# Permissions

Permissions define what an authenticated user, service, team, or integration is allowed to do inside AeThex.

<div class="docs-section-heading">
  <h2>Authorization layer</h2>
  <p>Authentication answers who someone is. Permissions answer what they can access.</p>
</div>

Permissions should be evaluated after [[Authentication]] and inside the relevant [[Organizations]], [[Teams]], or [[Projects]] context. A user may have different access depending on which organization or project they are acting within.

## Permission concepts

- Roles: named sets of access rules.
- Scopes: API-level capabilities granted to tokens or integrations.
- Ownership: direct control over a resource.
- Team membership: inherited access through [[Teams]].
- Administrative override: powerful access that should be logged and limited.

## Safe defaults

1. Deny by default.
2. Grant the smallest useful role.
3. Separate read, write, admin, and billing/security privileges.
4. Audit sensitive permission changes.
5. Revoke access when users leave teams or organizations.

<div class="docs-grid">
<a class="docs-card" href="/Authentication">Authentication</a>
<a class="docs-card" href="/Teams">Teams</a>
<a class="docs-card" href="/Security-Model">Security Model</a>
<a class="docs-card" href="/Policies">Policies</a>
</div>
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9