# Permissions Permissions define what an authenticated user, service, team, or integration is allowed to do inside AeThex. <div class="docs-section-heading"> <h2>Authorization layer</h2> <p>Authentication answers who someone is. Permissions answer what they can access.</p> </div> Permissions should be evaluated after [[Authentication]] and inside the relevant [[Organizations]], [[Teams]], or [[Projects]] context. A user may have different access depending on which organization or project they are acting within. ## Permission concepts - Roles: named sets of access rules. - Scopes: API-level capabilities granted to tokens or integrations. - Ownership: direct control over a resource. - Team membership: inherited access through [[Teams]]. - Administrative override: powerful access that should be logged and limited. ## Safe defaults 1. Deny by default. 2. Grant the smallest useful role. 3. Separate read, write, admin, and billing/security privileges. 4. Audit sensitive permission changes. 5. Revoke access when users leave teams or organizations. <div class="docs-grid"> <a class="docs-card" href="/Authentication">Authentication</a> <a class="docs-card" href="/Teams">Teams</a> <a class="docs-card" href="/Security-Model">Security Model</a> <a class="docs-card" href="/Policies">Policies</a> </div>