Permissions
RedStick AI uses a role-based permission system with a fixed permission matrix.
Roles
Every workspace member has one of three roles:
| Role | Description |
|---|---|
| Owner | Full control of the workspace, including billing. The owner role is held by the workspace creator. |
| Admin | All six platform permissions — identical to owner in the permission matrix. Billing-related API routes are restricted to the owner role via a separate role-level guard that is independent of the permission matrix. |
| Member | Limited permissions — can run and view executions. |
Permissions
Six permissions control access to platform features:
| Permission | Description |
|---|---|
| `execution:create` | Start new agent tasks |
| `execution:cancel` | Stop running tasks |
| `execution:view` | View task history and messages |
| `project:create` | Create new projects |
| `project:delete` | Permanently delete projects |
| `project:settings` | Modify project settings, environment variables, and services |
Permission Matrix
| Permission | Owner | Admin | Member |
|---|---|---|---|
| `execution:create` | Yes | Yes | Yes |
| `execution:cancel` | Yes | Yes | No |
| `execution:view` | Yes | Yes | Yes |
| `project:create` | Yes | Yes | No |
| `project:delete` | Yes | Yes | No |
| `project:settings` | Yes | Yes | No |
How Permissions Are Enforced
The permission matrix is fixed — it is the same for every workspace and cannot be customized. The matrix is applied in two places:
- API layer — every relevant endpoint checks the caller's role before executing (e.g., `POST /api/executions` requires `execution:create`).
- UI layer — buttons, forms, and routes that require a permission are hidden or disabled for roles that lack it.
Owner permissions cannot be modified — owners always have full access.
Managing Roles
Roles are assigned and changed in the Settings → Team & Billing page:
- Owners can assign or change any non-owner member's role (between `admin` and `member`).
- Admins can invite new members (assigned the `member` role). Admins cannot change any existing member's role — the role-change UI is restricted to owners, and the API blocks any admin-initiated role assignment that would result in a meaningful change.
- The `owner` role cannot be assigned or transferred — it belongs to the workspace creator. This is enforced both in the UI and at the API level.
Role changes take effect immediately — all active sessions for the affected user are invalidated so the new role applies on their next request.
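
The API-layer rules described above, as an added example that is not RedStick AI's own code: the fixed matrix, a deny-by-default lookup, the owner-only billing guard, and the role-change decision. All constant and function names are hypothetical, and letting an admin's no-op role request pass is an assumption drawn from the "meaningful change" wording.

```javascript
// Added example; every identifier here is hypothetical, not RedStick AI code.
const ALL = Object.freeze([
  'execution:create', 'execution:cancel', 'execution:view',
  'project:create', 'project:delete', 'project:settings',
]);
// Fixed matrix from the table above, frozen so nothing can customize it at runtime.
const MATRIX = Object.freeze({
  owner: ALL,
  admin: ALL,
  member: Object.freeze(['execution:create', 'execution:view']),
});
// The one route the page names; any route missing from this map is denied.
const ROUTE_PERMISSION = Object.freeze({ 'POST /api/executions': 'execution:create' });

const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Deny by default: unknown roles (including "__proto__") and unknown permissions fail.
function can(role, permission) {
  return own(MATRIX, role) && MATRIX[role].includes(permission);
}

// API-layer check: returns the HTTP status the endpoint should answer with.
function authorize(role, method, path) {
  const key = `${method} ${path}`;
  return own(ROUTE_PERMISSION, key) && can(role, ROUTE_PERMISSION[key]) ? 200 : 403;
}

// Billing is a role-level guard, independent of the matrix (admin equals owner there).
function canAccessBilling(role) {
  return role === 'owner';
}

// Role-change decision. invalidateSessions tells the caller to drop the
// target user's active sessions so the new role applies on the next request.
function decideRoleChange(actorRole, targetRole, newRole) {
  const deny = { ok: false, invalidateSessions: false };
  if (newRole !== 'admin' && newRole !== 'member') return deny; // owner is never assignable
  if (targetRole !== 'admin' && targetRole !== 'member') return deny; // owner cannot be changed
  const changed = targetRole !== newRole;
  if (actorRole === 'owner') return { ok: true, invalidateSessions: changed };
  // Assumption: an admin request passes only when it changes nothing.
  if (actorRole === 'admin' && !changed) return { ok: true, invalidateSessions: false };
  return deny;
}
```

The UI layer can reuse `can` to hide controls, but the server-side check is the one that decides.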
Troubleshooting
| Symptom | Likely cause | Resolution |
|---|---|---|
| "You don't have access to create projects." toast | Your role lacks project:create | Contact your workspace owner to be promoted to Admin |
| "You don't have access to project settings." toast followed by redirect | Your role lacks project:settings | You need Admin or Owner role to access project settings |
| Cancel button missing on a running task | Your role lacks execution:cancel | Only Admin and Owner can cancel executions |
| Team & Billing not visible in sidebar | Your role is Member | The Settings group is hidden for members; only admin and owner see it |