Project roles, permission matrix, token scopes, and access control for teams
Roles & Permissions
Flaggr uses role-based access control (RBAC) at the project level. Each team member is assigned a role that determines what they can do.
Project Roles
| Role | Description |
|---|---|
| Owner | Full control. Can delete the project and transfer ownership. |
| Admin | Manage everything except deleting the project. |
| Member | Create, read, and update flags and services. Cannot manage team or settings. |
| Viewer | Read-only access to flags, services, and audit logs. |
Permission Matrix
| Action | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| View flags | Yes | Yes | Yes | Yes |
| Create flags | Yes | Yes | Yes | No |
| Update flags | Yes | Yes | Yes | No |
| Toggle flags | Yes | Yes | Yes | No |
| Delete flags | Yes | Yes | No | No |
| View services | Yes | Yes | Yes | Yes |
| Create services | Yes | Yes | Yes | No |
| Delete services | Yes | Yes | No | No |
| View audit logs | Yes | Yes | Yes | Yes |
| View members | Yes | Yes | Yes | Yes |
| Add members | Yes | Yes | No | No |
| Remove members | Yes | Yes | No | No |
| Change roles | Yes | Yes | No | No |
| Manage settings | Yes | Yes | No | No |
| Create tokens | Yes | Yes | No | No |
| Revoke tokens | Yes | Yes | No | No |
| Delete project | Yes | No | No | No |
| Change slug | Yes | No | No | No |
API Token Scopes
API tokens have their own permission model, separate from project roles.
Opaque Token Permissions
Opaque tokens carry a simple boolean flag per permission:

```json
{
  "permissions": {
    "read": true,
    "write": false,
    "delete": false
  }
}
```

| Permission | Grants |
|---|---|
| read | Evaluate flags, list flags, view configurations |
| write | Create and update flags, toggle enabled state, manage targeting |
| delete | Delete flags |
JWT Token Scopes
JWT tokens carry more granular, OAuth2-style scopes:

| Scope | Grants |
|---|---|
| read | Same as opaque read |
| write | Same as opaque write |
| delete | Same as opaque delete |
| manage_settings | Project settings, token management |
| manage_members | Add/remove members, change roles |
Always create tokens with the minimum permissions the caller needs. SDK evaluation tokens should be read-only; only CI/CD pipelines or admin tooling need write access.
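The two token models above expanded into one set of concrete actions, so a single check serves opaque permissions and JWT scopes alike. This is an added example, not Flaggr's own code: it assumes HS256-signed JWTs carrying a space-separated `scope` claim, the action names used in the sets, and a shared signing key, none of which the page specifies. Unknown scopes and malformed permission blocks grant nothing, and the algorithm is pinned so the token cannot choose it.

```python
import base64
import hashlib
import hmac
import json
import time

# Actions each scope/permission unlocks, following the two tables above.
# The action names themselves are an assumption of this example.
SCOPE_GRANTS = {
    "read": {"evaluate_flag", "list_flags", "view_config"},
    "write": {"create_flag", "update_flag", "toggle_flag", "manage_targeting"},
    "delete": {"delete_flag"},
    "manage_settings": {"manage_settings", "manage_tokens"},
    "manage_members": {"add_member", "remove_member", "change_role"},
}
OPAQUE_PERMISSIONS = ("read", "write", "delete")  # the only keys an opaque token may carry


def grants_from_opaque(permissions: dict) -> set:
    """Expand an opaque token's {"read": bool, ...} block into concrete actions.

    Only the three documented keys count, and only a real boolean True
    (not 1, not "true") grants anything, so a malformed block fails closed.
    """
    granted = set()
    for name in OPAQUE_PERMISSIONS:
        if permissions.get(name) is True:
            granted |= SCOPE_GRANTS[name]
    return granted


def grants_from_scopes(scope: str) -> set:
    """Expand a space-separated OAuth2-style scope string; unknown scopes grant nothing."""
    granted = set()
    for name in scope.split():
        granted |= SCOPE_GRANTS.get(name, set())
    return granted


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT; used here only to construct sample tokens offline."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes, now: float = None) -> dict:
    """Verify signature and expiry before trusting any claim. Raises ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # Pin the algorithm: never let the token choose (alg=none, key confusion).
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("missing or expired exp")
    return claims


def grants_from_jwt(token: str, key: bytes, now: float = None) -> set:
    """Verified JWT -> granted actions. The 'scope' claim name is an assumption of this example."""
    claims = verify_hs256(token, key, now)
    return grants_from_scopes(claims.get("scope", ""))


def token_allows(granted: set, action: str) -> bool:
    return action in granted


if __name__ == "__main__":
    key = b"constructed-signing-key-for-the-example-only"
    # A read-only SDK evaluation token, constructed for the demonstration.
    sdk = mint_hs256({"sub": "sdk-web", "scope": "read", "exp": int(time.time()) + 3600}, key)
    g = grants_from_jwt(sdk, key)
    print("evaluate:", token_allows(g, "evaluate_flag"))  # True
    print("toggle:", token_allows(g, "toggle_flag"))      # False
```

The enforcement point only ever sees the expanded action set, so the difference between the two token models stays in the two `grants_from_*` functions; a write-capable JWT still cannot add members, and an opaque token that smuggles in a `manage_members` key gets nothing for it.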
Team Management
Inviting Members
Invite users by email. The invitation expires after 7 days.
```http
POST /api/projects/{id}/invitations

{ "email": "alice@example.com", "role": "member" }
```

You cannot invite someone as owner. Ownership can only be transferred through project settings.
Changing Roles
```http
PATCH /api/projects/{id}/members/{memberId}

{ "role": "admin" }
```

Only owners and admins can change roles. You cannot change your own role.
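The permission matrix together with the invitation and role-change rules, as a deny-by-default authorization check. This is an added example, not Flaggr's own code: the action names mirror the matrix rows, the `Member` type is hypothetical, and the guard that refuses to change the owner's role is an assumption of the example (the page only states that ownership moves through project settings).

```python
from dataclasses import dataclass

# Permission sets built cumulatively from the matrix: each role inherits
# everything below it and adds its own rows. Unknown roles get nothing.
VIEWER = frozenset({"view_flags", "view_services", "view_audit_logs", "view_members"})
MEMBER = VIEWER | {"create_flags", "update_flags", "toggle_flags", "create_services"}
ADMIN = MEMBER | {
    "delete_flags", "delete_services", "add_members", "remove_members",
    "change_roles", "manage_settings", "create_tokens", "revoke_tokens",
}
OWNER = ADMIN | {"delete_project", "change_slug"}
ROLE_PERMISSIONS = {"owner": OWNER, "admin": ADMIN, "member": MEMBER, "viewer": VIEWER}


@dataclass(frozen=True)
class Member:
    id: str
    role: str


class Forbidden(Exception):
    pass


def authorize(actor: Member, action: str, target: Member = None, new_role: str = None) -> None:
    """Raise Forbidden unless `actor` may perform `action`. Deny by default."""
    # 1. Coarse check against the matrix.
    if action not in ROLE_PERMISSIONS.get(actor.role, frozenset()):
        raise Forbidden(f"role {actor.role!r} may not {action}")

    # 2. Row-level rules the matrix alone cannot express.
    if action in ("add_members", "change_roles"):
        if new_role not in ROLE_PERMISSIONS:
            raise Forbidden(f"unknown role {new_role!r}")
        if new_role == "owner":
            # Ownership moves only through the transfer flow in project settings.
            raise Forbidden("owner cannot be assigned by invite or role change")
    if action == "change_roles":
        if target is None:
            raise Forbidden("change_roles needs a target member")
        if target.id == actor.id:
            raise Forbidden("you cannot change your own role")
        if target.role == "owner":
            # Assumption of this example: demoting the owner is not a role change
            # either; otherwise an admin could strip the owner's access.
            raise Forbidden("the owner's role changes only by ownership transfer")


def can(actor: Member, action: str, target: Member = None, new_role: str = None) -> bool:
    """Boolean convenience wrapper around authorize()."""
    try:
        authorize(actor, action, target, new_role)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    admin = Member("u2", "admin")
    print(can(admin, "change_roles", target=Member("u3", "member"), new_role="admin"))  # True
    print(can(admin, "change_roles", target=admin, new_role="member"))                 # False
    print(can(admin, "add_members", new_role="owner"))                                 # False
```

Keeping the sets cumulative makes the hierarchy explicit, and putting the self-modification and owner-assignment checks in the same function as the matrix lookup means no endpoint can pass the first and forget the second.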
Removing Members
```http
DELETE /api/projects/{id}/members/{memberId}
```

Removing a member revokes their access immediately. Their API tokens remain active until explicitly revoked.
When removing a team member, also revoke any API tokens they created. Tokens don't expire automatically when the creator loses access.
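An offboarding routine that follows the advice above: revoke every live token the member created, confirm none survive, and only then remove the member. This is an added example, not Flaggr's own code. Of the calls it makes, only member removal (`DELETE /api/projects/{id}/members/{memberId}`) appears on this page; the token listing and revocation methods, the `created_by` attribution, and the in-memory `InMemoryProject` stand-in are all assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Token:
    id: str
    created_by: str  # member id of the creator (assumed to be recorded per token)
    revoked: bool = False


class InMemoryProject:
    """Constructed stand-in for a Flaggr project API client (hypothetical method names)."""

    def __init__(self, members: dict, tokens: list):
        self.members = dict(members)               # member_id -> role
        self.tokens = {t.id: t for t in tokens}    # token_id -> Token

    def list_tokens(self) -> list:
        return list(self.tokens.values())

    def revoke_token(self, token_id: str) -> None:
        self.tokens[token_id].revoked = True

    def remove_member(self, member_id: str) -> None:
        del self.members[member_id]


def offboard(project, member_id: str) -> list:
    """Revoke every live token the member created, verify none survive, then remove them.

    Tokens go first: removing the member does not touch them, so a crash between
    the two steps would otherwise leave working credentials behind with no
    member record to remind anyone they exist. Returns the ids revoked.
    """
    def live_tokens():
        return [t for t in project.list_tokens()
                if t.created_by == member_id and not t.revoked]

    revoked = []
    for tok in live_tokens():
        project.revoke_token(tok.id)
        revoked.append(tok.id)

    leftover = [t.id for t in live_tokens()]
    if leftover:
        # Fail closed: do not remove the member while their credentials still work.
        raise RuntimeError(f"tokens still active for {member_id}: {leftover}")

    project.remove_member(member_id)
    return revoked


if __name__ == "__main__":
    # Constructed sample state: alice has two live tokens and one already revoked.
    proj = InMemoryProject(
        {"alice": "admin", "bob": "member"},
        [Token("t1", "alice"), Token("t2", "bob"), Token("t3", "alice", revoked=True), Token("t4", "alice")],
    )
    print(offboard(proj, "alice"))  # ['t1', 't4']
```

Re-reading the token list after revocation, rather than trusting that each revoke call succeeded, is what turns the procedure into a check: if the API silently fails or the creator attribution is missing, the member stays in place and the problem is visible instead of becoming an orphaned credential.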
Related
- Authentication & Tokens — Token types and management
- Audit Logging — Track permission changes
- REST API Reference — Team management endpoints