Permissions Matrix
This matrix defines the access levels for READ Members, WRITE Members, and Project Admins across the API.
Core Rules
- READ Members: Can view/list resources and download files; cannot create, modify, or delete.
- WRITE Members: Can create resources within a project (e.g., deployments), upload/delete files, run tasks; can update/delete Devices only if they are the owner (unless admin).
- Project Admins: Full control within the project, including memberships and modules. Cannot create or delete projects (staff only).
- ECSTaskDefinitions: Read-only for authenticated users.
- Staff: May create and delete projects; otherwise follow admin-like capabilities.
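The core rules above, expressed as a single deny-by-default authorization check (an added example, not the project's own code; the `Actor`/`Resource` types and action names are assumptions chosen to mirror the matrix):

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Project roles from the matrix; staff is a separate, project-independent flag.
READ, WRITE, ADMIN = "read", "write", "admin"

@dataclass(frozen=True)
class Actor:
    user_id: int
    is_staff: bool = False
    memberships: Dict[int, str] = field(default_factory=dict)  # project_id -> role

@dataclass(frozen=True)
class Resource:
    kind: str                        # "project", "deployment", "device", "task"
    project_id: int
    owner_id: Optional[int] = None   # only devices carry an owner

def is_allowed(actor: Actor, action: str, resource: Resource) -> bool:
    """Return True if `actor` may perform `action` on `resource`.
    Actions: list, view, create, update, delete, run_task, link_device,
    manage_members, manage_modules. Anything not explicitly granted is denied."""
    # Creating or deleting a project is staff-only; project role is irrelevant.
    if resource.kind == "project" and action in ("create", "delete"):
        return actor.is_staff
    # ECSTaskDefinitions are read-only for every authenticated user.
    if resource.kind == "task":
        return action in ("list", "view")
    # Staff act with admin-like capabilities in any project (core rule above).
    role = ADMIN if actor.is_staff else actor.memberships.get(resource.project_id)
    if role is None:
        return False                 # assumption: non-members see nothing
    if action in ("list", "view"):
        return True                  # every project role can read
    if role == ADMIN:
        return True                  # full control within the project
    if role == WRITE:
        if resource.kind == "device" and action in ("update", "delete"):
            return resource.owner_id == actor.user_id   # owner-only for WRITE
        if resource.kind == "project":
            return False             # PUT/PATCH on the project itself is admin-only
        # Deployments, files and task runs; linking devices and managing
        # members/modules are admin-only and fall through to the deny below.
        return action in ("create", "update", "delete", "run_task")
    return False                     # READ member: reads only
```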
Projects
| Endpoint | READ Member | WRITE Member | Project Admin |
|---|---|---|---|
| GET /projects | ✅ List | ✅ List | ✅ List |
| GET /projects/{id} | ✅ View | ✅ View | ✅ View |
| POST /projects | ❌ No | ❌ No | ❌ No (Staff only) |
| PUT /projects/{id} | ❌ No | ❌ No | ✅ Yes |
| PATCH /projects/{id} | ❌ No | ❌ No | ✅ Yes |
| DELETE /projects/{id} | ❌ No | ❌ No | ❌ No (Staff only) |
| GET /projects/{id}/members | ✅ List | ✅ List | ✅ List |
| POST /projects/{id}/invite | ❌ No | ❌ No | ✅ Yes |
| GET /projects/{id}/modules | ✅ List | ✅ List | ✅ List |
| PUT /projects/{id}/modules/{module_id} | ❌ No | ❌ No | ✅ Yes |
| DELETE /projects/{id}/modules/{module_id} | ❌ No | ❌ No | ✅ Yes |
| GET /projects/{id}/deployments | ✅ List | ✅ List | ✅ List |
| GET /projects/{id}/files | ✅ List | ✅ List | ✅ List |
| GET /projects/{id}/download | ✅ Yes | ✅ Yes | ✅ Yes |
| POST /projects/{id}/download-multiple | ✅ Yes | ✅ Yes | ✅ Yes |
| GET/POST /projects/{id}/generate_presigned_url_for_download | ✅ Yes | ✅ Yes | ✅ Yes |
| POST /projects/{id}/generate_presigned_url_for_upload | ❌ No | ✅ Yes | ✅ Yes |
| POST /projects/{id}/delete-objects | ❌ No | ✅ Yes | ✅ Yes |
| GET/POST /projects/{id}/lifecycle-policy | ✅ View | ✅ View | ✅ Modify |
| POST /projects/{id}/object_exists | ✅ Yes | ✅ Yes | ✅ Yes |
| GET /projects/{id}/user_permissions | ✅ View | ✅ View | ✅ View |
Deployments
| Endpoint | READ Member | WRITE Member | Project Admin |
|---|---|---|---|
| GET /deployments/{id} | ✅ View | ✅ View | ✅ View |
| POST /projects/{id}/deployments | ❌ No | ✅ Yes | ✅ Yes |
| PUT /deployments/{id} | ❌ No | ✅ Yes | ✅ Yes |
| PATCH /deployments/{id} | ❌ No | ✅ Yes | ✅ Yes |
| DELETE /deployments/{id} | ❌ No | ✅ Yes | ✅ Yes |
| GET /deployments/{id}/devices | ✅ List | ✅ List | ✅ List |
| PUT /deployments/{id}/devices/{device_id} | ❌ No | ❌ No | ✅ Yes |
| DELETE /deployments/{id}/devices/{device_id} | ❌ No | ❌ No | ✅ Yes |
| GET /deployments/{id}/tasks | ✅ List | ✅ List | ✅ List |
| POST /deployments/{id}/run-task | ❌ No | ✅ Yes | ✅ Yes |
| GET /deployments/{id}/files | ✅ List | ✅ List | ✅ List |
| GET /deployments/{id}/download | ✅ Yes | ✅ Yes | ✅ Yes |
| POST /deployments/{id}/download-multiple | ✅ Yes | ✅ Yes | ✅ Yes |
| GET/POST /deployments/{id}/generate_presigned_url_for_download | ✅ Yes | ✅ Yes | ✅ Yes |
| POST /deployments/{id}/generate_presigned_url_for_upload | ❌ No | ✅ Yes | ✅ Yes |
| POST /deployments/{id}/delete-objects | ❌ No | ✅ Yes | ✅ Yes |
| GET/POST /deployments/{id}/lifecycle-policy | ✅ View | ✅ View | ✅ Modify |
| POST /deployments/{id}/object_exists | ✅ Yes | ✅ Yes | ✅ Yes |
Devices
| Endpoint | READ Member | WRITE Member | Project Admin |
|---|---|---|---|
| GET /devices | ✅ List | ✅ List | ✅ List |
| GET /devices/{id} | ✅ View | ✅ View | ✅ View |
| POST /devices | ❌ No | ✅ Yes | ✅ Yes |
| PUT /devices/{id} | ❌ No | ✅ Yes (if owner) | ✅ Yes |
| PATCH /devices/{id} | ❌ No | ✅ Yes (if owner) | ✅ Yes |
| DELETE /devices/{id} | ❌ No | ✅ Yes (if owner) | ✅ Yes |
Note: Linking a device to a deployment is restricted to project admins (see Deployments table).
Device Types
| Endpoint | READ Member | WRITE Member | Project Admin |
|---|---|---|---|
| GET /device-types | ✅ List | ✅ List | ✅ List |
| GET /device-types/{id} | ✅ View | ✅ View | ✅ View |
ECSTaskDefinitions (Modules)
| Endpoint | READ Member | WRITE Member | Project Admin |
|---|---|---|---|
| GET /tasks (list) | ✅ List | ✅ List | ✅ List |
| GET /tasks/{id} | ✅ View | ✅ View | ✅ View |
| POST/PUT/PATCH/DELETE /tasks | ❌ No | ❌ No | ❌ No |
Note: Attaching/detaching modules to a project is handled via project module endpoints (see Projects table).
Project Membership
| Endpoint | READ Member | WRITE Member | Project Admin |
|---|---|---|---|
| GET /projects/{id}/members | ✅ List | ✅ List | ✅ List |
| POST /projects/{id}/members/invite | ❌ No | ❌ No | ✅ Yes |
| GET /projectmemberships | ✅ List | ✅ List | ✅ List |
| POST /projectmemberships | ❌ No | ❌ No | ✅ Yes |
| GET /projectmemberships/{id} | ✅ View | ✅ View | ✅ View |
| PUT /projectmemberships/{id} | ❌ No | ❌ No | ✅ Yes |
| PATCH /projectmemberships/{id} | ❌ No | ❌ No | ✅ Yes |
| DELETE /projectmemberships/{id} | ❌ No | ❌ No | ✅ Yes |
Task Runs
| Endpoint | READ Member | WRITE Member | Project Admin |
|---|---|---|---|
| GET /taskruns | ✅ List | ✅ List | ✅ List |
| GET /taskruns/{id} | ✅ View | ✅ View | ✅ View |
Users
| Endpoint | READ Member | WRITE Member | Project Admin |
|---|---|---|---|
| GET /users | ✅ View (scoped to shared projects) | ✅ View (scoped to shared projects) | ✅ View (all) |
Notes:
- Visibility for users is project-scoped for non-admins; staff and project admins see all users.
- “Staff only” indicates capabilities not granted to project roles.