot restrict via groups)
Example: 
User: John
- Individual: project_viewer on Project X
- Group A membership: project_editor on Project X
- Group B membership: workspace_runtime_editor

Result:
- Project X access: project_editor (more permissive than viewer)
- Workspace: workspace_runtime_editor capabilities
- Combined: Full project editing + runtime management

Special permission features

Read-only view behavior

Read-Only Mode Characteristics

When a user has read-only permissions (e.g., project_viewer role), they experience:Visible but Disabled:
  • All configuration elements visible but not editable
  • Save buttons hidden or disabled
  • Edit controls grayed out or absent
  • Delete actions not available
Available Functionality:
  • Export operations (where applicable)
  • Audit log access
  • Usage overview and tracking
  • Copy operations to other projects/libraries (for reference)
  • Process and workflow testing through interface
UI Indicators:
  • “View” label instead of “Configure” in contextual menus
  • Read-only badges or indicators
  • No modification prompts or warnings

Bulk permission selection

When configuring custom roles (future feature), bulk selection streamlines permission assignment.
Bulk Selection Categories:
CategoryApplies ToSelectable Operations
Workspace EntitiesProjects, Themes, Fonts, Media, Audit LogsRead, Edit, Create, Delete
Access ManagementUsers, Groups, Roles, Platform StatusRead, Edit, Create, Delete
Runtime PermissionsBuilds, Policies, Processes, Config ParamsRead, Edit, Create, Delete
Project ConfigurationAll project resourcesRead, Edit, Create, Delete
How Bulk Selection Works:
  1. Select permission category (e.g., “Workspace Entities”)
  2. Choose operation level (e.g., “Read”)
  3. All resources in category receive selected permission
  4. Individual permissions can be adjusted afterward
  5. Saves time when creating roles with consistent patterns

Permission dependencies

Auto-Included Permissions

Certain permissions automatically include others to ensure functionality:Workspace Level:
  • Any workspace permission → automatically includes workspace_read
  • Any workspace edit permission → should include workspace_edit
Project Level:
  • Any project permission → automatically includes project_read (backend)
  • Note: project_read not displayed in UI but sent to backend
Rationale: Read permissions provide the foundation for all other operations. Without read access, users cannot see resources to edit, create, or delete them.

Workspaces Access Rights

Overview of FlowX workspace access rights and role hierarchy

Permission Reference Guide

Technical implementation details, UI mappings, and naming conventions

Role Selection Guide

Practical guidance for choosing and assigning appropriate roles

Access Management Overview

Overview of authentication and authorization in FlowX

Configuring IAM Solution

Setting up identity and access management with Keycloak

Workspaces

Understanding workspaces and organizing projects