
# Complete roles & permissions matrix

> Detailed permission matrices for all FlowX roles across organization, workspace, and project levels

<Note>
  **Documentation Navigation:**

  * [Workspaces Access Rights](/5.9/setup-guides/access-management/workspaces-access-rights) - Role overview and concepts
  * **Complete Permissions Matrix** (Current) - Detailed permission specifications
  * [Permission Reference Guide](/5.9/setup-guides/access-management/permission-reference-guide) - Technical implementation details
  * [Role Selection Guide](/5.9/setup-guides/access-management/role-selection-guide) - Practical scenarios and best practices
</Note>

<Info>
  This page provides comprehensive permission matrices for all predefined roles in FlowX. Use this as a reference when planning access control strategies.
</Info>

## How to use this reference

<Steps>
  <Step title="Identify the role level">
    Determine whether you need organization, workspace, or project-level access
  </Step>

  <Step title="Find the appropriate role">
    Review the role descriptions and select the one matching your requirements
  </Step>

  <Step title="Verify permissions">
    Check the detailed permission matrix to ensure it meets your needs
  </Step>

  <Step title="Implement access control">
    Assign roles according to the principle of least privilege
  </Step>
</Steps>

## Permission legend

The permission matrices use the following symbols:

| Symbol | Meaning                                                                                                   |
| ------ | --------------------------------------------------------------------------------------------------------- |
| ✅      | Permission is assigned                                                                                    |
| ❌      | Permission is not assigned                                                                                |
| ⬜      | Permission is not available for this context                                                              |
| ⚠️     | Permission is deprecated: retained for backward compatibility but no longer surfaces a UI entry point     |

## Organization level permissions

### Organization admin permission matrix

The `org_admin` role has the following permissions:

<Tabs>
  <Tab title="Organization Administration">
    | Resource     | Read | Edit | Create | Delete | Admin | Comments                             |
    | ------------ | ---- | ---- | ------ | ------ | ----- | ------------------------------------ |
    | Organization | ⬜    | ✅    | ⬜      | ⬜      | ⬜     | Organization settings management     |
    | Workspaces   | ✅    | ✅    | ✅      | ✅      | ✅     | Complete workspace lifecycle control |
    | Users        | ✅    | ✅    | ✅      | ✅      | ⬜     | Organization user management         |
    | Groups       | ✅    | ✅    | ✅      | ✅      | ⬜     | User group management                |
  </Tab>

  <Tab title="System Management">
    | Resource      | Read | Edit | Create | Delete | Comments                                                                                                                                                                         |
    | ------------- | ---- | ---- | ------ | ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
    | Out of office | ✅    | ✅    | ✅      | ✅      | Out of office policy management                                                                                                                                                  |
    | Fonts         | ✅    | ✅    | ✅      | ✅      | Global font resource management                                                                                                                                                  |
    | AI providers  | ✅    | ✅    | ⬜      | ⬜      | Gated by `org_ai_providers_read` / `org_ai_providers_edit`. Controls the AI Settings nav entry, Model Providers, and Defaults & Fallbacks pages in the organization admin space. |
  </Tab>

  <Tab title="Monitoring & Audit">
    | Resource        | Read | Edit | Create | Delete | Comments                                                                                                                                                       |
    | --------------- | ---- | ---- | ------ | ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------- |
    | Audit logs      | ✅    | ❌    | ❌      | ❌      | Read-only access to system audit                                                                                                                               |
    | Platform status | ✅    | ❌    | ❌      | ❌      | System health monitoring                                                                                                                                       |
    | Org Env Info    | ⚠️   | ⚠️   | ❌      | ❌      | *Deprecated in 5.7.0.* Manual Configure Environment Info form removed; permission retained for backward compatibility but no longer surfaces a UI entry point. |
    | Org Audit log   | ✅    | ❌    | ❌      | ❌      | Organization-specific audit access                                                                                                                             |
  </Tab>
</Tabs>

<Card title="Organization Admin Role Constraints" icon="lock">
  **Management Rules:**

  * Cannot be edited, duplicated, or deleted
  * Can only be assigned in the Organization admin space
  * Hidden from workspace role lists
  * Cannot be assigned at workspace level
  * Must be assigned to at least one user during initial setup
</Card>

## Workspace level permissions

### Workspace admin permission matrix

The `workspace_admin` role has the following permissions:

<Tabs>
  <Tab title="Workspace Entities">
    | Resource             | Read | Edit | Create | Delete | Admin | Comments                                                                                                                                      |
    | -------------------- | ---- | ---- | ------ | ------ | ----- | --------------------------------------------------------------------------------------------------------------------------------------------- |
    | Projects & libraries | ⬜    | ⬜    | ✅      | ⬜      | ✅     | Can create projects and has admin rights on all projects/libraries in the workspace (even without being given explicit access)                |
    | Fonts                | ✅    | ✅    | ✅      | ✅      | ⬜     | Can add new fonts as well as edit/delete all fonts available for the workspace                                                                |
    | Global media library | ✅    | ✅    | ✅      | ✅      | ⬜     | Can add new Global media files as well as edit/delete all Global media files available for the workspace                                      |
    | Themes               | ✅    | ✅    | ✅      | ✅      | ⬜     | Can add new themes as well as edit/delete all themes available for the workspace                                                              |
    | Workspace audit logs | ✅    | ⬜    | ⬜      | ⬜      | ⬜     | Can see and filter all audit logs for that workspace                                                                                          |
    | AI models            | ✅    | ✅    | ⬜      | ⬜      | ⬜     | Gated by `wks_ai_models_read` / `wks_ai_models_edit`. Controls workspace-level AI model assignments (defaults, fallbacks) per workspace type. |
  </Tab>

  <Tab title="Runtime Entities">
    | Resource                           | Read | Edit | Create | Delete | Comments                                                                                                                                    |
    | ---------------------------------- | ---- | ---- | ------ | ------ | ------------------------------------------------------------------------------------------------------------------------------------------- |
    | Workspace builds                   | ✅    | ⬜    | ✅      | ⬜      | Can create a build for any project/library, as well as see and run all builds within the workspace                                          |
    | Workspace active policy            | ✅    | ✅    | ⬜      | ⬜      | Can add a new active policy override as well as see and edit the active policy and its overrides on all projects/libraries in the workspace |
    | Scheduled processes                | ✅    | ✅    | ⬜      | ✅      | Can see all scheduled processes on all projects/libraries in the workspace as well as enable/disable them                                   |
    | Configuration parameters overrides | ✅    | ✅    | ✅      | ✅      | Can add new configuration parameters overrides as well as see all overrides on all projects/libraries in the workspace                      |
    | Process instances                  | ✅    | ✅    | ⬜      | ⬜      | Can see and filter all process instances on all projects/libraries in the workspace                                                         |
    | Tasks                              | ✅    | ⬜    | ⬜      | ⬜      | Can see and filter all tasks available for them on all projects/libraries in the workspace                                                  |
    | Operations                         | ✅    | ✅    | ✅      | ✅      | Can create, view, edit, and delete all operations within the workspace (migration & move token)                                             |
    | Process variables                  | ⬜    | ✅    | ⬜      | ⬜      | Can edit process variables on all projects/libraries in the workspace                                                                       |
  </Tab>

  <Tab title="Access Management">
    | Resource                          | Read | Edit | Create | Delete | Comments                                                                                                                |
    | --------------------------------- | ---- | ---- | ------ | ------ | ----------------------------------------------------------------------------------------------------------------------- |
    | Workspace management              | ✅    | ✅    | ⬜      | ⬜      | Permission granted so that the user can see the resources they create or are assigned to                                |
    | Users                             | ✅    | ✅    | ✅      | ✅      | Can see and modify all users assigned to the workspace, as well as their groups and access within the current workspace |
    | Workspace groups                  | ✅    | ✅    | ✅      | ✅      | Can add new groups as well as edit/delete all groups available for the workspace                                        |
    | Workspace roles                   | ✅    | ✅    | ✅      | ✅      | Complete workspace role management                                                                                      |
    | Workspace platform status         | ✅    | ⬜    | ⬜      | ⬜      | Can see and export the Platform status details                                                                          |
    | Workspace environment information | ⚠️   | ⬜    | ⬜      | ⬜      | *Deprecated in 5.7.0.* Environment Info UI removed; permission retained for backward compatibility.                     |
  </Tab>
</Tabs>

<Card title="Workspace Admin Role Constraints" icon="settings">
  **Management Rules:**

  * Cannot be edited or deleted (predefined role)
  * Listed in workspace role management interfaces
  * Can be assigned to users/groups within the workspace
  * Can be assigned when granting access to workspace
  * Cannot manage organization-wide settings
</Card>

### Workspace user permission matrix

The `workspace_user` role has the following permissions:

<Tabs>
  <Tab title="Workspace Entities">
    | Resource             | Read | Edit | Create | Delete | Admin | Comments                                                                                                                                                                                        |
    | -------------------- | ---- | ---- | ------ | ------ | ----- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
    | Projects & libraries | ⬜    | ⬜    | ✅      | ⬜      | ⬜     | Can create projects, and can see and edit the projects/libraries they own or are given explicit access to. See [Project level](#project-level-permissions) permissions for more details.         |
    | Fonts                | ✅    | ⬜    | ⬜      | ⬜      | ⬜     | Can see all Fonts available for the workspace but is not allowed to edit or add new ones                                                                                                        |
    | Global media library | ✅    | ⬜    | ⬜      | ⬜      | ⬜     | Is able to view all global media files, but is not allowed to edit or add new files                                                                                                             |
    | Themes               | ✅    | ⬜    | ⬜      | ⬜      | ⬜     | Can see all Themes available for the workspace but is not allowed to edit or add new ones                                                                                                       |
    | Workspace audit logs | ✅    | ⬜    | ⬜      | ⬜      | ⬜     | Can see and filter all audit logs for that workspace                                                                                                                                            |
  </Tab>

  <Tab title="Runtime Entities">
    | Resource                           | Read | Edit | Create | Delete | Comments                                                                                                               |
    | ---------------------------------- | ---- | ---- | ------ | ------ | ---------------------------------------------------------------------------------------------------------------------- |
    | Workspace builds                   | ✅    | ⬜    | ⬜      | ⬜      | Can see and run all builds on projects/libraries they create or are given explicit access to                           |
    | Workspace active policy            | ✅    | ⬜    | ⬜      | ⬜      | Can see the active policy and its overrides on projects/libraries they create or are given explicit access to          |
    | Scheduled processes                | ✅    | ⬜    | ⬜      | ⬜      | Can see all scheduled processes on projects/libraries they create or are given explicit access to                      |
    | Configuration parameters overrides | ✅    | ⬜    | ⬜      | ⬜      | Can see all configuration parameters overrides on projects/libraries they create or are given explicit access to       |
    | Process instances                  | ✅    | ✅    | ⬜      | ⬜      | Can see and filter all process instances on projects/libraries they create or are given explicit access to             |
    | Tasks                              | ✅    | ⬜    | ⬜      | ⬜      | Can see and filter all tasks available for them on projects/libraries they create or are given explicit access to      |
    | Operations                         | ✅    | ⬜    | ✅      | ⬜      | Can create operations and view all operations within the workspace (migration & move token)                            |
    | Process variables                  | ⬜    | ✅    | ⬜      | ⬜      | Can edit process variables on projects/libraries they create or are given explicit access to                           |
  </Tab>

  <Tab title="Access Management">
    | Resource                          | Read | Edit | Create | Delete | Comments                                                                                                     |
    | --------------------------------- | ---- | ---- | ------ | ------ | ------------------------------------------------------------------------------------------------------------ |
    | Workspace management              | ✅    | ⬜    | ⬜      | ⬜      | Permission granted so that the user can see the resources they create or are assigned to                     |
    | Users                             | ✅    | ⬜    | ⬜      | ⬜      | Can see all users assigned to the workspace, as well as their groups and access within the current workspace |
    | Workspace groups                  | ✅    | ⬜    | ⬜      | ⬜      | View workspace groups but can't manage                                                                       |
    | Workspace roles                   | ✅    | ⬜    | ⬜      | ⬜      | View workspace roles but can't manage                                                                        |
    | Workspace platform status         | ✅    | ⬜    | ⬜      | ⬜      | Can see and export the Platform status details                                                               |
    | Workspace environment information | ⚠️   | ⬜    | ⬜      | ⬜      | *Deprecated in 5.7.0.* Environment Info UI removed; permission retained for backward compatibility.          |
  </Tab>
</Tabs>

<Card title="Workspace User Role Constraints" icon="user">
  **Management Rules:**

  * Cannot be edited or deleted (predefined role)
  * Can be duplicated to create custom variations (future feature)
  * Default role for most workspace members
  * Can be assigned when granting access to workspace
  * Limited administrative capabilities
</Card>

### Theme editor permission matrix

The `theme_editor` role extends `workspace_user` with additional permissions:

<Tabs>
  <Tab title="Additional Permissions">
    | Resource             | Read | Edit | Create | Delete | Comments                                                                                                 |
    | -------------------- | ---- | ---- | ------ | ------ | -------------------------------------------------------------------------------------------------------- |
    | Fonts                | ✅    | ✅    | ✅      | ✅      | Can add new fonts as well as edit/delete all fonts available for the workspace                           |
    | Global media library | ✅    | ✅    | ✅      | ✅      | Can add new Global media files as well as edit/delete all Global media files available for the workspace |
    | Themes               | ✅    | ✅    | ✅      | ✅      | Can add new themes as well as edit/delete all themes available for the workspace                         |
  </Tab>

  <Tab title="Inherited from workspace_user">
    All other permissions are inherited from the `workspace_user` role. See the workspace user permission matrix above for complete details.
  </Tab>
</Tabs>

<Card title="Theme Editor Role Constraints" icon="palette">
  **Management Rules:**

  * Same base constraints as `workspace_user`
  * Cannot be edited or deleted (predefined role)
  * Can be duplicated to create custom variations (future feature)
  * Specialized role for UI/UX designers and brand managers
</Card>

### Workspace runtime editor permission matrix

The `workspace_runtime_editor` role extends `workspace_user` with additional permissions:

<Tabs>
  <Tab title="Additional Runtime Permissions">
    | Resource                           | Read | Edit | Create | Delete | Comments                                                                                                                                    |
    | ---------------------------------- | ---- | ---- | ------ | ------ | ------------------------------------------------------------------------------------------------------------------------------------------- |
    | Workspace builds                   | ✅    | ⬜    | ✅      | ⬜      | Can create a build for any project/library, as well as see and run all builds within the workspace                                          |
    | Workspace active policy            | ✅    | ✅    | ⬜      | ⬜      | Can add a new active policy override as well as see and edit the active policy and its overrides on all projects/libraries in the workspace |
    | Scheduled processes                | ✅    | ✅    | ⬜      | ✅      | Can see all scheduled processes on all projects/libraries in the workspace as well as enable/disable them                                   |
    | Configuration parameters overrides | ✅    | ✅    | ✅      | ✅      | Can add new configuration parameters overrides as well as see all overrides on all projects/libraries in the workspace                      |
    | Process instances                  | ✅    | ✅    | ⬜      | ⬜      | Can see and filter all process instances on all projects/libraries in the workspace                                                         |
    | Tasks                              | ✅    | ⬜    | ⬜      | ⬜      | Can see and filter all tasks available for them on all projects/libraries in the workspace                                                  |
    | Operations                         | ✅    | ✅    | ✅      | ✅      | Can create, view, edit, and delete all operations within the workspace (migration & move token)                                             |
    | Process variables                  | ⬜    | ✅    | ⬜      | ⬜      | Can edit process variables on all projects/libraries in the workspace                                                                       |
  </Tab>

  <Tab title="Inherited from workspace_user">
    All other permissions are inherited from the `workspace_user` role. See the workspace user permission matrix above for complete details.
  </Tab>
</Tabs>

<Card title="Runtime Editor Role Constraints" icon="gear">
  **Management Rules:**

  * Same base constraints as `workspace_user`
  * Cannot be edited or deleted (predefined role)
  * Can be duplicated to create custom variations (future feature)
  * Specialized role for DevOps and runtime environment administrators
</Card>

### Workspace operations editor permission matrix

The `workspace_operations_editor` role extends `workspace_user` with additional permissions:

<Tabs>
  <Tab title="Additional Operations Permissions">
    | Resource          | Read | Edit | Create | Delete | Comments                                                                                        |
    | ----------------- | ---- | ---- | ------ | ------ | ----------------------------------------------------------------------------------------------- |
    | Process instances | ✅    | ✅    | ⬜      | ⬜      | Can see and filter all process instances on all projects/libraries in the workspace             |
    | Operations        | ✅    | ✅    | ✅      | ✅      | Can create, view, edit, and delete all operations within the workspace (migration & move token) |
    | Process variables | ⬜    | ✅    | ⬜      | ⬜      | Can edit process variables on all projects/libraries in the workspace                           |
  </Tab>

  <Tab title="Inherited from workspace_user">
    All other permissions are inherited from the `workspace_user` role. See the workspace user permission matrix above for complete details.
  </Tab>
</Tabs>

<Card title="Operations Editor Role Constraints" icon="rotate">
  **Management Rules:**

  * Same base constraints as `workspace_user`
  * Cannot be edited or deleted (predefined role)
  * Can be duplicated to create custom variations (future feature)
  * Specialized role for operations management (process migration & token operations)
</Card>
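The "Implement access control" step above says to assign roles by least privilege. As an added example (not FlowX code), the script below transcribes the workspace-level matrices on this page into permission sets, applies the documented `extends workspace_user` inheritance, and picks the predefined role combination that covers a stated need with the fewest surplus permissions. The `resource`/`action` shorthand and the function names are this example's own, not FlowX identifiers.

```python
"""Least-privilege role selection over the workspace role matrices on this page.

Added example, not FlowX code. Permission sets are transcribed from the
workspace-level matrices above as (resource, action) pairs for cells marked
as assigned. Resource names and actions are this example's own shorthand.
"""
from __future__ import annotations

from itertools import combinations

Perm = tuple[str, str]


def crud(resource: str, actions: str = "read edit create delete") -> set[Perm]:
    """Expand a resource into (resource, action) pairs for the listed actions."""
    return {(resource, action) for action in actions.split()}


# workspace_user: every assigned cell across its three tabs.
WORKSPACE_USER: set[Perm] = (
    crud("projects_libraries", "create")
    | crud("fonts", "read") | crud("global_media", "read") | crud("themes", "read")
    | crud("workspace_audit_logs", "read")
    | crud("builds", "read") | crud("active_policy", "read")
    | crud("scheduled_processes", "read") | crud("config_param_overrides", "read")
    | crud("process_instances", "read edit") | crud("tasks", "read")
    | crud("operations", "read create") | crud("process_variables", "edit")
    | crud("workspace_management", "read") | crud("users", "read")
    | crud("workspace_groups", "read") | crud("workspace_roles", "read")
    | crud("platform_status", "read")
)

# Roles the page describes as "extends workspace_user" are the base set plus
# their "Additional Permissions" rows. workspace_admin is transcribed from its
# own matrix (Admin column included; deprecated environment-info row omitted).
ROLES: dict[str, set[Perm]] = {
    "workspace_user": WORKSPACE_USER,
    "theme_editor": WORKSPACE_USER | crud("fonts") | crud("global_media") | crud("themes"),
    "workspace_runtime_editor": WORKSPACE_USER
    | crud("builds", "create") | crud("active_policy", "edit")
    | crud("scheduled_processes", "edit delete")
    | crud("config_param_overrides") | crud("operations"),
    "workspace_operations_editor": WORKSPACE_USER | crud("operations"),
    "workspace_admin": (
        crud("projects_libraries", "create admin")
        | crud("fonts") | crud("global_media") | crud("themes")
        | crud("workspace_audit_logs", "read") | crud("ai_models", "read edit")
        | crud("builds", "read create") | crud("active_policy", "read edit")
        | crud("scheduled_processes", "read edit delete")
        | crud("config_param_overrides") | crud("process_instances", "read edit")
        | crud("tasks", "read") | crud("operations") | crud("process_variables", "edit")
        | crud("workspace_management", "read edit") | crud("users")
        | crud("workspace_groups") | crud("workspace_roles")
        | crud("platform_status", "read")
    ),
}


def granted(roles: tuple[str, ...]) -> set[Perm]:
    """Effective permissions of a principal holding several roles: their union."""
    return set().union(*(ROLES[role] for role in roles))


def excess(roles: tuple[str, ...], required: set[Perm]) -> set[Perm]:
    """Permissions the role set grants beyond what the principal needs."""
    return granted(roles) - required


def minimal_roles(required: set[Perm]) -> tuple[str, ...] | None:
    """Return the role combination covering `required` with the fewest surplus
    permissions, ties broken by fewer roles. Minimising the role count instead
    would always favour workspace_admin, which covers everything but grants
    the most; least privilege minimises the surplus."""
    names = sorted(ROLES)
    covering = [
        combo
        for size in range(1, len(names) + 1)
        for combo in combinations(names, size)
        if required <= granted(combo)
    ]
    if not covering:
        return None  # no workspace role grants this; it may be an org-level permission
    return min(covering, key=lambda c: (len(excess(c, required)), len(c), c))


if __name__ == "__main__":
    designer = crud("fonts", "edit") | crud("themes", "edit")
    print(minimal_roles(designer), "surplus:", len(excess(minimal_roles(designer), designer)))
    mixed = crud("fonts", "edit") | crud("builds", "create")
    print(minimal_roles(mixed), "vs workspace_admin surplus:", len(excess(("workspace_admin",), mixed)))
```

The `mixed` case shows why role count is the wrong objective: `workspace_admin` covers it with a single role, but two specialised roles together grant far fewer unneeded permissions.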

## Project level permissions

### Project owner permission matrix

The `project_owner` role has the following permissions:

<Tabs>
  <Tab title="Project Administration">
    | Resource             | Read | Edit | Create | Delete | Admin/Owner | Comments                                                                       |
    | -------------------- | ---- | ---- | ------ | ------ | ----------- | ------------------------------------------------------------------------------ |
    | Projects & Libraries | ✅    | ✅    | ⬜      | ✅      | ✅           | Has admin rights on all projects/libraries in the workspace that they own       |
  </Tab>

  <Tab title="Configuration Resources">
    | Resource                              | Read | Edit | Create | Delete | Comments                                                                                                                                                                                                            |
    | ------------------------------------- | ---- | ---- | ------ | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
    | Processes                             | ✅    | ✅    | ✅      | ✅      | Can create/edit/delete all resources within the project                                                                                                                                                             |
    | Project data model                    | ✅    | ✅    | ✅      | ✅      | Can create/edit/delete all resources within the project                                                                                                                                                             |
    | Enumerations                          | ✅    | ✅    | ✅      | ✅      | Can create/edit/delete all resources within the project                                                                                                                                                             |
    | Media library & Document Intelligence | ✅    | ✅    | ✅      | ✅      | Can create/edit/delete all resources within the project                                                                                                                                                             |
    | Notification templates                | ✅    | ✅    | ✅      | ✅      | Can create/edit/delete all resources within the project                                                                                                                                                             |
    | Document templates                    | ✅    | ✅    | ✅      | ✅      | Can create/edit/delete all resources within the project                                                                                                                                                             |
    | Views                                 | ✅    | ✅    | ✅      | ✅      | Can create/edit/delete all resources within the project                                                                                                                                                             |
    | Stages                                | ✅    | ✅    | ✅      | ✅      | Can create/edit/delete all resources within the project                                                                                                                                                             |
    | Allocation rules                      | ✅    | ✅    | ✅      | ✅      | Can create/edit/delete all resources within the project                                                                                                                                                             |
    | Data Sources                          | ✅    | ✅    | ✅      | ✅      | Can create/edit/delete all resources within the project                                                                                                                                                             |
    | Workflow                              | ✅    | ✅    | ✅      | ✅      | Can create/edit/delete all resources within the project                                                                                                                                                             |
    | Reusable UI                           | ✅    | ✅    | ✅      | ✅      | Can create/edit/delete all resources within the project                                                                                                                                                             |
    | UI Flows                              | ✅    | ✅    | ✅      | ✅      | Can create/edit/delete UI Flows within the project (5.3+)                                                                                                                                                           |
    | Reusable Business Rules               | ✅    | ✅    | ✅      | ✅      | Can create/edit/delete all resources within the project                                                                                                                                                             |
    | Dependencies                          | ✅    | ✅    | ✅      | ✅      | Can create/edit/delete all resources within the project                                                                                                                                                             |
    | Configuration parameters              | ✅    | ✅    | ✅      | ✅      | Can create/edit/delete all resources within the project                                                                                                                                                             |
    | AI agents                             | ⬜    | ✅    | ⬜      | ⬜      | Gated by the `aiagent_edit` permission. Controls visibility of config-time agents (AI Assistant, Analyst, Designer, Developer), the AI floating action button, the Chat UI component, and AI actions on BPMN nodes. |
  </Tab>
</Tabs>

<Card title="Project Owner Role Constraints" icon="crown">
  **Management Rules:**

  * System-managed role, cannot be edited or deleted
  * Automatically assigned to the user who creates a project
  * Hidden from role selection interfaces
  * Cannot be manually assigned through UI
  * Permanent assignment for project lifecycle
  * Can be transferred to another user (ownership transfer)
</Card>

### Project editor permission matrix

The `project_editor` role has the following permissions:

<Tabs>
  <Tab title="Project Management">
    | Resource             | Read | Edit | Create | Delete | Comments                                                           |
    | -------------------- | ---- | ---- | ------ | ------ | ------------------------------------------------------------------ |
    | Projects & Libraries | ✅    | ✅    | ⬜      | ❌      | Can read and edit any project for which they are a `project_editor` |
  </Tab>

  <Tab title="Configuration Resources">
    | Resource                              | Read | Edit | Create | Delete | Comments                                                                  |
    | ------------------------------------- | ---- | ---- | ------ | ------ | ------------------------------------------------------------------------- |
    | Processes                             | ✅    | ✅    | ✅      | ✅      | Can create/edit/delete all resources within the project                   |
    | Project data model                    | ✅    | ✅    | ✅      | ✅      | Can create/edit/delete all resources within the project                   |
    | Enumerations                          | ✅    | ✅    | ✅      | ✅      | Can create/edit/delete all resources within the project                   |
    | Media library & Document Intelligence | ✅    | ✅    | ✅      | ✅      | Can create/edit/delete all resources within the project                   |
    | Notification templates                | ✅    | ✅    | ✅      | ✅      | Can create/edit/delete all resources within the project                   |
    | Document templates                    | ✅    | ✅    | ✅      | ✅      | Can create/edit/delete all resources within the project                   |
    | Views                                 | ✅    | ✅    | ✅      | ✅      | Can create/edit/delete all resources within the project                   |
    | Stages                                | ✅    | ✅    | ✅      | ✅      | Can create/edit/delete all resources within the project                   |
    | Allocation rules                      | ✅    | ✅    | ✅      | ✅      | Can create/edit/delete all resources within the project                   |
    | Data Sources                          | ✅    | ✅    | ✅      | ✅      | Can create/edit/delete all resources within the project                   |
    | Workflow                              | ✅    | ✅    | ✅      | ✅      | Can create/edit/delete all resources within the project                   |
    | Reusable UI                           | ✅    | ✅    | ✅      | ✅      | Can create/edit/delete all resources within the project                   |
    | UI Flows                              | ✅    | ✅    | ✅      | ✅      | Can create/edit/delete UI Flows within the project (5.3+)                 |
    | Reusable Business Rules               | ✅    | ✅    | ✅      | ✅      | Can create/edit/delete all resources within the project                   |
    | Dependencies                          | ✅    | ✅    | ✅      | ✅      | Can create/edit/delete all resources within the project                   |
    | Configuration parameters              | ✅    | ✅    | ✅      | ✅      | Can create/edit/delete all resources within the project                   |
    | AI agents                             | ⬜    | ✅    | ⬜      | ⬜      | Gated by the `aiagent_edit` permission. Same surfaces as `project_owner`. |
  </Tab>
</Tabs>

<Card title="Project Editor Role Constraints" icon="pen-to-square">
  **Management Rules:**

  * Cannot be edited or deleted (predefined role)
  * Can be duplicated to create custom variations (future feature)
  * Can be assigned to users/groups when granting project access
  * Standard role for project team members
  * No ownership rights (cannot grant/revoke project access)
</Card>

### Project viewer permission matrix

The `project_viewer` role has the following permissions:

<Tabs>
  <Tab title="Project Access">
    | Resource             | Read | Edit | Create | Delete | Comments                                            |
    | -------------------- | ---- | ---- | ------ | ------ | --------------------------------------------------- |
    | Projects & Libraries | ✅    | ⬜    | ⬜      | ❌      | Read-only access to project and library information |
  </Tab>

  <Tab title="Configuration Resources">
    | Resource                              | Read | Edit | Create | Delete | Comments                                                                                                      |
    | ------------------------------------- | ---- | ---- | ------ | ------ | ------------------------------------------------------------------------------------------------------------- |
    | Processes                             | ✅    | ❌    | ❌      | ❌      | View process definitions and workflows                                                                        |
    | Project data model                    | ✅    | ❌    | ❌      | ❌      | Read-only access to project data structure                                                                    |
    | Enumerations                          | ✅    | ❌    | ❌      | ❌      | View enumeration values and data structures                                                                   |
    | Media library & Document Intelligence | ✅    | ❌    | ❌      | ❌      | View media assets and document intelligence configurations                                                    |
    | Notification templates                | ✅    | ❌    | ❌      | ❌      | View notification template configurations                                                                     |
    | Document templates                    | ✅    | ❌    | ❌      | ❌      | View document template configurations                                                                         |
    | Views                                 | ✅    | ❌    | ❌      | ❌      | View UI configuration definitions                                                                             |
    | Stages                                | ✅    | ❌    | ❌      | ❌      | View process stage definitions                                                                                |
    | Allocation rules                      | ✅    | ❌    | ❌      | ❌      | View task and resource allocation rules                                                                       |
    | Data Sources                          | ✅    | ❌    | ❌      | ❌      | View system integrations and endpoints                                                                        |
    | Workflow                              | ✅    | ❌    | ❌      | ❌      | View workflow definitions and configurations                                                                  |
    | Reusable UI                           | ✅    | ❌    | ❌      | ❌      | Read-only UI component access with permission inheritance                                                     |
    | UI Flows                              | ✅    | ❌    | ❌      | ❌      | View UI Flows definitions (5.3+)                                                                              |
    | Reusable Business Rules               | ✅    | ❌    | ❌      | ❌      | Read-only function component access with permission inheritance                                               |
    | Dependencies                          | ✅    | ❌    | ❌      | ❌      | View project and library dependencies                                                                         |
    | Configuration parameters              | ✅    | ❌    | ❌      | ❌      | View project configuration parameters                                                                         |
    | AI agents                             | ⬜    | ❌    | ⬜      | ⬜      | `aiagent_edit` not granted. No `aiagent_read` exists, so project viewers do not see AI agent surfaces at all. |
  </Tab>
</Tabs>

<Card title="Project Viewer Role Constraints" icon="eye">
  **Management Rules:**

  * Cannot be edited or deleted (predefined role)
  * Can be duplicated to create custom variations (future feature)
  * Can be assigned to users/groups when granting project access
  * Safe role for stakeholders needing visibility
  * No modification capabilities
  * Can test processes and workflows through the interface
</Card>

## Role comparison matrix

### Quick reference: All roles compared

| Permission Category       | org\_admin | workspace\_admin | workspace\_user | theme\_editor | runtime\_editor | operations\_editor | project\_owner | project\_editor | project\_viewer |
| ------------------------- | ---------- | ---------------- | --------------- | ------------- | --------------- | ------------------ | -------------- | --------------- | --------------- |
| **Workspace Management**  |            |                  |                 |               |                 |                    |                |                 |                 |
| Create workspace          | ✅          | ❌                | ❌               | ❌             | ❌               | ❌                  | ❌              | ❌               | ❌               |
| Manage workspace users    | ✅          | ✅                | ❌               | ❌             | ❌               | ❌                  | ❌              | ❌               | ❌               |
| Create projects           | ✅          | ✅                | ✅               | ✅             | ✅               | ✅                  | N/A            | N/A             | N/A             |
| **Theme & Media**         |            |                  |                 |               |                 |                    |                |                 |                 |
| Edit themes               | ✅          | ✅                | ❌               | ✅             | ❌               | ❌                  | N/A            | N/A             | N/A             |
| Manage fonts              | ✅          | ✅                | ❌               | ✅             | ❌               | ❌                  | N/A            | N/A             | N/A             |
| Edit media library        | ✅          | ✅                | ❌               | ✅             | ❌               | ❌                  | N/A            | N/A             | N/A             |
| **Runtime Management**    |            |                  |                 |               |                 |                    |                |                 |                 |
| Create builds             | ✅          | ✅                | ❌               | ❌             | ✅               | ❌                  | ✅              | ✅               | ❌               |
| Edit active policy        | ✅          | ✅                | ❌               | ❌             | ✅               | ❌                  | ✅              | ✅               | ❌               |
| Manage config parameters  | ✅          | ✅                | ❌               | ❌             | ✅               | ❌                  | ✅              | ✅               | ❌               |
| **Operations Management** |            |                  |                 |               |                 |                    |                |                 |                 |
| Manage operations         | ✅          | ✅                | ❌               | ❌             | ✅               | ✅                  | N/A            | N/A             | N/A             |
| Edit process instances    | ✅          | ✅                | ✅               | ❌             | ✅               | ✅                  | N/A            | N/A             | N/A             |
| Edit process variables    | ✅          | ✅                | ✅               | ❌             | ✅               | ✅                  | N/A            | N/A             | N/A             |
| **Project Configuration** |            |                  |                 |               |                 |                    |                |                 |                 |
| Edit processes            | ✅          | ✅\*              | ✅\*             | ✅\*           | ✅\*             | ✅\*                | ✅              | ✅               | ❌               |
| Manage templates          | ✅          | ✅\*              | ✅\*             | ✅\*           | ✅\*             | ✅\*                | ✅              | ✅               | ❌               |
| Configure integrations    | ✅          | ✅\*              | ✅\*             | ✅\*           | ✅\*             | ✅\*                | ✅              | ✅               | ❌               |
| **Access Control**        |            |                  |                 |               |                 |                    |                |                 |                 |
| Grant project access      | ✅          | ✅                | ❌               | ❌             | ❌               | ❌                  | ✅              | ❌               | ❌               |
| Manage workspace access   | ✅          | ✅                | ❌               | ❌             | ❌               | ❌                  | ❌              | ❌               | ❌               |

<Note>
  \* Workspace-level roles can only edit project resources for projects they have been explicitly granted access to. Having a workspace role does not automatically grant access to all projects.
</Note>

## Detailed capability breakdown

### Organization-level capabilities

| Capability                       | org\_admin | Notes                                                         |
| -------------------------------- | ---------- | ------------------------------------------------------------- |
| **Workspace Operations**         |            |                                                               |
| Create new workspaces            | ✅          | No limit on number of workspaces                              |
| Edit workspace settings          | ✅          | Can modify any workspace configuration                        |
| Delete workspaces                | ✅          | Permanent deletion with confirmation                          |
| View all workspaces              | ✅          | Unrestricted visibility                                       |
| **User Management**              |            |                                                               |
| Add organization users           | ✅          | Can invite users to organization                              |
| Remove organization users        | ✅          | Can revoke organization access                                |
| Assign organization roles        | ✅          | Can grant org\_admin to other users                           |
| View all user access             | ✅          | Cross-workspace user visibility                               |
| **System Management**            |            |                                                               |
| Configure organization settings  | ✅          | Organization-wide policies                                    |
| Manage global font resources     | ✅          | Fonts available to all workspaces                             |
| Configure out of office policies | ✅          | Organization-level OOO rules                                  |
| **Monitoring**                   |            |                                                               |
| View all audit logs              | ✅          | Organization and workspace level                              |
| Monitor platform status          | ✅          | System health across organization                             |
| Access environment information   | ⚠️         | *Deprecated in 5.7.0.* The Configure Environment Info UI has been removed. |

### Workspace-level capabilities

| Capability                    | workspace\_admin | workspace\_user | theme\_editor | runtime\_editor | operations\_editor | Notes                                       |
| ----------------------------- | ---------------- | --------------- | ------------- | --------------- | ------------------ | ------------------------------------------- |
| **Project Management**        |                  |                 |               |                 |                    |                                             |
| Create projects/libraries     | ✅                | ✅               | ✅             | ✅               | ✅                  | All workspace users can create              |
| View all workspace projects   | ✅                | ❌               | ❌             | ❌               | ❌                  | Only admin sees all projects                |
| Admin access to all projects  | ✅                | ❌               | ❌             | ❌               | ❌                  | Admin has implicit access                   |
| **User & Access Management**  |                  |                 |               |                 |                    |                                             |
| Add workspace users           | ✅                | ❌               | ❌             | ❌               | ❌                  | Admin only                                  |
| Remove workspace users        | ✅                | ❌               | ❌             | ❌               | ❌                  | Admin only                                  |
| Create/manage groups          | ✅                | ❌               | ❌             | ❌               | ❌                  | Admin only                                  |
| Assign workspace roles        | ✅                | ❌               | ❌             | ❌               | ❌                  | Admin only                                  |
| **Design & Branding**         |                  |                 |               |                 |                    |                                             |
| Create themes                 | ✅                | ❌               | ✅             | ❌               | ❌                  | Admin and theme editor                      |
| Edit themes                   | ✅                | ❌               | ✅             | ❌               | ❌                  | Admin and theme editor                      |
| Delete themes                 | ✅                | ❌               | ✅             | ❌               | ❌                  | Admin and theme editor                      |
| Manage fonts                  | ✅                | ❌               | ✅             | ❌               | ❌                  | Admin and theme editor                      |
| Manage media library          | ✅                | ❌               | ✅             | ❌               | ❌                  | Admin and theme editor                      |
| **Runtime Operations**        |                  |                 |               |                 |                    |                                             |
| Create builds                 | ✅                | ❌               | ❌             | ✅               | ❌                  | Admin and runtime editor                    |
| Edit active policies          | ✅                | ❌               | ❌             | ✅               | ❌                  | Admin and runtime editor                    |
| Manage scheduled processes    | ✅                | ❌               | ❌             | ✅               | ❌                  | Admin and runtime editor                    |
| Manage config param overrides | ✅                | ❌               | ❌             | ✅               | ❌                  | Admin and runtime editor                    |
| **Operations Management**     |                  |                 |               |                 |                    |                                             |
| Edit process instances        | ✅                | ✅               | ❌             | ✅               | ✅                  | Admin, user, runtime, and operations editor |
| Edit process variables        | ✅                | ✅               | ❌             | ✅               | ✅                  | Admin, user, runtime, and operations editor |
| Manage operations             | ✅                | ❌               | ❌             | ✅               | ✅                  | Admin, runtime, and operations editor       |
| Create operations             | ✅                | ✅               | ❌             | ✅               | ✅                  | Admin, user, runtime, and operations editor |

### Project-level capabilities

| Capability                 | project\_owner | project\_editor | project\_viewer | Notes                  |
| -------------------------- | -------------- | --------------- | --------------- | ---------------------- |
| **Access Control**         |                |                 |                 |                        |
| Grant project access       | ✅              | ❌               | ❌               | Owner only             |
| Revoke project access      | ✅              | ❌               | ❌               | Owner only             |
| Transfer project ownership | ✅              | ❌               | ❌               | Owner can transfer     |
| **Project Administration** |                |                 |                 |                        |
| Delete project             | ✅              | ❌               | ❌               | Owner only (permanent) |
| Edit project settings      | ✅              | ✅               | ❌               | Owner and editor       |
| Archive project            | ✅              | ❌               | ❌               | Owner only             |
| **Process Design**         |                |                 |                 |                        |
| Create processes           | ✅              | ✅               | ❌               | Owner and editor       |
| Edit processes             | ✅              | ✅               | ❌               | Owner and editor       |
| Delete processes           | ✅              | ✅               | ❌               | Owner and editor       |
| View processes             | ✅              | ✅               | ✅               | All roles can view     |
| Test processes             | ✅              | ✅               | ✅               | All roles can test     |
| **Configuration**          |                |                 |                 |                        |
| Manage enumerations        | ✅              | ✅               | ❌               | Owner and editor       |
| Configure templates        | ✅              | ✅               | ❌               | Owner and editor       |
| Set up integrations        | ✅              | ✅               | ❌               | Owner and editor       |
| Manage workflows           | ✅              | ✅               | ❌               | Owner and editor       |
| Configure UI components    | ✅              | ✅               | ❌               | Owner and editor       |
| **Runtime**                |                |                 |                 |                        |
| Create builds              | ✅              | ✅               | ❌               | Owner and editor       |
| Manage active policies     | ✅              | ✅               | ❌               | Owner and editor       |
| View runtime status        | ✅              | ✅               | ✅               | All roles              |
| **Export & Audit**         |                |                 |                 |                        |
| Export project             | ✅              | ✅               | ❌               | Owner and editor       |
| View audit logs            | ✅              | ✅               | ✅               | All roles              |

## Permission inheritance patterns

### Workspace to project inheritance

<Info>
  Understanding how workspace roles interact with project roles is critical for proper access management.
</Info>

**Key Principles:**

1. **Workspace roles DO NOT automatically grant project access**
   * A user with `workspace_admin` still needs an explicit project role to access specific projects
   * Exception: `workspace_admin` can grant themselves access via admin privileges
   * Exception: Users with the `projects_admin` permission (included in `workspace_admin`) automatically receive `project_owner` capabilities on all projects in that workspace

2. **Project roles are additive to workspace permissions**
   * A user can have `workspace_user` + `project_editor` on a specific project
   * Permissions combine (union), not override

3. **Most permissive permission wins**
   * If a user has `project_viewer` via one group and `project_editor` via another, they get editor access

4. **Multiple workspace roles can be assigned simultaneously**
   * Users can combine workspace roles for specialized access patterns
   * Example: A user can be both `theme_editor` and `runtime_editor` in the same workspace
   * Permissions from all assigned roles combine (union), enabling flexible role compositions

**Examples:**

```
Scenario 1: Workspace User Creates Project
- User role: workspace_user
- Action: Creates new project "Project X"
- Result: User automatically becomes project_owner of "Project X"

Scenario 2: Workspace Admin Needs Project Access
- User role: workspace_admin
- Action: Wants to edit "Project Y" (not owner)
- Required: Must be granted project_editor or project_owner role on "Project Y"
- Note: Admin can grant themselves this access via admin privileges

Scenario 3: Multiple Role Assignments
- User role: workspace_user
- Project roles: project_viewer on "Project A", project_editor on "Project B"
- Result: Read-only access to Project A, full edit access to Project B

Scenario 4: Mix and Match Roles (Development Environment)
- User roles: theme_editor + runtime_editor
- Context: Development/QA environments where designers and developers need combined access
- Combined capabilities:
  - Full theme management (fonts, media library, theme creation/editing) from theme_editor
  - Runtime operations (create builds, edit policies, manage scheduled processes, config parameters) from runtime_editor
  - Base workspace capabilities (create projects, view workspace resources) from workspace_user inheritance
- Use case: UI/UX developers working in dev environments who need both design and deployment capabilities

Scenario 5: Operations Editor Role
- User role: operations_editor
- Context: Users who need to manage process operations without full runtime access
- Capabilities:
  - Full operations management (migration & move token) across the workspace
  - Edit process instances and process variables
  - Base workspace capabilities (create projects, view workspace resources) from workspace_user inheritance
- Use case: Support engineers or operations teams managing process migrations and token movements
```

### Group-based permission inheritance

**Group Membership Resolution:**

1. User's permissions = Union of (individual permissions + all group permissions)
2. More permissive permission always wins
3. No negative permissions (cannot restrict via groups)

**Example:**

```
User: John
- Individual: project_viewer on Project X
- Group A membership: project_editor on Project X
- Group B membership: workspace_runtime_editor

Result:
- Project X access: project_editor (more permissive than viewer)
- Workspace: workspace_runtime_editor capabilities
- Combined: Full project editing + runtime management
```
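The resolver below is an added illustration, not FlowX code: it models the rules from the two inheritance sections above (union across a user's own assignments and all their groups, most permissive project role wins, no negative permissions, the `projects_admin` exception) together with the auto-included read permissions described under Permission dependencies. Role names are the page's; the permission identifiers inside each role bundle, the `Assignment`/`resolve` API, and the use of `runtime_editor` in place of the group example's `workspace_runtime_editor` are assumptions.

```python
from dataclasses import dataclass, field

# Project roles ordered by permissiveness (page rule: most permissive wins).
PROJECT_ROLE_RANK = {"project_viewer": 1, "project_editor": 2, "project_owner": 3}

# Permission bundles per workspace role. Role names are the page's; the
# identifiers inside (other than workspace_read, workspace_edit and
# projects_admin, which the page names) are illustrative assumptions.
WORKSPACE_ROLE_PERMS = {
    "workspace_user":    {"project_create", "process_instance_edit"},
    "theme_editor":      {"project_create", "theme_edit", "font_edit", "media_edit"},
    "runtime_editor":    {"project_create", "build_create", "policy_edit",
                          "config_param_edit", "process_instance_edit"},
    "operations_editor": {"project_create", "operations_manage", "process_instance_edit"},
    "workspace_admin":   {"project_create", "workspace_edit", "users_manage",
                          "projects_admin", "theme_edit", "build_create"},
}


@dataclass
class Assignment:
    """Roles held directly by a user, or by one group (constructed input shape)."""
    workspace_roles: set = field(default_factory=set)
    project_roles: dict = field(default_factory=dict)   # project name -> set of roles


@dataclass
class Effective:
    workspace_perms: set
    project_role: dict      # project name -> most permissive role
    project_perms: dict     # project name -> derived permission set


def _strongest(roles):
    return max(roles, key=PROJECT_ROLE_RANK.__getitem__)


def _project_perms(role):
    """Derived project permissions; project_read is always included (backend rule)."""
    perms = {"project_read"}
    if PROJECT_ROLE_RANK[role] >= PROJECT_ROLE_RANK["project_editor"]:
        perms |= {"process_edit", "template_edit", "build_create", "aiagent_edit"}
    if role == "project_owner":
        perms |= {"project_delete", "project_access_grant"}
    return perms


def resolve(direct, groups, workspace_projects):
    """Union of individual + group roles; most permissive project role wins;
    no negative permissions; projects_admin => project_owner on every project
    in the workspace; read permissions auto-included."""
    sources = [direct, *groups]

    # Workspace side: union of roles across the user and all their groups.
    ws_roles = set().union(*(s.workspace_roles for s in sources))
    ws_perms = set().union(*(WORKSPACE_ROLE_PERMS[r] for r in ws_roles))
    if ws_roles:
        ws_perms.add("workspace_read")   # any workspace permission includes workspace_read

    # Project side: collect every role from every source. A weaker role can
    # only add to the set, never remove a stronger one (no negative permissions).
    roles_by_project = {}
    for s in sources:
        for project, roles in s.project_roles.items():
            roles_by_project.setdefault(project, set()).update(roles)

    # Exception from the page: projects_admin grants project_owner on all
    # projects in the workspace, regardless of explicit project assignments.
    if "projects_admin" in ws_perms:
        for project in workspace_projects:
            roles_by_project.setdefault(project, set()).add("project_owner")

    project_role = {p: _strongest(r) for p, r in roles_by_project.items()}
    project_perms = {p: _project_perms(r) for p, r in project_role.items()}
    return Effective(ws_perms, project_role, project_perms)


def john_example():
    """The 'User: John' example above (runtime_editor stands in for the group's
    workspace_runtime_editor; Project Y is a constructed second project)."""
    direct = Assignment(project_roles={"Project X": {"project_viewer"}})
    group_a = Assignment(project_roles={"Project X": {"project_editor"}})
    group_b = Assignment(workspace_roles={"runtime_editor"})
    return resolve(direct, [group_a, group_b], workspace_projects=["Project X", "Project Y"])


if __name__ == "__main__":
    eff = john_example()
    print(eff.project_role)             # {'Project X': 'project_editor'}
    print(sorted(eff.workspace_perms))  # includes build_create and workspace_read
```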

## Special permission features

### Read-only view behavior

<Card title="Read-Only Mode Characteristics" icon="eye">
  When a user has read-only permissions (e.g., `project_viewer` role), they experience:

  **Visible but Disabled:**

  * All configuration elements visible but not editable
  * Save buttons hidden or disabled
  * Edit controls grayed out or absent
  * Delete actions not available

  **Available Functionality:**

  * Export operations (where applicable)
  * Audit log access
  * Usage overview and tracking
  * Copy operations to other projects/libraries (for reference)
  * Process and workflow testing through interface

  **UI Indicators:**

  * "View" label instead of "Configure" in contextual menus
  * Read-only badges or indicators
  * No modification prompts or warnings
</Card>

### Bulk permission selection

<Info>
  When configuring custom roles (future feature), bulk selection simplifies permission assignment.
</Info>

**Bulk Selection Categories:**

| Category                  | Applies To                                 | Selectable Operations      |
| ------------------------- | ------------------------------------------ | -------------------------- |
| **Workspace Entities**    | Projects, Themes, Fonts, Media, Audit Logs | Read, Edit, Create, Delete |
| **Access Management**     | Users, Groups, Roles, Platform Status      | Read, Edit, Create, Delete |
| **Runtime Permissions**   | Builds, Policies, Processes, Config Params | Read, Edit, Create, Delete |
| **Project Configuration** | All project resources                      | Read, Edit, Create, Delete |

**How Bulk Selection Works:**

1. Select permission category (e.g., "Workspace Entities")
2. Choose operation level (e.g., "Read")
3. All resources in category receive selected permission
4. Individual permissions can be adjusted afterward
5. Saves time when creating roles with consistent patterns

### Permission dependencies

<Card title="Auto-Included Permissions" icon="link">
  Certain permissions automatically include others to ensure functionality:

  **Workspace Level:**

  * Any workspace permission → automatically includes `workspace_read`
  * Any workspace edit permission → should include `workspace_edit`

  **Project Level:**

  * Any project permission → automatically includes `project_read` (backend)
  * Note: `project_read` is not displayed in the UI but is sent to the backend

  **Rationale:**
  Read permissions provide the foundation for all other operations. Without read access, users cannot see resources to edit, create, or delete them.
</Card>

## Related documentation

<CardGroup cols={2}>
  <Card title="Workspaces Access Rights" icon="shield-check" href="/5.9/setup-guides/access-management/workspaces-access-rights">
    Overview of FlowX workspace access rights and role hierarchy
  </Card>

  <Card title="Permission Reference Guide" icon="book" href="/5.9/setup-guides/access-management/permission-reference-guide">
    Technical implementation details, UI mappings, and naming conventions
  </Card>

  <Card title="Role Selection Guide" icon="compass" href="/5.9/setup-guides/access-management/role-selection-guide">
    Practical guidance for choosing and assigning appropriate roles
  </Card>

  <Card title="Access Management Overview" icon="key" href="/5.9/setup-guides/access-management/access-management-overview">
    Overview of authentication and authorization in FlowX
  </Card>

  <Card title="Configuring IAM Solution" icon="lock" href="/5.9/setup-guides/access-management/configuring-an-iam-solution">
    Setting up identity and access management with Keycloak
  </Card>

  <Card title="Workspaces" icon="briefcase" href="/5.9/docs/projects/workspaces">
    Understanding workspaces and organizing projects
  </Card>
</CardGroup>
