Roles & Permissions

Flagify uses role-based access control (RBAC) to manage what each workspace member can do. Every member has one role, and roles follow a strict hierarchy.

Roles

Role      Description
Owner     Full control. Billing, ownership transfer, and all admin capabilities.
Admin     Manages infrastructure and team: projects, environments, API keys, members.
Member    Day-to-day flag work: create, toggle, target, and promote flags.
Viewer    Read-only access to all resources. Cannot modify anything.

Each higher role inherits all permissions from the roles below it.

Permission Matrix

Viewer (read-only)

  • View all projects, flags, environments, segments, and members
  • View workspace usage and dashboard stats

Member (flag operations)

Everything a Viewer can do, plus:

  • Create and update flags
  • Toggle flags on/off in any environment
  • Set flag variants
  • Promote flags between environments
  • Configure targeting rules
  • Create and update segments

Admin (infrastructure + team)

Everything a Member can do, plus:

  • Create and update projects
  • Create, update, and delete environments
  • Generate and revoke API keys
  • Archive flags
  • Delete segments
  • Update workspace settings (name)
  • Add, update, and remove workspace members
  • View audit log

Owner (full control)

Everything an Admin can do, plus:

  • Transfer workspace ownership
  • Delete workspace

Role Assignment Rules

  • You cannot assign a role higher than your own (an Admin cannot make someone an Owner)
  • You cannot change your own role
  • You cannot modify or remove a member with an equal or higher role (unless you are an Owner)
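The inherited permission matrix and the three assignment rules above, as an added example that is not Flagify's own code. The permission string "flag:create" is taken from the 403 message on this page; every other permission name, and the ids, are assumptions chosen to mirror the matrix.

```python
# Added example, not Flagify's own code: models the role hierarchy, the
# inherited permission matrix and the role-assignment rules from this page.
# "flag:create" comes from the page's 403 message; the other permission
# names are assumptions chosen to mirror the matrix.

ROLE_RANK = {"viewer": 0, "member": 1, "admin": 2, "owner": 3}

# Permissions granted directly at each level; higher roles inherit the rest.
DIRECT_PERMS = {
    "viewer": {"project:view", "flag:view", "segment:view", "member:view"},
    "member": {"flag:create", "flag:update", "flag:toggle", "flag:promote",
               "segment:create", "segment:update"},
    "admin": {"project:create", "environment:delete", "apikey:create",
              "flag:archive", "segment:delete", "member:manage", "audit:view"},
    "owner": {"workspace:transfer", "workspace:delete"},
}

def permissions_for(role):
    """All permissions of a role, including those inherited from lower roles."""
    rank = ROLE_RANK[role]
    return {p for r, perms in DIRECT_PERMS.items()
            if ROLE_RANK[r] <= rank for p in perms}

def check_permission(role, permission):
    """Return None when allowed, else the 403 body shape shown on this page."""
    if permission in permissions_for(role):
        return None
    return {"code": "forbidden",
            "message": f"role '{role}' cannot perform '{permission}'"}

def can_change_role(actor_id, actor_role, target_id, target_role, new_role):
    """Apply the role-assignment rules; returns (allowed, reason)."""
    if check_permission(actor_role, "member:manage") is not None:
        return False, "role cannot manage members"
    if actor_id == target_id:
        return False, "cannot change your own role"
    if ROLE_RANK[new_role] > ROLE_RANK[actor_role]:
        return False, "cannot assign a role higher than your own"
    # Equal-or-higher targets are off limits unless the actor is an Owner.
    if actor_role != "owner" and ROLE_RANK[target_role] >= ROLE_RANK[actor_role]:
        return False, "cannot modify a member with an equal or higher role"
    return True, "ok"

def can_leave(member_role, owner_count):
    """Any member may leave, except the last remaining Owner."""
    return not (member_role == "owner" and owner_count <= 1)
```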

Leaving a Workspace

Any member can leave a workspace at any time using POST /v1/workspaces/:wid/leave, except for the last owner.

API Behavior

  • 401 Unauthorized — missing or invalid authentication token
  • 403 Forbidden — authenticated but lacking the required permission. The response includes which permission was denied:

    {
      "code": "forbidden",
      "message": "role 'viewer' cannot perform 'flag:create'"
    }

Audit Trail

Role changes and member removals are recorded in the workspace audit log with full context: who performed the action, the target member, and the old/new role.