Activepieces implements Role-Based Access Control (RBAC) at both platform and project levels, providing fine-grained control over user permissions.

User Roles Hierarchy

1. Platform Roles

Global roles that apply across all projects:
  • ADMIN: Full platform control
  • OPERATOR: Manage projects and users
  • MEMBER: Regular user access

2. Project Roles

Project-specific roles with granular permissions:
  • Admin: Full project control
  • Editor: Create and modify flows
  • Viewer: Read-only access

Default Project Roles

Activepieces provides three built-in project roles:

Admin Role

Full control over the project.

Permissions:
  • ✅ READ_FLOW / WRITE_FLOW
  • ✅ UPDATE_FLOW_STATUS
  • ✅ READ_APP_CONNECTION / WRITE_APP_CONNECTION
  • ✅ READ_PROJECT_MEMBER / WRITE_PROJECT_MEMBER
  • ✅ WRITE_INVITATION / READ_INVITATION
  • ✅ WRITE_PROJECT_RELEASE / READ_PROJECT_RELEASE
  • ✅ READ_RUN / WRITE_RUN
  • ✅ WRITE_ALERT / READ_ALERT
  • ✅ WRITE_PROJECT / READ_PROJECT
  • ✅ WRITE_FOLDER / READ_FOLDER
  • ✅ READ_TABLE / WRITE_TABLE
  • ✅ READ_MCP / WRITE_MCP
Use Cases:
  • Project owners
  • Team leads
  • Department heads

Permission Model

Activepieces uses a comprehensive permission system:

Resource Permissions

  • READ_FLOW: View flow definitions
  • WRITE_FLOW: Create and edit flows
  • UPDATE_FLOW_STATUS: Enable/disable flows
  • READ_APP_CONNECTION: View connections (without credentials)
  • WRITE_APP_CONNECTION: Create and manage connections
  • READ_PROJECT_MEMBER: View project members
  • WRITE_PROJECT_MEMBER: Add/remove members, change roles
  • READ_INVITATION: View pending invitations
  • WRITE_INVITATION: Send and manage invitations
  • READ_RUN: View execution logs
  • WRITE_RUN: Trigger manual runs, retry failed runs
  • READ_PROJECT: View project details
  • WRITE_PROJECT: Modify project settings
  • READ_PROJECT_RELEASE: View releases
  • WRITE_PROJECT_RELEASE: Create and deploy releases
  • READ_FOLDER / WRITE_FOLDER: Manage flow organization
  • READ_ALERT / WRITE_ALERT: Configure alerting
  • READ_TABLE / WRITE_TABLE: Access project data storage
  • READ_MCP / WRITE_MCP: Manage MCP integrations

Custom Roles

Create custom roles with specific permission sets:
{
  name: "Integration Specialist",
  type: RoleType.CUSTOM,
  platformId: "platform_123",
  permissions: [
    "READ_FLOW",
    "WRITE_FLOW",
    "READ_APP_CONNECTION",
    "WRITE_APP_CONNECTION",
    "READ_RUN"
  ]
}
Custom roles are available in Enterprise Edition and allow you to create roles tailored to your organization’s needs.

Managing Project Members

Adding Members

1. Invite User

Send an invitation with a role:
{
  email: "user@company.com",
  projectId: "proj_abc123",
  projectRoleId: "role_editor"
}
2. User Accepts

The user receives an email and accepts the invitation.

3. Member Created

Project member record is created:
{
  id: "member_xyz",
  userId: "user_123",
  projectId: "proj_abc123",
  projectRoleId: "role_editor",
  platformId: "platform_123"
}

Updating Member Roles

Change a member’s role:
// Promote to Admin
{
  id: "member_xyz",
  projectId: "proj_abc123",
  role: "Admin"
}

Removing Members

Delete the project member to revoke access:
DELETE /v1/projects/{projectId}/members/{memberId}

Role Resolution Logic

Activepieces determines project access through a hierarchy:
1. Project Owner Check: if the user is the project owner → Admin role
2. Platform Admin Check: if the user is Platform Admin → Admin role
3. Platform Operator Check: if the user is Platform Operator → Editor role
4. Project Member Check: if the user is a project member → use the assigned project role
5. No Access: otherwise → no access to the project

Platform-level roles (Admin, Operator) automatically grant elevated permissions in all projects within that platform.
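
The resolution order above, written out as an added example (not Activepieces source code; all type, function and sample names are assumptions). It goes one step further than the list and includes an audit helper that reports every user whose project access is decided before the project member check, since reviewing the member list alone would miss or misstate that access.

```typescript
// Added example. Type, function and sample names are assumptions for
// illustration, not the Activepieces implementation.
type PlatformRole = "ADMIN" | "OPERATOR" | "MEMBER";
type Via = "owner" | "platform-admin" | "platform-operator" | "member" | "none";
interface PlatformUser { id: string; platformRole: PlatformRole }
interface ProjectRef { id: string; ownerId: string }
interface MemberRecord { userId: string; projectId: string; projectRole: string }
interface ResolvedAccess { userId: string; role: string | null; via: Via }

// Apply the five checks in the documented order; the first match wins.
function resolveProjectRole(
  user: PlatformUser, project: ProjectRef, members: MemberRecord[],
): ResolvedAccess {
  const out = (role: string | null, via: Via): ResolvedAccess =>
    ({ userId: user.id, role, via });
  if (project.ownerId === user.id) return out("Admin", "owner");
  if (user.platformRole === "ADMIN") return out("Admin", "platform-admin");
  if (user.platformRole === "OPERATOR") return out("Editor", "platform-operator");
  const m = members.find((x) => x.userId === user.id && x.projectId === project.id);
  return m ? out(m.projectRole, "member") : out(null, "none");
}

// Audit helper: users whose access is NOT decided by a project member record.
function accessNotFromMemberList(
  users: PlatformUser[], project: ProjectRef, members: MemberRecord[],
): ResolvedAccess[] {
  return users
    .map((u) => resolveProjectRole(u, project, members))
    .filter((r) => r.role !== null && r.via !== "member");
}

// Constructed sample data (not real accounts).
const sampleProject: ProjectRef = { id: "proj_abc123", ownerId: "user_alice" };
const sampleUsers: PlatformUser[] = [
  { id: "user_alice", platformRole: "MEMBER" },   // project owner
  { id: "user_bob", platformRole: "ADMIN" },      // no member record
  { id: "user_carol", platformRole: "OPERATOR" }, // also listed as Viewer
  { id: "user_dave", platformRole: "MEMBER" },    // listed as Editor
  { id: "user_erin", platformRole: "MEMBER" },    // member of another project only
];
const sampleMembers: MemberRecord[] = [
  { userId: "user_carol", projectId: "proj_abc123", projectRole: "Viewer" },
  { userId: "user_dave", projectId: "proj_abc123", projectRole: "Editor" },
  { userId: "user_erin", projectId: "proj_other", projectRole: "Admin" },
];

for (const r of accessNotFromMemberList(sampleUsers, sampleProject, sampleMembers)) {
  console.log(`${r.userId}: ${r.role} via ${r.via}`);
}
```

In the sample, user_carol is listed as Viewer but resolves to Editor, because the Platform Operator check runs before the project member check.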

Team Management

Listing Members

Get all members with their roles:
{
  data: [
    {
      id: "member_1",
      user: {
        id: "user_123",
        email: "alice@company.com",
        firstName: "Alice",
        lastName: "Smith"
      },
      projectRole: {
        name: "Admin",
        permissions: [...]
      },
      project: {
        id: "proj_abc123",
        displayName: "Marketing Team"
      }
    }
  ],
  next: null
}

User Analytics

Track active users per project:
{
  totalUsers: 8,      // All members
  activeUsers: 5      // Members who logged in recently
}

User Invitations

Invitation Flow

1. Create Invitation

{
  email: "newuser@company.com",
  type: InvitationType.PROJECT,
  platformId: "platform_123",
  projectId: "proj_abc123",
  projectRoleId: "role_editor"
}
2. Email Sent

An invitation email is sent to the user.

3. User Signs Up

A new user creates an account, or an existing user logs in.

4. Provisioning

The system automatically:
  • Creates project member
  • Assigns specified role
  • Deletes invitation

Invitation Types

Invites a user to the platform without a specific project:
{
  type: InvitationType.PLATFORM,
  platformRole: PlatformRole.MEMBER
}

Permission Checking

Implement permission checks in your code:
// Check if user has specific permission
const hasPermission = projectRole.permissions.includes(
  Permission.WRITE_FLOW
)

// Get user's role in project
const role = await projectMemberService.getRole({
  userId: "user_123",
  projectId: "proj_abc123"
})

API Reference

curl -X GET 'https://api.activepieces.com/v1/projects/{projectId}/members' \
  -H 'Authorization: Bearer {token}'

Best Practices

Least Privilege

Grant users the minimum permissions needed for their role.

Regular Audits

Review member lists and permissions quarterly.

Role Standardization

Use default roles when possible; create custom roles sparingly.

Owner Designation

Assign project ownership to responsible team leads.
