Permissions
Permissions define what an authenticated user, service, team, or integration is allowed to do inside AeThex.
Authorization layer
Authentication answers who someone is. Permissions answer what they can access.
Permissions should be evaluated after Authentication and inside the relevant Organizations, Teams, or Projects context. A user may have different access depending on which organization or project they are acting within.
Permission concepts
- Roles: named sets of access rules.
- Scopes: API-level capabilities granted to tokens or integrations.
- Ownership: direct control over a resource.
- Team membership: inherited access through Teams.
- Administrative override: powerful access that should be logged and limited.
Safe defaults
- Deny by default.
- Grant the smallest useful role.
- Separate read, write, admin, and billing/security privileges.
- Audit sensitive permission changes.
- Revoke access when users leave teams or organizations.