Team Roles & Permissions
Teams use a full RBAC (role-based access control) system. Every team member is assigned a role, and each role grants a specific set of permissions that control what the member can do within the team.
Default roles
Every new team is created with three roles:
| Role | Type | Permissions | Description |
|---|---|---|---|
| Owner | System (cannot be deleted) | All 18 | Full team access. Assigned to the team creator. |
| Admin | Default | 15 | Manage extensions and team members. Cannot edit team settings, manage payouts, or remove members. |
| Member | Default | 7 | View and develop extensions. Read-only access to members, secrets, and settings. |
Permission reference
There are 18 permissions across 7 categories:
Extensions
| Permission | Key | Owner | Admin | Member |
|---|---|---|---|---|
| Create extensions | team-extensions:create | Yes | Yes | Yes |
| Edit extensions | team-extensions:edit | Yes | Yes | Yes |
| Delete extensions | team-extensions:delete | Yes | Yes | -- |
| Publish extensions | team-extensions:publish | Yes | Yes | -- |
| View analytics | team-extensions:analytics | Yes | Yes | Yes |
Versions
| Permission | Key | Owner | Admin | Member |
|---|---|---|---|---|
| Create versions | team-versions:create | Yes | Yes | Yes |
| Edit versions | team-versions:edit | Yes | Yes | -- |
Secrets
| Permission | Key | Owner | Admin | Member |
|---|---|---|---|---|
| Read secrets | team-secrets:read | Yes | Yes | Yes |
| Edit secrets | team-secrets:edit | Yes | Yes | -- |
Testers
| Permission | Key | Owner | Admin | Member |
|---|---|---|---|---|
| Manage testers | team-testers:manage | Yes | Yes | -- |
Members
| Permission | Key | Owner | Admin | Member |
|---|---|---|---|---|
| Read member list | team-members:read | Yes | Yes | Yes |
| Invite members | team-members:invite | Yes | Yes | -- |
| Edit member roles | team-members:edit | Yes | Yes | -- |
| Remove members | team-members:remove | Yes | -- | -- |
Settings
| Permission | Key | Owner | Admin | Member |
|---|---|---|---|---|
| Read settings | team-settings:read | Yes | Yes | Yes |
| Edit settings | team-settings:edit | Yes | -- | -- |
Payouts
| Permission | Key | Owner | Admin | Member |
|---|---|---|---|---|
| Read payout info | team-payouts:read | Yes | Yes | -- |
| Edit payout config | team-payouts:edit | Yes | -- | -- |
Creating custom roles
In addition to the three default roles, team owners and members with team-settings:edit permission can create custom roles:
- Navigate to Dashboard > Extensions > Teams > {team} > Roles
- Click Create Role
- Enter a name and optional description
- Choose a color for the role badge
- Select the permissions to grant
- Save the role
Custom roles appear in the role list and can be assigned to team members via the members page or when creating invite links.
Editing a custom role
Click a custom role from the roles list to edit its name, description, color, or permissions. Changes take effect immediately for all members assigned to that role.
Deleting a custom role
Custom roles (where is_system is false) can be deleted. Members assigned to a deleted role are reassigned to the default Member role. The system Owner role cannot be deleted or modified.
Permission enforcement
Permissions are enforced at the API level. Both the GraphQL and REST APIs check team permissions before executing any team-scoped operation. If a member lacks the required permission, the request is rejected with an authorization error.
The dashboard UI also respects permissions -- buttons and menu items for actions the current user cannot perform are hidden or disabled.
Next steps
- Teams Overview -- team creation and management
- Security & API Keys -- manage API keys and 2FA