Skip to content

Documentation Index

Fetch the complete documentation index at: https://makakoo-traylinx-35.mintlify.app/llms.txt Use this file to discover all available pages before exploring further.

Role-Based Access Control

Understand the Owner, Admin, and Member roles and their permissions in TrayLinx.

TrayLinx uses role-based access control (RBAC) to determine what each user can do within an organization and its projects. Roles are assigned at the organization level and can be overridden at the project level.

The three roles

Every organization member has one of three roles:

Full control over the organization. Can manage all settings, members, projects, billing, and can delete the organization. Typically the person who created the organization.

Can manage members (invite, update roles, remove), create and delete projects, and access organization settings. Cannot delete the organization or transfer ownership.

Can view the organization and its projects. Limited to read and contribute actions within projects. Cannot manage members or organization settings.

Permissions matrix

The following table shows what each role can do at the organization level.

Permission Owner Admin Member
View organization
View member list
Update organization name
Access organization settings
Invite members
Update member roles
Remove members
Create projects
Delete projects
Manage billing and subscriptions
Manage organization wallet
Delete organization

Admins cannot promote other users to Owner. Only an existing Owner can transfer or assign the Owner role.

Project-level permissions

Roles also apply within projects. When a member joins an organization, their organization role determines their default access across all projects. A project-specific role can override this default for individual projects.

Permission Owner/Admin Member
View project
Create and manage API keys
Add LLM credentials
Manage project members
Create and edit notebooks
Access AI Studio tools
View project analytics
Delete project

Access types

Beyond roles, TrayLinx tracks two access types for organization members:

  • Organization Member (ORGANIZATION_MEMBER) — Has organization-wide membership. Automatically has access to all projects within the organization, with their role determining what they can do in each.
  • Project-Only Member (PROJECT_ONLY_MEMBER) — Has no organization-wide membership. Access is limited to the specific projects they were explicitly added to.

You can convert an organization member to a project-only member through the Member Management dialog. This removes their organization membership and grants them direct access to the projects you specify.

Denied project access

Owners and Admins can explicitly deny a member access to a specific project, even if that member has organization-wide membership. A denied member's project role is set to DENIED and they cannot view or interact with that project.

To restore access, click Restore on the denied project in the member management dialog.

Permission guards in the UI

TrayLinx enforces permissions at two layers:

  1. Route guards — The OrganizationPermissionGuard and OrganizationSettingsGuard components check permissions before rendering protected pages. If a user navigates to a settings URL without sufficient permissions, they are redirected to the organization overview page.

  2. Element-level guards — Buttons and controls in the UI are conditionally rendered based on the current user's permissions. For example, the Create Project button is only shown when canCreateProject is true, and the Add Member button is only active when canAddUser is true.

Permissions are derived from the meta.can object returned by the API and cached locally. They are automatically refreshed when a 403 response is received or when a role-change event is dispatched.

Changing a member's role

Navigate to the organization, then click the Settings icon in the header. You must be an Owner or Admin.

Select the Members tab in the settings page.

Click the row of the member whose role you want to change to open the Member Management dialog.

In the Organization Membership section, click Edit Role. A dropdown appears with the available roles: Owner, Admin, Member, and Viewer.

Choose the new role and click Save. The change takes effect immediately and the page refreshes the member list.

You cannot change your own role. If you need to transfer ownership, ask another Owner to update your role, or contact TrayLinx support.

Only Owners and Admins can access organization settings. If you are a Member or a project-only member, the Settings button is not shown and accessing the settings URL directly will redirect you to the organization overview.

No. Admins can assign the Member and Admin roles, but cannot promote users to Owner. This restriction is enforced by the API and returns an INSUFFICIENT_PERMISSIONS error code if attempted.

For organization members, the new role applies across all projects immediately. Any project-specific role overrides remain in place — those are not affected by a change to the organization role.

The Viewer role appears in the project access management table within the Member Management dialog. It grants read-only access to a specific project. Viewers can see project content but cannot create or modify resources.

Built with Mintlify.