This page is part of the AeThex documentation system.
+
Permissions define what an authenticated user, service, team, or integration is allowed to do inside AeThex.
-
> [!NOTE]
-
> This article is a placeholder and should be expanded.
+
<div class="docs-section-heading">
+
<h2>Authorization layer</h2>
+
<p>Authentication answers who someone is. Permissions answer what they can access.</p>
+
</div>
-
{{PageIndex}}
+
Permissions should be evaluated after [[Authentication]] and inside the relevant [[Organizations]], [[Teams]], or [[Projects]] context. A user may have different access depending on which organization or project they are acting within.
+
+
## Permission concepts
+
+
- Roles: named sets of access rules.
+
- Scopes: API-level capabilities granted to tokens or integrations.
+
- Ownership: direct control over a resource.
+
- Team membership: inherited access through [[Teams]].
+
- Administrative override: powerful access that should be logged and limited.
+
+
## Safe defaults
+
+
1. Deny by default.
+
2. Grant the smallest useful role.
+
3. Separate read, write, admin, and billing/security privileges.
+
4. Audit sensitive permission changes.
+
5. Revoke access when users leave teams or organizations.