PlatformAccess (RBAC)

Access (RBAC)

Roles, assignments, scopes and tokens.

Access control is role-based (RBAC), with scopes that cascade from the workspace down to the spaces.

ConceptDescription
RoleA set of actions (resource.operation). Built-in: Owner, Contributor, Reader. Customizable.
AssignmentBinds a principal (person or token) to a role within a scope.
ScopeWorkspace or space. Assignments inherit top-down.
Check accessShows a principal's effective permissions within a scope, along with the cascade.

Tokens and service principals

  • Personal Access Tokens (PAT) — scoped + roled, always limited to ≤ what the owner can do (intersection, re-checked on every request).
  • Service Principals — organization identities (App ID + secrets/cert), independent of any user — ideal for CI and integrations.
Use Check access to debug permissions: pick the person/token and the scope and see the resulting allow/deny action matrix.