Noxus authorization is permission-driven and split between:
- Workspace-level permissions — govern what a user can do inside a specific workspace.
- Organization-level permissions — control cross-workspace and tenant-wide administration.
Workspace-Level Permissions
These permissions are scoped to a workspace and stored as boolean flags on the user’s workspace role.
| Category | Permission key | Description |
|---|---|---|
| Flows | flows_edit | Create and edit workflows |
| Flows | flows_delete | Delete workflows |
| Flows | flows_run | Execute workflows |
| Flows | flows_advanced | Advanced workflow features (API deployment, versioning) |
| Agents | agents_edit | Create and edit AI agents |
| Agents | agents_delete | Delete agents |
| Agents | agents_run | Chat with and execute agents |
| Agents | agents_advanced | Advanced agent features |
| Knowledge Bases | kbs_edit | Create, upload, and manage documents |
| Knowledge Bases | kbs_delete | Delete knowledge bases |
| Knowledge Bases | kbs_query | Query and search knowledge bases |
| Knowledge Bases | kbs_advanced | Advanced KB features (ingestion pipelines, etc.) |
| Administration | integrations_edit | Connect and configure external integrations |
| Administration | users_edit | Invite and modify workspace members |
| Administration | users_delete | Remove members from the workspace |
| Administration | workspace_admin | Full workspace administration (settings, roles, API keys) |
workspace_admin cascade behavior
workspace_admin is a superset of the other administration permissions. When a user or API key has workspace_admin, the authorization layer grants:
- Full integrations access (create, read, edit, delete) — equivalent to integrations_edit plus create/delete.
- Full workspace users access (create, read, edit, delete) — equivalent to users_edit plus users_delete plus create.
integrations_edit alone grants read and edit on integrations. users_edit alone grants read and edit on workspace members. users_delete alone grants delete on workspace members.
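The cascade rules above can be modelled as a small deny-by-default lookup, which is handy when reviewing which actions a role holds only through workspace_admin. This is an added example, not Noxus code: `GRANTS`, `effective_actions`, `is_allowed` and `admin_only_actions` are hypothetical names, and treating only a literal `True` flag as a grant is an assumption.

```python
# Added illustration: all names here are hypothetical and model only the
# cascade rules stated on this page, not the product's implementation.
CRUD = frozenset({"create", "read", "edit", "delete"})

# Permission key -> {resource: actions}, as described in the text.
GRANTS = {
    "integrations_edit": {"integrations": {"read", "edit"}},
    "users_edit": {"users": {"read", "edit"}},
    "users_delete": {"users": {"delete"}},
    "workspace_admin": {"integrations": CRUD, "users": CRUD},
}


def effective_actions(flags):
    """Expand a role's boolean flags into per-resource action sets."""
    result = {"integrations": set(), "users": set()}
    for key, enabled in flags.items():
        if enabled is not True:  # assumption: only a literal True grants
            continue
        # Keys outside the administration category map to nothing here.
        for resource, actions in GRANTS.get(key, {}).items():
            result[resource] |= actions
    return result


def is_allowed(flags, resource, action):
    """Deny unless the expanded flags contain the requested action."""
    return action in effective_actions(flags).get(resource, set())


def admin_only_actions(flags):
    """Actions the role holds only because workspace_admin is set."""
    without = effective_actions({**flags, "workspace_admin": False})
    full = effective_actions(flags)
    return {resource: full[resource] - without[resource] for resource in full}


# Constructed sample roles (not taken from a real workspace).
EDITOR = {"integrations_edit": True, "users_edit": True, "users_delete": False}
ADMIN = {"workspace_admin": True}

if __name__ == "__main__":
    print(effective_actions(EDITOR))
    print(admin_only_actions({**EDITOR, "workspace_admin": True}))
```
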
Organization-Level Permissions
These permissions control tenant-wide operations and are checked independently of workspace membership.
| Category | Permission key | Description |
|---|---|---|
| Users | users_read | View all users in the organization |
| Users | users_invite | Invite new users to the organization |
| Users | users_edit | Modify user information |
| Users | users_delete | Remove users from the organization |
| Workspaces | workspace_read | View all workspaces |
| Workspaces | workspace_write | Create new workspaces |
| Workspaces | workspace_edit | Modify workspace settings |
| Workspaces | workspace_delete | Delete workspaces |
| Organization | org_read | View organization details |
| Organization | org_edit | Modify organization details |
| Organization | org_billing | Manage billing, subscriptions, and payment methods |
| Organization | org_admin | Full organization admin access |
| Settings | settings_read | View platform settings |
Role Scope
Workspace roles can be global or workspace-scoped:
- Global role (is_global=true) — applies to every workspace the user belongs to.
- Workspace-scoped role — applies only to the specific workspace the role was created for.
Global roles are created from the Roles → Workspace → All workspaces view. Workspace-scoped roles are created for a specific workspace.
Admin Configuration
Role-to-permission mapping and global authorization policy should be managed from Settings → Roles by users with workspace_admin (for workspace roles) or org_admin (for organization roles).
Keep role definitions small and composable. Use the individual permission keys as the stable contract rather than building monolithic admin roles.