Roles & Permissions
Control what team members can do with role-based access
A Role is a collection of permissions that define what team members can do within Fide. Instead of assigning individual permissions to every user, you assign a role that groups the necessary access into a single label.
Fide provides four built-in roles. These are predefined groups of permissions that cover the most common access patterns (see the Role Permission Matrix for a full breakdown):
| Role | Description |
|---|---|
| Admin | Full administrative access |
| Leader | Can manage projects, goals, and tools. Cannot manage team members or billing. |
| Member | Standard contributor access |
| Viewer | Read-only access |
Teams can also create custom roles scoped to that team.
Permissions control specific actions. They follow a resource.action pattern:
| Permission | Description |
|---|---|
| team.create | Create sub-teams |
| team.update | Update team settings, name, and billing |
| team.delete | Delete teams |
| team.invite | Invite new members |
| team.remove_member | Remove members |

| Permission | Description |
|---|---|
| tasks.view | View tasks |
| tasks.create | Create tasks |
| tasks.update | Update task details and status |
| tasks.delete | Delete tasks |
| tasks.assign | Assign tasks to others |

| Permission | Description |
|---|---|
| projects.view | View projects |
| projects.create | Create projects |
| projects.update | Update project details |
| projects.delete | Delete projects |
| goals.view | View goals |
| goals.create | Create goals |
| goals.update | Update goals |
| goals.delete | Delete goals |

| Permission | Description |
|---|---|
| messages.view | View messages |
| messages.send | Send messages |
| messages.delete | Delete messages |

| Permission | Description |
|---|---|
| agents.view | View AI agents |
| agents.create | Create new AI agents |
| agents.edit | Edit AI agents |
| agents.delete | Delete AI agents |

| Permission | Description |
|---|---|
| connections.view | View available tool connections |
| connections.create | Create platform connections |
| connections.update | Update connection settings |
| connections.delete | Disconnect platforms |
| workflows.view | View workflows |
| workflows.create | Create workflows |
| workflows.edit | Edit workflows |
| workflows.delete | Delete workflows |
Role Permission Matrix
| Permission | Admin | Leader | Member | Viewer |
|---|---|---|---|---|
| Team Management | | | | |
| team.create | ✓ | | | |
| team.update | ✓ | | | |
| team.delete | ✓ | | | |
| team.invite | ✓ | | | |
| team.remove_member | ✓ | | | |
| Tasks | | | | |
| tasks.view | ✓ | ✓ | ✓ | ✓ |
| tasks.create | ✓ | ✓ | ✓ | |
| tasks.update | ✓ | ✓ | ✓ | |
| tasks.delete | ✓ | ✓ | ✓ | |
| tasks.assign | ✓ | ✓ | ✓ | |
| Projects | | | | |
| projects.view | ✓ | ✓ | ✓ | ✓ |
| projects.create | ✓ | ✓ | ✓ | |
| projects.update | ✓ | ✓ | ✓ | |
| projects.delete | ✓ | ✓ | ✓ | |
| Goals | | | | |
| goals.view | ✓ | ✓ | ✓ | ✓ |
| goals.create | ✓ | ✓ | ✓ | |
| goals.update | ✓ | ✓ | ✓ | |
| goals.delete | ✓ | ✓ | ✓ | |
| Messages | | | | |
| messages.view | ✓ | ✓ | ✓ | ✓ |
| messages.send | ✓ | ✓ | ✓ | |
| messages.delete | ✓ | | | |
| Agents | | | | |
| agents.view | ✓ | | | |
| agents.create | ✓ | | | |
| agents.edit | ✓ | | | |
| agents.delete | ✓ | | | |
| Connections | | | | |
| connections.view | ✓ | ✓ | | ✓ |
| connections.create | ✓ | ✓ | | |
| connections.update | ✓ | ✓ | | |
| connections.delete | ✓ | ✓ | | |
| Workflows | | | | |
| workflows.view | ✓ | ✓ | ✓ | ✓ |
| workflows.create | ✓ | ✓ | ✓ | |
| workflows.edit | ✓ | ✓ | ✓ | |
| workflows.delete | ✓ | | | |
Permissions are enforced at the database level using Postgres Row-Level Security. This means:
- Automatic enforcement - Security is built into every query
- No bypass - Even direct database access respects RLS policies
- Team-scoped - Policies check team membership via has_permission() and is_team_member() functions
Teams can create custom roles with specific permission sets:
- Custom roles are scoped to a single team (team_id is set)
- Built-in roles are global (team_id is NULL)
- Team admins can manage custom roles via the team.update permission
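How the Row-Level Security enforcement and the team_id scoping of custom roles described above can fit together for a tasks table, as an added example that is not Fide's own schema or code. The tables, the `app.user_id` session setting, the `current_user_id()` helper, and the signatures of `has_permission()` and `is_team_member()` are all assumptions.

```sql
-- Constructed schema: every table, column and function signature below is an
-- assumption made for this example, not Fide's actual schema.
CREATE TABLE roles (id uuid PRIMARY KEY, name text NOT NULL,
                    team_id uuid);  -- NULL = built-in (global), set = custom
CREATE TABLE role_permissions (
  role_id    uuid REFERENCES roles(id),
  permission text NOT NULL,         -- resource.action, e.g. 'tasks.update'
  PRIMARY KEY (role_id, permission));
CREATE TABLE team_members (
  team_id uuid, user_id uuid, role_id uuid REFERENCES roles(id),
  PRIMARY KEY (team_id, user_id));
CREATE TABLE tasks (id uuid PRIMARY KEY, team_id uuid NOT NULL, title text);

-- Assumption: the application (not the end user) sets the caller's id per session.
CREATE FUNCTION current_user_id() RETURNS uuid LANGUAGE sql STABLE AS
$$ SELECT nullif(current_setting('app.user_id', true), '')::uuid $$;

-- SECURITY DEFINER lets policies read membership rows; search_path is pinned.
CREATE FUNCTION is_team_member(p_team uuid) RETURNS boolean
LANGUAGE sql STABLE SECURITY DEFINER SET search_path = public AS $$
  SELECT EXISTS (SELECT 1 FROM team_members m
                 WHERE m.team_id = p_team AND m.user_id = current_user_id())
$$;

CREATE FUNCTION has_permission(p_team uuid, p_perm text) RETURNS boolean
LANGUAGE sql STABLE SECURITY DEFINER SET search_path = public AS $$
  SELECT EXISTS (
    SELECT 1 FROM team_members m
    JOIN roles r            ON r.id = m.role_id
    JOIN role_permissions p ON p.role_id = r.id
    WHERE m.team_id = p_team AND m.user_id = current_user_id()
      AND (r.team_id IS NULL OR r.team_id = p_team)  -- custom role must belong to this team
      AND p.permission = p_perm)
$$;

ALTER TABLE tasks ENABLE ROW LEVEL SECURITY;
ALTER TABLE tasks FORCE ROW LEVEL SECURITY;  -- apply policies to the table owner too

CREATE POLICY tasks_select ON tasks FOR SELECT
  USING (is_team_member(team_id) AND has_permission(team_id, 'tasks.view'));
CREATE POLICY tasks_insert ON tasks FOR INSERT
  WITH CHECK (has_permission(team_id, 'tasks.create'));
CREATE POLICY tasks_update ON tasks FOR UPDATE
  USING (has_permission(team_id, 'tasks.update'))
  WITH CHECK (has_permission(team_id, 'tasks.update'));  -- row cannot move to a team without the permission
CREATE POLICY tasks_delete ON tasks FOR DELETE
  USING (has_permission(team_id, 'tasks.delete'));
```

In Postgres, superusers and roles with the BYPASSRLS attribute are not subject to these policies, and the table owner is subject to them only because of FORCE ROW LEVEL SECURITY, so the application should connect as an ordinary role.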