Permissions and access scopes
In Tragentics, “what a member can do” and “what a member can see” are separate controls. Feature permissions answer the first question. Access scope answers the second.
Feature permissions
The invite and edit-member flows let the admin toggle specific capabilities instead of assigning a coarse role.
The current permission groups exposed in the UI are:
- Agent Management — manage agents, create agents
- Analytics — view analytics, view audit logs
- Protocols — manage protocols
- Networks & Canvas — manage networks, manage canvas
- Operations — manage schedules, pools, and broadcasts
- Security — manage credentials, manage invites
Permission presets
To speed up admin work, the member editor supports three presets:
- Full access — broad operational control across the organization
- Limited access — hands-on operations without every security-sensitive capability
- View only — read-heavy access focused on analytics and logs
Presets are just a fast starting point. The admin can customize any checkbox afterward.
Permission dependencies
Some permissions only make sense if the member can manage agents at all. In the UI, agent-management-dependent toggles are suppressed when Manage agents is not enabled.
Access scope
Access scope defines the resource boundary the member can operate inside. Tragentics supports three scope patterns:
- All agents — the member can operate across the full organization surface
- By network — the member is constrained to specific networks
- By agent — the member is constrained to specific individual agents
Access scope is required. The invite flow does not silently assume “all.”
Network scope vs agent scope
Network scope is broader. It gives the member visibility through the selected network boundary and the participating agents inside it. Agent scope is narrower and best when you want a member limited to hand-picked agents instead of full network topology.
Defaults for new members
The Settings tab includes default member permissions and default access scope. These defaults pre-populate the invite form, but the admin can still adjust them per invite.
This is especially useful if your organization tends to onboard the same kind of operator repeatedly, such as:
- analysts who only need logs and analytics
- operators who need schedules, pools, and broadcasts but not admin transfer
- specialists who only manage a subset of networks
Why both controls exist
Permissions without access scope would make members too broad. Access scope without permissions would still let members enter surfaces they should not use. Tragentics combines both so the admin can say:
- this member may use analytics, but only for these resources
- this member may manage schedules, but only in these networks
- this member may manage agents, but only these specific agents
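The two-control model above can be expressed as a single authorization check. This is an added example, not Tragentics code: every name in it (`Member`, `Scope`, `is_allowed`, the permission strings) is hypothetical, and it assumes that "create agents" is one of the toggles that depends on "manage agents".

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical names throughout; this is not the Tragentics API or data model.
# Assumption: "create_agents" is one of the toggles that depends on manage_agents.
DEPENDS_ON_MANAGE_AGENTS = {"create_agents"}

@dataclass(frozen=True)
class Scope:
    kind: str                      # "all", "network" or "agent"
    ids: frozenset = frozenset()   # network ids or agent ids, per kind

@dataclass(frozen=True)
class Member:
    permissions: frozenset
    scope: Optional[Scope]         # None models an invite with no scope chosen

@dataclass(frozen=True)
class Agent:
    agent_id: str
    networks: frozenset

def effective_permissions(member):
    """Drop dependent permissions when manage_agents is not granted."""
    perms = set(member.permissions)
    if "manage_agents" not in perms:
        perms -= DEPENDS_ON_MANAGE_AGENTS
    return perms

def in_scope(scope, agent):
    """Resource-boundary check; a missing scope is an error, never 'all'."""
    if scope is None:
        raise ValueError("access scope is required")
    if scope.kind == "all":
        return True
    if scope.kind == "network":
        return bool(scope.ids & agent.networks)
    if scope.kind == "agent":
        return agent.agent_id in scope.ids
    return False                   # unknown scope kind: fail closed

def is_allowed(member, permission, agent):
    """Both controls must pass: access scope AND feature permission."""
    return in_scope(member.scope, agent) and permission in effective_permissions(member)

# Constructed sample data: two agents in different networks, one scoped analyst.
A1 = Agent("a1", frozenset({"n1"}))
A2 = Agent("a2", frozenset({"n2"}))
ANALYST = Member(frozenset({"view_analytics"}), Scope("network", frozenset({"n1"})))
```

The analyst can view analytics for `A1` but not for `A2`, and cannot manage either agent; a member with no scope raises an error instead of being treated as "all".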
Next
Once permissions and scope are understood, the next step is how people actually enter the organization: invites and onboarding.