Appaloft Docs

Cloud permissions

Appaloft Cloud organization permissions, assignable roles, and plan availability.

Cloud

Cloud Permissions

Appaloft Cloud organization permissions are enforced by the backend operation guard. Member pages, invite dialogs, and dropdowns only show the available choices; the actual allow or deny decision comes from Cloud authorization policy.

Plan Availability

PlanAssignable organization permissionsNotes
Freeowner, developerKeeps the minimum team model. Invited members default to developer.
Basicowner, developerSame as Free for core collaboration. Fine-grained permissions are not unlocked.
Teamowner, admin, developer, billing, viewerUnlocks Basic RBAC so governance, delivery, billing visibility, and read-only access can be separated.
Businessowner, admin, developer, billing, viewerInherits Team's Basic RBAC.
Enterpriseowner, admin, developer, billing, viewerInherits Basic RBAC. Custom roles, project-level roles, SSO/SCIM, and custom policy controls remain future Enterprise scope.

Organization Permission Model

PermissionBest forWhat it can do
ownerFounders and final organization ownersFull organization capability, including organization deletion, ownership transfer, member invites, role changes, resources, and deployments.
adminTeam leads and platform administratorsManages non-owner members and most product operations; cannot transfer ownership, delete the organization, or change/remove owners.
developerDevelopers, operators, and delivery engineersCreates and manages projects, resources, deployments, and runtime actions; cannot manage organization members or billing settings.
billingFinance, procurement, and FinOpsReads projects, resources, and billing-adjacent information; cannot deploy, mutate resources, or govern members.
viewerAuditors, support, and external collaboratorsRead-only access to projects, resources, deployments, members, and configuration summaries.

Permission Matrix Summary

Capability areaowneradmindeveloperbillingviewer
Project, resource, and deployment readsAllowAllowAllowAllowAllow
Project lifecycle managementAllowAllowAllowDenyDeny
Delivery and runtime operationsAllowAllowAllowDenyDeny
Blueprint marketplace installationAllowAllowAllowDenyDeny
Member invite, role change, remove, restoreAllowNon-owner members onlyDenyDenyDeny
Ownership transfer and organization deletionAllowDenyDenyDenyDeny
Instance maintenanceInstance super admin onlyInstance super admin onlyInstance super admin onlyInstance super admin onlyInstance super admin only

Defaults And Compatibility

  • Newly invited members default to developer, because delivery collaboration is the primary Cloud workflow.
  • Historical Better Auth owner and admin roles map to the same Cloud permissions. Historical member rows remain compatible as developer.
  • Unknown role strings fall back to viewer as the least-privileged permission.
  • Owner governance cannot be bypassed through ordinary role changes. Setting an owner, transferring ownership, or changing/removing owner members must pass ownership-transfer invariants.

Backend Enforcement

Cloud permissions are not UI decoration. Every product operation has a CASL policy. Denied calls return an authorization error with auditable trace attributes such as appaloft.cloud.authz.denied and a denial reason. API, CLI, worker, and Web console entrypoints share the same operation guard.

On this page