Skip to main content

Permissions

Permissions in Typograph are resource-scoped. Every action checks the role you hold on the specific resource you're touching — team, project, or template — not a single global role per user.

How Permissions Are Granted

  • Joining an organization gives you an organization role (owner, admin, member). This controls organization-wide administration only.
  • Being invited to a team, project, or template gives you a resource role (owner, editor, commenter, viewer) on that resource. It inherits to children of that resource — e.g. an editor on a project can edit templates in that project.

Permission Model

At a glance:

CapabilityOwnerEditorCommenterViewer
View contents
Comment
Edit content
Invite others
Change roles
Delete / move to trash

(Exact capabilities are maintained by the Identity Service and may expand over time. The Portal always reflects live configuration.)

Organization-Only Capabilities

These aren't controlled by resource roles — only by organization role:

CapabilityOwnerAdminMember
View org members
Invite org members
Manage OAuth apps
Manage webhooks
Change subscription
Delete organization

Sharing a Resource

  1. Open the team, project, or template.
  2. Click Invite.
  3. Enter email, pick a role.
  4. The invitee receives an invite — once accepted, the resource shows up under Shared with me.

An invite to a team gives access to everything in that team. An invite to a specific project or template limits access to just that scope.

Revoking Access

Open the resource's Share dialog and remove the user, or change their role. Removal is immediate — their next request fails with a 403.

API Parity

The same permission checks apply over the REST API. Token scopes (file:read, file:write, file:delete) gate the categories of operations, and resource-role checks gate the specific resources the token can touch. See API → Token Types and API → Scopes.