Team Members & RBAC

Team members and role-based access control (RBAC) enables workspace collaboration with granular permission management.

Quick Start

Add a Member

# Add a member with basic member role
curl -X POST http://localhost:8000/api/v1/workspaces/{workspace_id}/members \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"user_id":"user-abc123","role":"member"}'

Update Member Role

# Promote member to admin
curl -X PATCH http://localhost:8000/api/v1/workspaces/{workspace_id}/members/{user_id} \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"role":"admin"}'

List All Members

# View all workspace members
curl http://localhost:8000/api/v1/workspaces/{workspace_id}/members \
  -H "Authorization: Bearer $TOKEN"

How It Works

Role	Add Members	Manage Settings	Create Issues	Remove Members
Owner	✅	✅	✅	✅
Admin	✅	✅	✅	✅
Member	❌	❌	✅	❌

API Endpoints

Add Member

Add a new member to the workspace with a specific role. Requires owner role: assigning role: "admin" or role: "owner" now returns 403 Forbidden for non-owners with detail "Only owners can add admin or owner roles". Member-to-member role additions still work for admins.

curl -X POST http://localhost:8000/api/v1/workspaces/{workspace_id}/members \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "user_id": "user-abc123",
    "role": "member"
  }'

List Members

Retrieve all members in the workspace.

curl http://localhost:8000/api/v1/workspaces/{workspace_id}/members \
  -H "Authorization: Bearer $TOKEN"

Update Member Role

Change a member’s role within the workspace. Requires owner role: assigning role: "admin" or role: "owner" now returns 403 Forbidden for non-owners with detail "Only owners can assign admin or owner roles". Member-to-member role changes still work for admins.

curl -X PATCH http://localhost:8000/api/v1/workspaces/{workspace_id}/members/{user_id} \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "role": "admin"
  }'

Remove Member

Remove a member from the workspace.

curl -X DELETE http://localhost:8000/api/v1/workspaces/{workspace_id}/members/{user_id} \
  -H "Authorization: Bearer $TOKEN"

Role Hierarchy

Role Capabilities

Capability	Owner	Admin	Member
Member Management
Add members	✅	✅	❌
Remove members	✅	✅	❌
Update member→member roles	✅	✅	❌
Assign admin or owner role	✅	❌	❌
Workspace Settings
Modify workspace settings	✅	✅	❌
Delete workspace	✅	❌	❌
Content Management
Create issues/tasks	✅	✅	✅
Edit own content	✅	✅	✅
Edit others’ content	✅	✅	❌

Schema Reference

Add Member Request

Field	Type	Required	Description
`user_id`	`string`	✅	Unique identifier for the user
`role`	`string`	✅	Role to assign: `owner`, `admin`, or `member`

{
  "user_id": "user-abc123",
  "role": "member"
}

Update Role Request

Field	Type	Required	Description
`role`	`string`	✅	New role: `owner`, `admin`, or `member`

{
  "role": "admin"
}

Member Response

Field	Type	Description
`id`	`string`	Unique member ID
`workspace_id`	`string`	Workspace identifier
`user_id`	`string`	User identifier
`role`	`string`	Current role
`created_at`	`string`	ISO 8601 timestamp

{
  "id": "mem-abc123",
  "workspace_id": "ws-abc123",
  "user_id": "user-abc123",
  "role": "admin",
  "created_at": "2025-01-01T00:00:00"
}

Best Practices

Principle of Least Privilege

Always assign the minimum role required for a user’s responsibilities. Start with member role and promote only when necessary for their workspace functions.

Regular Role Audits

Periodically review member roles and permissions. Remove inactive members and adjust roles based on changing responsibilities within the workspace.

Owner Role Management

Limit the number of owners in a workspace. Only owners can promote members to admin or owner roles - this restriction was tightened in security batch 3 to prevent privilege escalation by admin users.

Secure Token Management

Always use secure JWT tokens for API authentication. Store tokens securely and rotate them regularly to maintain workspace security.See Authentication Configuration for JWT secret setup and security requirements.

Testing

Run the member management tests to verify functionality:

pytest tests/test_services.py::TestMemberService -v

Expected test coverage includes:

Adding members with different roles
Role hierarchy validation
Permission enforcement
Member removal workflows

Workspace Management

Learn about workspace creation and management

Authentication

Understand JWT token authentication

Documentation Index

​Quick Start

​How It Works

​API Endpoints

​Add Member

​List Members

​Update Member Role

​Remove Member

​Role Hierarchy

​Role Capabilities

​Schema Reference

​Add Member Request

​Update Role Request

​Member Response

​Best Practices

​Testing

​Related

Workspace Management

Authentication

Quick Start

How It Works

API Endpoints

Add Member

List Members

Update Member Role

Remove Member

Role Hierarchy

Role Capabilities

Schema Reference

Add Member Request

Update Role Request

Member Response

Best Practices

Testing

Related