PlatformAccess (RBAC)
Access (RBAC)
Roles, assignments, scopes and tokens.
Access control is role-based (RBAC), with scopes that cascade from the workspace down to the spaces.
| Concept | Description |
|---|---|
| Role | A set of actions (resource.operation). Built-in: Owner, Contributor, Reader. Customizable. |
| Assignment | Binds a principal (person or token) to a role within a scope. |
| Scope | Workspace or space. Assignments inherit top-down. |
| Check access | Shows a principal's effective permissions within a scope, along with the cascade. |
Tokens and service principals
- Personal Access Tokens (PAT) — scoped + roled, always limited to ≤ what the owner can do (intersection, re-checked on every request).
- Service Principals — organization identities (App ID + secrets/cert), independent of any user — ideal for CI and integrations.
Use Check access to debug permissions: pick the person/token and the scope and see the resulting allow/deny action matrix.