Members & Roles
Invite members, assign roles, and configure granular permissions with RBAC.
Members & Roles
ProxifAI uses role-based access control (RBAC) to manage what members can see and do. Every member has a role at the organization level, and optionally different roles at the team or project level.
Inviting Members
Invite members from Settings > Members:
Send Invitations
Enter one or more email addresses and select a role. Invitations are sent via email with a link to join.
Pending Invitations
Pending invitations are listed with their status. You can resend or revoke invitations before they are accepted.
Member Joins
Once the invitation is accepted, the member appears in the active members list with their assigned role.
Default Roles
Three built-in workspace roles cover the most common access patterns. Defined in models.go as WorkspaceRoleOwner, WorkspaceRoleAdmin, WorkspaceRoleMember:
| Role | Capabilities |
|---|---|
| Owner | Full access to everything, including all 35 permissions plus admin.access. Can delete the organization, manage billing, and transfer ownership. |
| Admin | Same as Owner except no admin.access (cannot reach super-admin endpoints under /api/v1/admin/* or delete the org). |
| Member | Day-to-day contributor. Can create issues, write code, run workflows, dispatch agents. Cannot delete projects, manage integrations, edit workflows, or change settings. |
Read-only access is achieved by creating a custom role containing only *.read permissions — there’s no built-in “Viewer” role at the org level. Per-project access has its own three-value role enum (viewer / member / lead); see Authorization → Project-Level Roles.
Default workspace roles cannot be modified or deleted; they’re the floor every org gets seeded with.
Custom Roles
Create custom roles with granular permissions from Settings > Roles:
- Name and description — identify the role’s purpose
- Permission groups — select from categories: Projects, Issues, Code, Documents, AI, Workflows, Members, Settings
- Per-action permissions — within each group, toggle create, read, update, and delete independently
Example custom roles:
| Custom Role | Typical Use |
|---|---|
| Triage Lead | Can update issue priority, status, and assignee — but cannot edit code or merge PRs |
| CI Operator | Can trigger and manage pipelines — but cannot modify pipeline definitions |
| AI Reviewer | Can use AI chat and review agent outputs — but cannot approve PRs or deploy |
Custom roles are an OSS feature — no plan gating. See Authorization for the complete list of 35 granular permissions and how grant/deny overrides combine with role assignments.
Team Membership
Members can belong to one or more teams. Team membership provides:
- Scoped views — filter issues, PRs, and workflows to the team’s projects
- Team-level roles — override organization-level roles within the team’s scope
- Notifications — team members receive notifications for team-scoped activity
- Mention groups —
@team-namementions notify all team members
Managing Members
From the members list, administrators can:
- Change roles — reassign a member to a different organization or team role
- Remove members — revoke access immediately; the member’s authored content is preserved
- Suspend members — temporarily disable access without removing the member
- Transfer ownership — transfer the owner role to another admin (requires confirmation)
- View activity — see a member’s recent actions across the organization
Use the Activity tab on a member’s profile to audit recent actions — useful for security reviews and access audits.