The three roles
Every organization member has one of three roles:Owner
Full control over the organization. Can manage all settings, members, projects, billing, and can delete the organization. Typically the person who created the organization.
Admin
Can manage members (invite, update roles, remove), create and delete projects, and access organization settings. Cannot delete the organization or transfer ownership.
Member
Can view the organization and its projects. Limited to read and contribute actions within projects. Cannot manage members or organization settings.
Permissions matrix
The following table shows what each role can do at the organization level.| Permission | Owner | Admin | Member |
|---|---|---|---|
| View organization | ✓ | ✓ | ✓ |
| View member list | ✓ | ✓ | ✓ |
| Update organization name | ✓ | ✓ | — |
| Access organization settings | ✓ | ✓ | — |
| Invite members | ✓ | ✓ | — |
| Update member roles | ✓ | ✓ | — |
| Remove members | ✓ | ✓ | — |
| Create projects | ✓ | ✓ | — |
| Delete projects | ✓ | ✓ | — |
| Manage billing and subscriptions | ✓ | ✓ | — |
| Manage organization wallet | ✓ | ✓ | — |
| Delete organization | ✓ | — | — |
Admins cannot promote other users to Owner. Only an existing Owner can transfer or assign the Owner role.
Project-level permissions
Roles also apply within projects. When a member joins an organization, their organization role determines their default access across all projects. A project-specific role can override this default for individual projects.| Permission | Owner/Admin | Member |
|---|---|---|
| View project | ✓ | ✓ |
| Create and manage API keys | ✓ | — |
| Add LLM credentials | ✓ | — |
| Manage project members | ✓ | — |
| Create and edit notebooks | ✓ | ✓ |
| Access AI Studio tools | ✓ | ✓ |
| View project analytics | ✓ | ✓ |
| Delete project | ✓ | — |
Access types
Beyond roles, TrayLinx tracks two access types for organization members:- Organization Member (
ORGANIZATION_MEMBER) — Has organization-wide membership. Automatically has access to all projects within the organization, with their role determining what they can do in each. - Project-Only Member (
PROJECT_ONLY_MEMBER) — Has no organization-wide membership. Access is limited to the specific projects they were explicitly added to.
Denied project access
Owners and Admins can explicitly deny a member access to a specific project, even if that member has organization-wide membership. A denied member’s project role is set toDENIED and they cannot view or interact with that project.
To restore access, click Restore on the denied project in the member management dialog.
Permission guards in the UI
TrayLinx enforces permissions at two layers:-
Route guards — The
OrganizationPermissionGuardandOrganizationSettingsGuardcomponents check permissions before rendering protected pages. If a user navigates to a settings URL without sufficient permissions, they are redirected to the organization overview page. -
Element-level guards — Buttons and controls in the UI are conditionally rendered based on the current user’s permissions. For example, the Create Project button is only shown when
canCreateProjectistrue, and the Add Member button is only active whencanAddUseristrue.
meta.can object returned by the API and cached locally. They are automatically refreshed when a 403 response is received or when a role-change event is dispatched.
Changing a member’s role
Open Organization Settings
Navigate to the organization, then click the Settings icon in the header. You must be an Owner or Admin.
Open the member's dialog
Click the row of the member whose role you want to change to open the Member Management dialog.
Edit the organization role
In the Organization Membership section, click Edit Role. A dropdown appears with the available roles: Owner, Admin, Member, and Viewer.
Why can't I see the settings page?
Why can't I see the settings page?
Only Owners and Admins can access organization settings. If you are a Member or a project-only member, the Settings button is not shown and accessing the settings URL directly will redirect you to the organization overview.
Can Admins assign the Owner role?
Can Admins assign the Owner role?
No. Admins can assign the Member and Admin roles, but cannot promote users to Owner. This restriction is enforced by the API and returns an
INSUFFICIENT_PERMISSIONS error code if attempted.What happens to a member's project access when their org role changes?
What happens to a member's project access when their org role changes?
For organization members, the new role applies across all projects immediately. Any project-specific role overrides remain in place — those are not affected by a change to the organization role.
What is the Viewer role?
What is the Viewer role?
The Viewer role appears in the project access management table within the Member Management dialog. It grants read-only access to a specific project. Viewers can see project content but cannot create or modify resources.