Skip to content
AM

Role permissions

Use Portal > Team > Roles & Entitlements at /team/roles to inspect built-in roles and manage tenant-defined custom roles.

Permission model

Entitlements use <product>:<module>:<action> keys. The UI groups them by product and module, with action columns such as view, create, edit, delete, and export. A denied or unknown entitlement fails closed.

The built-in catalog includes Owner, Admin, Developer, Marketing, Accounting, Fulfillment, and View Only. Built-in and owner roles are locked in the UI and backend.

Create and edit a custom role

  1. Select the role whose permissions should be the starting point.
  2. Enter a custom role name.
  3. Select Add Role (Clone Current).
  4. Edit its name, description, product switches, module switches, or individual actions.

Each entitlement change is persisted immediately through updateRoleEntitlements. Name and description changes use Save Details. The current hook has role writes enabled and calls the live Portal GraphQL mutations.

Reset to Defaults restores the built-in entitlement baseline when the custom role uses a known built-in slug; otherwise it clears the custom matrix. It does not track a mutable clone-source snapshot.

Delete a role

Only custom roles can be deleted. Confirm Delete Role to call the backend. The backend’s role and membership constraints determine whether a role that is still assigned can be removed; reassign affected members before deletion.

GraphQL operations

  • roles and role(id)
  • myEntitlements
  • createRole(input)
  • updateRole(input)
  • updateRoleEntitlements(roleId, entitlements)
  • deleteRole(id)

The current MCP catalog does not expose custom-role lifecycle tools. It exposes inblack_set_member_role for assigning a member’s role.