Skip to main content
Documentation Navigation:
This guide provides technical reference information for FlowX Designer permissions, including naming conventions, UI element mappings, and implementation details. Use this guide when you need to understand how permissions work at a technical level.

Permission naming conventions

Naming structure

FlowX permissions follow a consistent naming pattern that helps identify scope and purpose:

Scope prefixes

Why some project permissions lack the proj_ prefix:Most project-level configuration resources (processes, workflows, enumerations, etc.) don’t use the proj_ prefix because:
  • Their context is always project-scoped
  • There’s no workspace-level equivalent that would create naming conflicts
  • Shorter names improve readability
The proj_ prefix is used when:
  • A workspace-level equivalent exists (e.g., proj_mediafile_* vs mediafile_* for workspace media)
  • Disambiguation is necessary (e.g., proj_data_type_* for project data model)

Operation suffixes

Special naming cases

When a resource property is named β€œid” or β€œurl” (case insensitive), it must be prefixed with userDefined: to avoid conflicts with system properties.Examples:
  • userDefined:URL - For a custom URL property
  • userDefined:id - For a custom ID field
This applies when working with:
  • Database properties
  • Configuration parameters
  • Custom data model fields
Date Properties are split into multiple permission fields:
Place Properties are split into multiple fields:
These expanded formats provide granular control over complex property types.
Checkbox properties use special string values instead of boolean:
  • __YES__ for checked
  • __NO__ for unchecked
Example:
Number properties must use JavaScript number format, not strings:Correct:
Incorrect:
Substitution tags use the enumeration permission set:
  • enum_read
  • enum_edit
  • enum_create
  • enum_delete
There are no separate substitution_tags_* permissions - enumeration permissions cover both resource types.
AI agent permissions deviate from the standard pattern:
  • Only aiagent_edit exists
  • No separate _read, _create, or _delete permissions
  • The edit permission grants access to all AI agent functionality (developer, analyst, designer)

Permission examples by category

Organization-level permissions are limited. Most administration occurs at workspace level.

Permission-to-UI action mapping

This section shows how permissions control specific UI elements and actions in FlowX Designer. When a user lacks a permission, the corresponding UI element is hidden or disabled.

Understanding UI behavior

Permission Enforcement Rules

Read Permission Behavior:
  • Read permission must be explicitly declared
  • Not automatically implied by other permissions
  • Exception: workspace_read is auto-included with any workspace permission
UI Display Rules:
  • Missing permission = Hidden UI element
  • Read-only permission = View mode with disabled controls
  • No error messages shown for hidden elements

Workspace level permissions

Theme Permissions (theme_*)

When user has only theme_read, the theme page displays in read-only mode with all edit controls disabled.

Project level permissions

Project Permissions (project_*)

project_create is granted at workspace level. Users create projects within their workspace, not within other projects.

Permission dependency rules

Critical Permission Dependencies

Workspace Level:workspace_read - Automatically included when any other workspace permission is granted. Required for basic workspace visibility and validation.workspace_edit - Should be included when granting any workspace edit permission. Provides general workspace modification context.Project Level:project_read - Automatically sent to backend when any project-level permission is selected, even though not displayed in UI as selectable. Required for basic project access validation.Rule: Read permissions establish the foundation for all other permissions on a resource.

Groups technical reference

Understanding how groups work at a technical level helps administrators implement effective access control strategies.

System-managed groups

Everyone in workspace group

Technical Implementation

Display Name: Everyone in workspace (identical for every workspace; the workspace name is not embedded)Identifier: a system-generated UUID (there is no semantic all_users_* identifier)Automatic Behaviors:
  • Created during workspace provisioning by the authorization-system service
  • System-owned β€” cannot be manually modified via UI or API
  • Membership managed through workspace access events
  • Pre-populated in project access grant interfaces
  • Included in user/group search result sets
Use Cases:
  • Default access patterns for new projects
  • Workspace-wide policy application
  • Bulk access management operations
  • Simplified onboarding workflows

Custom group architecture

Group Properties:
  • Unique identifier (UUID)
  • Display name (user-defined)
  • Description (optional)
  • Workspace scope (cannot span workspaces)
  • Member list (user IDs)
  • Role assignments (workspace-level)
Group Membership:
  • Direct user assignments
  • No nested group support
  • Membership changes propagate immediately
  • Audit trail maintained for membership changes

Advanced topics

Permission override scenarios

Scenario: User assigned multiple roles at same levelResolution:
  • Permissions are combined (union)
  • Most permissive permission wins
  • Cannot have conflicting restrictions
Example:
Scenario: Workspace role vs. project roleResolution:
  • Project-level permissions are additive to workspace permissions
  • Workspace role doesn’t auto-grant project access
  • Explicit project access required even with workspace admin role
Example:
Scenario: User has both group-based and individual permissionsResolution:
  • Combine all permissions from all sources
  • More permissive permission wins
  • Individual cannot override to be more restrictive
Example:

Permission caching and propagation

Caching Behavior

Cache Locations:
  • User session cache (browser)
  • Backend permission cache (per user)
  • Database role definitions (persistent)
Cache Invalidation:
  • User logout clears session cache
  • Role changes propagate within 5 minutes
  • Group membership changes immediate
  • Manual cache clear via re-login
Troubleshooting Cache Issues:
  1. User logs out completely
  2. Clear browser cache and cookies
  3. User logs back in
  4. Permissions refresh from database
  5. If still not working, check role assignments

Workspaces Access Rights

Overview of FlowX workspace access rights and role hierarchy

Complete Permissions Matrix

Detailed permission matrices for all FlowX roles

Role Selection Guide

Practical guidance for choosing and assigning roles

Access Management Overview

Overview of FlowX access management system
Last modified on July 2, 2026