Skip to main content

Team Roles & Permissions

Teams use a full RBAC (role-based access control) system. Every team member is assigned a role, and each role grants a specific set of permissions that control what the member can do within the team.

Default roles

Every new team is created with three roles:

RoleTypePermissionsDescription
OwnerSystem (cannot be deleted)All 18Full team access. Assigned to the team creator.
AdminDefault15Manage extensions and team members. Cannot edit team settings, manage payouts, or remove members.
MemberDefault7View and develop extensions. Read-only access to members, secrets, and settings.

Permission reference

There are 18 permissions across 7 categories:

Extensions

PermissionKeyOwnerAdminMember
Create extensionsteam-extensions:createYesYesYes
Edit extensionsteam-extensions:editYesYesYes
Delete extensionsteam-extensions:deleteYesYes--
Publish extensionsteam-extensions:publishYesYes--
View analyticsteam-extensions:analyticsYesYesYes

Versions

PermissionKeyOwnerAdminMember
Create versionsteam-versions:createYesYesYes
Edit versionsteam-versions:editYesYes--

Secrets

PermissionKeyOwnerAdminMember
Read secretsteam-secrets:readYesYesYes
Edit secretsteam-secrets:editYesYes--

Testers

PermissionKeyOwnerAdminMember
Manage testersteam-testers:manageYesYes--

Members

PermissionKeyOwnerAdminMember
Read member listteam-members:readYesYesYes
Invite membersteam-members:inviteYesYes--
Edit member rolesteam-members:editYesYes--
Remove membersteam-members:removeYes----

Settings

PermissionKeyOwnerAdminMember
Read settingsteam-settings:readYesYesYes
Edit settingsteam-settings:editYes----

Payouts

PermissionKeyOwnerAdminMember
Read payout infoteam-payouts:readYesYes--
Edit payout configteam-payouts:editYes----

Creating custom roles

In addition to the three default roles, team owners and members with team-settings:edit permission can create custom roles:

  1. Navigate to Dashboard > Extensions > Teams > {team} > Roles
  2. Click Create Role
  3. Enter a name and optional description
  4. Choose a color for the role badge
  5. Select the permissions to grant
  6. Save the role

Custom roles appear in the role list and can be assigned to team members via the members page or when creating invite links.

Editing a custom role

Click a custom role from the roles list to edit its name, description, color, or permissions. Changes take effect immediately for all members assigned to that role.

Deleting a custom role

Custom roles (where is_system is false) can be deleted. Members assigned to a deleted role are reassigned to the default Member role. The system Owner role cannot be deleted or modified.

Permission enforcement

Permissions are enforced at the API level. Both the GraphQL and REST APIs check team permissions before executing any team-scoped operation. If a member lacks the required permission, the request is rejected with an authorization error.

The dashboard UI also respects permissions -- buttons and menu items for actions the current user cannot perform are hidden or disabled.

Next steps