
RBAC and Permissions

| Role Level | Scope | What It Controls | Example Use Cases | Can See/Manage |
|---|---|---|---|---|
| App-level | Entire application | All tenants, all data | Surkyl employees, support team | Everything across all tenants |
| Tenant-level | Single tenant | All workspaces in tenant | Company admins, billing managers | All workspaces/users in their tenant |
| Workspace-level | Single workspace | Single workspace & its content | Project editors, content creators | Only their specific workspace |

| Role Name | Scope | Description | Key Permissions | Typical User |
|---|---|---|---|---|
| Super Admin | App | Full system access | `app.admin.full`, `app.users.manage`, `app.tenants.manage` | Surkyl founders, CTO |
| Support Agent | App | View-only for support | `app.support.view`, `tenant.workspaces.view` | Customer support team |
| Platform Engineer | App | Manage infrastructure | `app.tenants.manage`, `app.users.view` | DevOps team |

| Role Name | Scope | Description | Key Permissions | Typical User |
|---|---|---|---|---|
| Tenant Owner | Tenant | Full tenant control | `tenant.admin.full`, all tenant permissions | Company founder/CEO |
| Tenant Admin | Tenant | Admin without billing | `tenant.members.manage`, `tenant.workspaces.view`, `tenant.settings.manage` | Company CTO/admin |
| Billing Manager | Tenant | Billing only | `tenant.billing.manage`, `tenant.billing.view` | Finance team |
| Tenant Member | Tenant | Basic access | `tenant.workspaces.view`, `workspace.view` | Regular employees |

| Role Name | Scope | Description | Key Permissions | Typical User |
|---|---|---|---|---|
| Workspace Owner | Workspace | Full workspace control | `workspace.admin.full`, all workspace permissions | Project lead |
| Workspace Editor | Workspace | Edit all content | `project.*`, `page.*` (create/read/update/delete) | Content team |
| Workspace Viewer | Workspace | Read-only access | `workspace.view`, `project.read`, `page.read` | Stakeholders, clients |
| Content Creator | Workspace | Create & edit own content | `project.create`, `page.create`, `page.update` (own) | Freelancers, contractors |
| Publisher | Workspace | Can publish to production | `project.publish`, `page.publish` | QA team, senior editors |

| Permission Code | Name | Resource | Action | Description | Used By Roles |
|---|---|---|---|---|---|
| `app.admin.full` | Full App Admin | ALL | admin | Complete system access | Super Admin |
| `app.users.manage` | Manage All Users | user | manage | CRUD any user | Super Admin |
| `app.tenants.manage` | Manage All Tenants | tenant | manage | CRUD any tenant | Super Admin, Platform Engineer |
| `app.tenants.view` | View All Tenants | tenant | read | View any tenant | Super Admin, Support Agent |
| `app.support.view` | Support View | ALL | view | View for support | Support Agent |
| `app.analytics.view` | View Analytics | analytics | read | Global analytics | Super Admin, Support Agent |

| Permission Code | Name | Resource | Action | Description | Used By Roles |
|---|---|---|---|---|---|
| `tenant.admin.full` | Tenant Admin | ALL | admin | Full tenant access | Tenant Owner |
| `tenant.settings.manage` | Manage Settings | tenant | manage | Edit tenant settings | Tenant Owner, Tenant Admin |
| `tenant.members.invite` | Invite Members | member | invite | Invite users to tenant | Tenant Owner, Tenant Admin |
| `tenant.members.manage` | Manage Members | member | manage | Edit member roles | Tenant Owner, Tenant Admin |
| `tenant.members.view` | View Members | member | read | View team members | All tenant roles |
| `tenant.workspaces.create` | Create Workspaces | workspace | create | Create new workspaces | Tenant Owner, Tenant Admin |
| `tenant.workspaces.view` | View All Workspaces | workspace | read | View all workspaces | Tenant Owner, Tenant Admin, Tenant Member |
| `tenant.workspaces.manage` | Manage All Workspaces | workspace | manage | Edit/delete any workspace | Tenant Owner, Tenant Admin |
| `tenant.billing.view` | View Billing | billing | read | View billing info | Tenant Owner, Billing Manager |
| `tenant.billing.manage` | Manage Billing | billing | manage | Update payment methods | Tenant Owner, Billing Manager |
| `tenant.roles.manage` | Manage Custom Roles | role | manage | Create/edit custom roles | Tenant Owner, Tenant Admin |

| Permission Code | Name | Resource | Action | Description | Used By Roles |
|---|---|---|---|---|---|
| `workspace.admin.full` | Workspace Admin | ALL | admin | Full workspace access | Workspace Owner |
| `workspace.settings.manage` | Manage Settings | workspace | manage | Edit workspace settings | Workspace Owner |
| `workspace.view` | View Workspace | workspace | read | View workspace | All workspace roles |
| `workspace.members.invite` | Invite Members | member | invite | Invite to workspace | Workspace Owner, Workspace Editor |
| `workspace.members.manage` | Manage Members | member | manage | Edit member roles | Workspace Owner |
| `project.create` | Create Projects | project | create | Create new projects | Workspace Owner, Editor, Content Creator |
| `project.read` | View Projects | project | read | View projects | All workspace roles |
| `project.update` | Edit Projects | project | update | Edit project details | Workspace Owner, Editor, Content Creator |
| `project.delete` | Delete Projects | project | delete | Delete projects | Workspace Owner, Editor |
| `project.publish` | Publish Projects | project | publish | Publish to production | Workspace Owner, Publisher |
| `page.create` | Create Pages | page | create | Create new pages | Workspace Owner, Editor, Content Creator |
| `page.read` | View Pages | page | read | View pages | All workspace roles |
| `page.update` | Edit Pages | page | update | Edit page content | Workspace Owner, Editor, Content Creator |
| `page.delete` | Delete Pages | page | delete | Delete pages | Workspace Owner, Editor |
| `page.publish` | Publish Pages | page | publish | Publish pages | Workspace Owner, Publisher |

| Custom Role Name | Scope | Permissions | Use Case |
|---|---|---|---|
| Client Manager | Tenant | `tenant.members.invite`, `tenant.workspaces.view`, `workspace.view` | Agency staff who manage clients |
| Designer | Workspace | `page.create`, `page.read`, `page.update`, `project.read` | Create designs, can't publish |
| Copywriter | Workspace | `page.create`, `page.read`, `page.update` (text only) | Write content |
| Account Manager | Workspace | `workspace.view`, `project.read`, `page.read`, `workspace.members.invite` | Client-facing, read-only + invite |
| Production Lead | Workspace | All workspace permissions except `billing.*` | Manages production team |

| Custom Role Name | Scope | Permissions | Use Case |
|---|---|---|---|
| Engineering Lead | Tenant | `tenant.workspaces.create`, `tenant.workspaces.view`, `workspace.admin.full` | Create workspaces for projects |
| Product Manager | Workspace | `project.*`, `page.read`, `workspace.members.invite` | Manage product workspace |
| QA Tester | Workspace | `project.read`, `page.read`, `project.publish`, `page.publish` | Test and approve releases |
| Documentation Writer | Workspace | `page.create`, `page.read`, `page.update`, `page.publish` | Technical docs |
| External Contractor | Workspace | `project.create`, `project.read`, `project.update`, `page.create`, `page.read`, `page.update` | Temporary access, no delete |

| Custom Role Name | Scope | Permissions | Use Case |
|---|---|---|---|
| Course Instructor | Workspace | `workspace.admin.full` (within their course workspace) | Manages their course |
| Teaching Assistant | Workspace | `page.create`, `page.read`, `page.update`, `project.read` | Helps with course content |
| Student | Workspace | `workspace.view`, `page.read` | View course materials |
| Guest Lecturer | Workspace | `page.create`, `page.read` (limited time) | Create guest content |

Role: Super Admin

| Permission Category | Permissions Granted |
|---|---|
| App | `app.admin.full`, `app.users.manage`, `app.tenants.manage`, `app.support.view`, `app.analytics.view` |
| Tenant | All tenant permissions (can access any tenant) |
| Workspace | All workspace permissions (can access any workspace) |
| Total Permissions | ~50+ permissions |

Role: Tenant Owner

| Permission Category | Permissions Granted |
|---|---|
| App | None |
| Tenant | `tenant.admin.full`, `tenant.settings.manage`, `tenant.members.manage`, `tenant.members.invite`, `tenant.workspaces.create`, `tenant.workspaces.view`, `tenant.workspaces.manage`, `tenant.billing.view`, `tenant.billing.manage`, `tenant.roles.manage` |
| Workspace | Can access all workspaces in their tenant (inherited) |
| Total Permissions | ~15-20 permissions |

Role: Tenant Admin

| Permission Category | Permissions Granted |
|---|---|
| App | None |
| Tenant | `tenant.settings.manage`, `tenant.members.manage`, `tenant.members.invite`, `tenant.members.view`, `tenant.workspaces.create`, `tenant.workspaces.view`, `tenant.workspaces.manage`, `tenant.roles.manage` |
| Workspace | Can access all workspaces in their tenant (inherited) |
| Total Permissions | ~10-12 permissions |

Role: Workspace Owner

| Permission Category | Permissions Granted |
|---|---|
| App | None |
| Tenant | None |
| Workspace | `workspace.admin.full`, `workspace.settings.manage`, `workspace.view`, `workspace.members.invite`, `workspace.members.manage`, `project.*`, `page.*` (all CRUD + publish) |
| Total Permissions | ~12-15 permissions |

Role: Workspace Editor

| Permission Category | Permissions Granted |
|---|---|
| App | None |
| Tenant | None |
| Workspace | `workspace.view`, `project.create`, `project.read`, `project.update`, `project.delete`, `page.create`, `page.read`, `page.update`, `page.delete` |
| Total Permissions | ~8-10 permissions |

Role: Workspace Viewer

| Permission Category | Permissions Granted |
|---|---|
| App | None |
| Tenant | None |
| Workspace | `workspace.view`, `project.read`, `page.read` |
| Total Permissions | 3 permissions |

Matrix 6: Permission Inheritance & Resolution

| User Has | Checking Permission On | Result | Why |
|---|---|---|---|
| App-level Super Admin | Any tenant | ✅ GRANTED | App-level roles can access anything |
| App-level Support Agent | Workspace in Tenant A | ✅ GRANTED | Has `app.support.view`, which allows viewing |
| Tenant-level Tenant Owner | Workspace in their tenant | ✅ GRANTED | Tenant admins inherit workspace access |
| Tenant-level Tenant Owner | Workspace in different tenant | ❌ DENIED | Tenant roles are scoped to their tenant |
| Workspace-level Workspace Editor | Project in their workspace | ✅ GRANTED | Has `project.update` permission |
| Workspace-level Workspace Editor | Project in different workspace | ❌ DENIED | Workspace roles are scoped to their workspace |
| Workspace-level Workspace Viewer | Publish a page | ❌ DENIED | Viewer role doesn't have `page.publish` |
| User with permission override DENY | Even with role granting permission | ❌ DENIED | Overrides take precedence over roles |
| User with permission override ALLOW | Without any role | ✅ GRANTED | Overrides grant direct access |

Matrix 7: Real-World User Journey Examples

Example 1: Marketing Agency - “Digital Spark Agency”

| User | Email | App Role | Tenant Role | Workspace Roles | What They Can Do |
|---|---|---|---|---|---|
| Sarah (Agency Owner) | [email protected] | None | Tenant Owner | Owner on all workspaces | Everything in Digital Spark tenant |
| Mike (Account Manager) | [email protected] | None | Tenant Admin | None (can access all via tenant role) | Manage team, view all client workspaces |
| Lisa (Designer) | [email protected] | None | Tenant Member | Editor on "Nike Campaign" workspace | Design pages for Nike only |
| John (Copywriter) | [email protected] | None | Tenant Member | Editor on "Nike Campaign" & "Adidas Campaign" | Write content for both clients |
| Client: Nike CMO | cmothenike.com | None | None | Viewer on "Nike Campaign" | View Nike workspace only (read-only) |

Example 2: SaaS Startup - “BuildFast Inc”

| User | Email | App Role | Tenant Role | Workspace Roles | What They Can Do |
|---|---|---|---|---|---|
| Emma (CEO) | [email protected] | None | Tenant Owner | Owner on all | Everything in BuildFast tenant |
| Alex (CTO) | [email protected] | None | Tenant Admin | Owner on "Engineering" workspace | Manage engineering workspace fully |
| Priya (PM) | [email protected] | None | Tenant Member | Editor on "Product" workspace | Manage product specs |
| Dan (Engineer) | [email protected] | None | Tenant Member | Editor on "Engineering", Viewer on "Product" | Code in Engineering, view Product roadmap |
| Amy (Contractor) | [email protected] | None | None | Content Creator on "Marketing" | Create marketing content only |

Example 3: Surkyl Internal - Platform Team

| User | Email | App Role | Tenant Role | Workspace Roles | What They Can Do |
|---|---|---|---|---|---|
| You (VivinMeth) | [email protected] | Super Admin | N/A | N/A | Everything everywhere |
| Support Agent | [email protected] | Support Agent | N/A | N/A | View any tenant/workspace for support |
| DevOps Engineer | [email protected] | Platform Engineer | N/A | N/A | Manage infrastructure, create tenants |

| Step | Question | If YES | If NO |
|---|---|---|---|
| 1 | Is there a permission override for this user+resource? | Use override (ALLOW/DENY) | Continue to step 2 |
| 2 | Does user have app-level role with this permission? | ✅ GRANT | Continue to step 3 |
| 3 | Is this a tenant-scoped resource? | Continue to step 4 | Continue to step 5 |
| 4 | Does user have tenant-level role with this permission in this tenant? | ✅ GRANT | Continue to step 5 |
| 5 | Is this a workspace-scoped resource? | Continue to step 6 | ❌ DENY |
| 6 | Does user have workspace-level role with this permission in this workspace? | ✅ GRANT | ❌ DENY |

Scenario: Agency wants “Client Reviewer” role

| Step | Action | Details |
|---|---|---|
| 1 | Choose scope | Workspace-level (client-specific) |
| 2 | Name role | "Client Reviewer" |
| 3 | Select permissions | `workspace.view`, `project.read`, `page.read`, `page.update` (add comments) |
| 4 | Save role | Role ID created in tenant |
| 5 | Assign to users | Assign client contacts to their workspace with this role |

Scenario: SaaS wants “Limited Engineer” role

| Step | Action | Details |
|---|---|---|
| 1 | Choose scope | Workspace-level |
| 2 | Name role | "Junior Developer" |
| 3 | Select permissions | `project.read`, `project.update`, `page.read`, `page.update` (no delete, no publish) |
| 4 | Save role | Role ID created |
| 5 | Assign to users | Assign junior developers |
| 6 | Set expiration | Optional: Set 3-month probation period |
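The two custom-role walkthroughs above (Client Reviewer, Junior Developer) share the same shape: pick a scope, pick permissions, save the role in the tenant, assign it, optionally with an expiry. The following is an added example, not Surkyl's own code; the CustomRole and Assignment types, the rule that a role may only carry permissions at its own scope or below, and the expiry handling are assumptions. The permission codes are the ones from the permission tables on this page.

```python
"""Custom role definition and time-limited assignment (illustrative, not Surkyl's code)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

# Wider scopes rank higher; used to refuse a role that carries permissions above its scope.
SCOPE_RANK = {"app": 3, "tenant": 2, "workspace": 1}


def permission_scope(code: str) -> str:
    """app.* and tenant.* name their scope in the prefix; workspace.*, project.* and page.* are workspace-scoped."""
    prefix = code.split(".", 1)[0]
    return prefix if prefix in ("app", "tenant") else "workspace"


@dataclass(frozen=True)
class CustomRole:
    name: str
    scope: str                    # "tenant" or "workspace": custom roles are created inside a tenant
    permissions: frozenset[str]
    tenant_id: str                # step 4: the role record lives in the tenant that created it


def define_custom_role(tenant_id: str, name: str, scope: str, permissions: Iterable[str]) -> CustomRole:
    """Steps 1-4: validate scope and permissions, then create the role (assumed validation rules)."""
    if scope not in ("tenant", "workspace"):
        raise ValueError(f"custom roles are tenant- or workspace-scoped, not {scope!r}")
    perms = frozenset(permissions)
    if not perms:
        raise ValueError("a role must grant at least one permission")
    # Least-privilege guard: a workspace-level role must not carry tenant.* or app.* permissions.
    too_broad = sorted(p for p in perms if SCOPE_RANK[permission_scope(p)] > SCOPE_RANK[scope])
    if too_broad:
        raise ValueError(f"{name!r} is {scope}-scoped but carries broader permissions: {too_broad}")
    return CustomRole(name, scope, perms, tenant_id)


@dataclass(frozen=True)
class Assignment:
    user_id: str
    role: CustomRole
    target_id: str                          # the tenant or workspace the role applies to
    expires_at: Optional[datetime] = None   # step 6: optional probation / limited-time access


def assign_role(user_id: str, role: CustomRole, target_id: str, now: datetime,
                duration: Optional[timedelta] = None) -> Assignment:
    """Step 5 (and 6): bind the role to a user on one target, with an optional expiry."""
    return Assignment(user_id, role, target_id, now + duration if duration else None)


def is_active(assignment: Assignment, now: datetime) -> bool:
    return assignment.expires_at is None or now < assignment.expires_at


def effective_permissions(assignments: Iterable[Assignment], target_id: str, now: datetime) -> frozenset[str]:
    """Union of permissions from still-active assignments on one target; expired ones drop out automatically."""
    perms: set[str] = set()
    for a in assignments:
        if a.target_id == target_id and is_active(a, now):
            perms |= a.role.permissions
    return frozenset(perms)


def run_scenarios() -> dict:
    """Walk both scenarios from the tables above with constructed ids and a fixed clock."""
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    reviewer = define_custom_role("tenant-agency", "Client Reviewer", "workspace",
                                  {"workspace.view", "project.read", "page.read", "page.update"})
    junior = define_custom_role("tenant-saas", "Junior Developer", "workspace",
                                {"project.read", "project.update", "page.read", "page.update"})
    probation = assign_role("dan", junior, "ws-engineering", now, timedelta(days=90))
    try:  # a workspace role smuggling in a tenant permission is refused
        define_custom_role("tenant-saas", "Too Broad", "workspace", {"tenant.billing.view", "page.read"})
        rejected = False
    except ValueError:
        rejected = True
    return {
        "reviewer_scope": reviewer.scope,
        "junior_can_delete": "project.delete" in junior.permissions,
        "active_day_1": is_active(probation, now + timedelta(days=1)),
        "active_day_100": is_active(probation, now + timedelta(days=100)),
        "perms_day_1": effective_permissions([probation], "ws-engineering", now + timedelta(days=1)),
        "perms_day_100": effective_permissions([probation], "ws-engineering", now + timedelta(days=100)),
        "broad_role_rejected": rejected,
    }


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

Expiry is evaluated at check time rather than by a cleanup job, so a forgotten probation assignment or a guest lecturer's limited-time access stops granting anything the moment it lapses, even if nobody revokes it.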

Matrix 10: Permission Code Naming Convention

| Pattern | Example | Breakdown |
|---|---|---|
| `{scope}.{resource}.{action}` | `workspace.project.create` | Workspace scope, project resource, create action |
| `{scope}.admin.full` | `tenant.admin.full` | Full admin at tenant scope |
| `{scope}.{resource}.manage` | `tenant.members.manage` | Multiple actions (CRUD) on resource |

| Permission Code | Scope | Resource | Action | Meaning |
|---|---|---|---|---|
| `app.admin.full` | app | (all) | admin | Complete app access |
| `tenant.settings.manage` | tenant | settings | manage | Edit tenant settings |
| `workspace.view` | workspace | workspace | read | View workspace |
| `project.create` | workspace | project | create | Create projects |
| `page.publish` | workspace | page | publish | Publish pages to production |
| `tenant.billing.view` | tenant | billing | read | View billing information |

```
USER
├─[has]→ APP ROLE(s)
│   └─[contains]→ APP-LEVEL PERMISSIONS
│                 (access to all tenants)
├─[has]→ TENANT ROLE(s) in Tenant A, B, C...
│   └─[contains]→ TENANT-LEVEL PERMISSIONS
│                 (access to all workspaces in that tenant)
├─[has]→ WORKSPACE ROLE(s) in Workspace X, Y, Z...
│   └─[contains]→ WORKSPACE-LEVEL PERMISSIONS
│                 (access to that specific workspace)
└─[has]→ PERMISSION OVERRIDES (optional)
    └─[grants/denies]→ SPECIFIC PERMISSIONS on SPECIFIC RESOURCES
                       (highest priority)

PERMISSION CHECK FLOW:
1. Check permission overrides first (if one exists, use it)
2. Check app-level roles (if granted, allow)
3. Check tenant-level roles (if granted in this tenant, allow)
4. Check workspace-level roles (if granted in this workspace, allow)
5. Otherwise, deny
```
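The check flow above, the six-step decision table, and the expected outcomes in Matrix 6 describe one resolution algorithm. The following is an added example that implements it, not Surkyl's own code. The User and Resource types, the wildcard rules (`{scope}.admin.full` covers every permission at that scope or below, `resource.*` covers every action on the resource, and `app.support.view` satisfies any read/view permission) and the per-tenant and per-workspace role maps are assumptions; the role definitions and permission codes are taken from the tables on this page.

```python
"""Permission resolution: override, then app, tenant, workspace roles, else deny (illustrative)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Role definitions copied from the role tables on this page (constructed data, subset of roles).
ROLES: dict[str, set[str]] = {
    "Super Admin":      {"app.admin.full"},
    "Support Agent":    {"app.support.view", "tenant.workspaces.view"},
    "Tenant Owner":     {"tenant.admin.full"},
    "Tenant Member":    {"tenant.workspaces.view", "workspace.view"},
    "Workspace Editor": {"project.*", "page.*", "workspace.view", "workspace.members.invite"},
    "Workspace Viewer": {"workspace.view", "project.read", "page.read"},
    "Publisher":        {"project.publish", "page.publish"},
}

SCOPE_RANK = {"app": 3, "tenant": 2, "workspace": 1}


def permission_scope(code: str) -> str:
    """app.* and tenant.* name their scope; workspace.*, project.* and page.* sit at workspace scope."""
    prefix = code.split(".", 1)[0]
    return prefix if prefix in ("app", "tenant") else "workspace"


def grants(held: str, wanted: str) -> bool:
    """Does one held permission code satisfy a requested one? (assumed wildcard semantics)"""
    if held == wanted:
        return True
    if held.endswith(".admin.full"):  # full admin at a scope covers that scope and everything below it
        return SCOPE_RANK[permission_scope(held)] >= SCOPE_RANK[permission_scope(wanted)]
    if held.endswith(".*"):  # project.* covers project.create, project.delete, ...
        return wanted.startswith(held[:-1])
    if held == "app.support.view":  # resource ALL, action view: any read-type permission (Matrix 6, row 2)
        return wanted.rsplit(".", 1)[-1] in ("read", "view")
    return False


@dataclass(frozen=True)
class Resource:
    tenant_id: Optional[str] = None      # None for app-level resources (users, tenants themselves)
    workspace_id: Optional[str] = None   # None unless the resource lives inside a workspace


@dataclass
class User:
    app_roles: set[str] = field(default_factory=set)
    tenant_roles: dict[str, set[str]] = field(default_factory=dict)     # tenant_id -> role names
    workspace_roles: dict[str, set[str]] = field(default_factory=dict)  # workspace_id -> role names
    overrides: dict[tuple[str, Resource], str] = field(default_factory=dict)  # (permission, resource) -> ALLOW|DENY


def _roles_grant(role_names, permission: str) -> bool:
    return any(grants(p, permission) for r in role_names for p in ROLES.get(r, ()))


def check(user: User, permission: str, resource: Resource) -> tuple[bool, str]:
    """Return (granted, reason) following the check flow: deny is the default, not a fall-through."""
    # Step 1: an explicit override beats every role, in both directions (Matrix 6, rows 8-9).
    override = user.overrides.get((permission, resource))
    if override is not None:
        return override == "ALLOW", "override"
    # Step 2: app-level roles reach every tenant and workspace.
    if _roles_grant(user.app_roles, permission):
        return True, "app role"
    # Steps 3-4: tenant-level roles count only in the tenant that owns the resource.
    if resource.tenant_id is not None and _roles_grant(user.tenant_roles.get(resource.tenant_id, ()), permission):
        return True, "tenant role"
    # Steps 5-6: workspace-level roles count only in the resource's own workspace.
    if resource.workspace_id is not None and _roles_grant(user.workspace_roles.get(resource.workspace_id, ()), permission):
        return True, "workspace role"
    return False, "no matching role"


if __name__ == "__main__":
    ws = Resource("tenant-a", "ws-1")
    owner = User(tenant_roles={"tenant-a": {"Tenant Owner"}})
    print(check(owner, "project.update", ws))                      # (True, 'tenant role')
    print(check(owner, "project.update", Resource("tenant-b", "ws-9")))  # (False, 'no matching role')
    print(check(User(app_roles={"Support Agent"}), "page.update", ws))    # (False, 'no matching role')
```

Two properties worth noting when auditing such a resolver: the override lookup is keyed on the exact (permission, resource) pair, so a DENY cannot be sidestepped by holding a broader role, and a tenant role is only consulted for resources whose `tenant_id` matches, which is what keeps a Tenant Owner in Tenant A out of Tenant B.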

This system gives you maximum flexibility while remaining performant and easy to understand. Users can have multiple roles at different scopes, and custom roles can be created at any scope level! 🎯