Roles And Permissions
How to reason about WyrdOS workspace access and resource visibility
Use workspace access as the boundary for normal product use. Use API key permissions as the boundary for scripts and agents.
Workspace Access
WyrdOS supports personal and organisation-level workspaces. Organisation workspaces should have named owners who are responsible for:
- Inviting and removing members.
- Deciding which work belongs in the workspace.
- Reviewing API keys and integrations.
- Handling enterprise requirements such as SSO, admin controls, and compliance review.
Some API resources expose sharing metadata such as sharedRole or orgAccess. Treat those fields as visibility signals for the authenticated context, not as a replacement for reviewing membership and key scope.
Least-Privilege Pattern
| Actor | Recommended access |
|---|---|
| Individual contributor | App access to the workspace areas they use. |
| Workspace admin | App access plus responsibility for membership, API keys, and rollout decisions. |
| Read-only script | API key with read permission only. |
| Import or sync job | API key with read and write permissions, limited to the deployment that needs it. |
| Cleanup job | API key with delete permission only when deletion is the expected operation. |
| External agent | Prefer read access and evidence proposals; avoid direct accepted evidence writes unless explicitly approved. |
Review Checklist
Before adding a user, script, or agent:
- Confirm the workspace it should use.
- Confirm whether it needs read, write, or delete access.
- Confirm who owns the key or integration.
- Confirm how access will be revoked.
- Confirm whether output can include sensitive workspace data.
If the answer depends on an enterprise identity provider or custom role model, route the request through Enterprise Handoff.
© 2026 WyrdOS
All rights reserved.
All rights reserved.