Organization Roles
Organization roles control what members can do within an organization. They are scoped to a single organization and separate from application-level roles.
Built-in Roles
The dashboard ships with two role presets:
| Role | Description |
|---|---|
| Admin | Can update org settings, invite/remove members, change member roles, and delete the organization. |
| Member | Can read the org and its members; cannot change settings or manage members. |
Today, role strings are free-form (1–64 characters): the dashboard exposes `admin` and `member`, but the backend accepts any string of that length, so any other value is stored as-is and matches neither preset. A fine-grained permission model (`org:manage`, `org:members:write`, …) and a `requireOrgPermission()` middleware are tracked as a follow-up.
Last-admin Guard
The backend enforces that an organization always has at least one admin. Attempts to demote or remove the only admin return 409 Conflict, and the dashboard surfaces this inline so the user can pick a different action.
Role Assignment
- When a user creates an organization, they're inserted as `admin` in the same database batch.
- When a user accepts an invitation, they're assigned the role from the invitation (defaults to `member`).
- Admins can change a member's role at any time from the Members tab.
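The following is an added example, not the project's own code: an in-memory model of the last-admin guard and the role-assignment rules described above. The `OrgStore` class, its method names, the free-form role validation and the HTTP-style status codes in the result object are assumptions made for illustration; only the rules themselves (creator becomes `admin`, invitations default to `member`, demoting or removing the only admin is a 409) come from this page.

```typescript
// Added example (not the project's own code): an in-memory model of the
// membership rules on this page. The store, method names and HTTP-style
// status codes are assumptions for illustration.

type Role = string; // free-form today: 1-64 characters; presets are "admin" and "member"

interface Membership {
  orgId: string;
  userId: string;
  role: Role;
}

interface Invitation {
  orgId: string;
  userId: string;
  role?: Role; // absent means the default, "member"
}

// Outcome of a membership change, modelled on HTTP responses: 200/201 on
// success, 400 for an invalid role string, 404 for an unknown member,
// 409 Conflict when the last-admin guard refuses the change.
interface Result {
  status: 200 | 201 | 400 | 404 | 409;
  error?: string;
}

function isValidRole(role: Role): boolean {
  return role.length >= 1 && role.length <= 64;
}

class OrgStore {
  private members: Membership[] = [];

  // Creating an organization inserts the creator as `admin` in the same
  // step, so the org never exists without at least one admin.
  createOrganization(orgId: string, creatorId: string): Result {
    this.members.push({ orgId, userId: creatorId, role: "admin" });
    return { status: 201 };
  }

  // The role comes from the invitation and defaults to `member`.
  acceptInvitation(inv: Invitation): Result {
    const role = inv.role ?? "member";
    if (!isValidRole(role)) return { status: 400, error: "role must be 1-64 characters" };
    this.members.push({ orgId: inv.orgId, userId: inv.userId, role });
    return { status: 201 };
  }

  roleOf(orgId: string, userId: string): Role | undefined {
    return this.members.find(m => m.orgId === orgId && m.userId === userId)?.role;
  }

  // Admins in the org other than the member being changed.
  private otherAdmins(orgId: string, excludeUser: string): number {
    return this.members.filter(
      m => m.orgId === orgId && m.role === "admin" && m.userId !== excludeUser,
    ).length;
  }

  // Last-admin guard: true when the target is an admin and nobody else is.
  private isLastAdmin(orgId: string, userId: string): boolean {
    return this.roleOf(orgId, userId) === "admin" && this.otherAdmins(orgId, userId) === 0;
  }

  // Admins can change any member's role; demoting the only admin is refused.
  changeRole(orgId: string, userId: string, newRole: Role): Result {
    if (!isValidRole(newRole)) return { status: 400, error: "role must be 1-64 characters" };
    const target = this.members.find(m => m.orgId === orgId && m.userId === userId);
    if (!target) return { status: 404, error: "not a member" };
    if (newRole !== "admin" && this.isLastAdmin(orgId, userId)) {
      return { status: 409, error: "organization must keep at least one admin" };
    }
    target.role = newRole;
    return { status: 200 };
  }

  // Removing the only admin is refused for the same reason.
  removeMember(orgId: string, userId: string): Result {
    if (this.roleOf(orgId, userId) === undefined) return { status: 404, error: "not a member" };
    if (this.isLastAdmin(orgId, userId)) {
      return { status: 409, error: "organization must keep at least one admin" };
    }
    this.members = this.members.filter(m => !(m.orgId === orgId && m.userId === userId));
    return { status: 200 };
  }

  memberCount(orgId: string): number {
    return this.members.filter(m => m.orgId === orgId).length;
  }
}

// Constructed walk-through: create an org, accept an invitation for a second
// user, try to demote the sole admin (refused), promote the second user, retry.
const demo = new OrgStore();
demo.createOrganization("org_1", "alice");
demo.acceptInvitation({ orgId: "org_1", userId: "bob" });
const blocked = demo.changeRole("org_1", "alice", "member").status; // 409
demo.changeRole("org_1", "bob", "admin");
const allowed = demo.changeRole("org_1", "alice", "member").status; // 200
console.log({ blocked, allowed });
```

Two things the in-memory model hides. First, on a real backend the admin count and the write must be one atomic operation (a transaction, or a conditional `UPDATE`/`DELETE` that re-checks the count), because a check-then-write across two queries lets two concurrent demotions of the only two admins each see the other as remaining and leave the organization with none. Second, the guard keys on the target's current role: re-assigning `admin` to an admin or removing a plain member never triggers it, which is the behaviour the dashboard relies on when it offers the user a different action.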
On the Roadmap
- An `organization_roles` table with per-app role definitions
- An `org:*` permission catalog and a `requireOrgPermission()` middleware
- A role editor in the dashboard