
Permissions and access scopes

In Tragentics, “what a member can do” and “what a member can see” are separate controls. Feature permissions answer the first question. Access scope answers the second.

Feature permissions

The invite and edit-member flows let the admin toggle specific capabilities instead of assigning a coarse role.

The current permission groups exposed in the UI are:

  • Agent Management — manage agents, create agents
  • Analytics — view analytics, view audit logs
  • Protocols — manage protocols
  • Networks & Canvas — manage networks, manage canvas
  • Operations — manage schedules, pools, and broadcasts
  • Security — manage credentials, manage invites

Permission presets

To speed up admin work, the member editor supports three presets:

  • Full access — broad operational control across the organization
  • Limited access — hands-on operations without every security-sensitive capability
  • View only — read-heavy access focused on analytics and logs

Presets are just a fast starting point. The admin can customize any checkbox afterward.

Permission dependencies

Some permissions only make sense if the member can manage agents at all. In the UI, agent-management-dependent toggles are suppressed when Manage agents is not enabled.

This keeps the permission model coherent. For example, a member should not be able to manage credentials or protocols for agents they are not allowed to manage in the first place.

Access scope

Access scope defines the resource boundary the member can operate inside. Tragentics supports three scope patterns:

  • All agents — the member can operate across the full organization surface
  • By network — the member is constrained to specific networks
  • By agent — the member is constrained to specific individual agents

Access scope is required. The invite flow does not silently assume “all.”

Network scope vs agent scope

Network scope is broader: it gives the member visibility into the selected networks and the agents participating in them. Agent scope is narrower and works best when you want a member limited to hand-picked agents rather than a full network topology.

Defaults for new members

The Settings tab includes default member permissions and default access scope. These defaults pre-populate the invite form, but the admin can still adjust them per invite.

This is especially useful if your organization tends to onboard the same kind of operator repeatedly, such as:

  • analysts who only need logs and analytics
  • operators who need schedules, pools, and broadcasts but not admin transfer
  • specialists who only manage a subset of networks

Why both controls exist

Permissions without access scope would leave a member's capabilities too broad, since nothing would limit which resources they apply to. Access scope without permissions would still let members enter surfaces they should not use. Tragentics combines both so the admin can say:

  • this member may use analytics, but only for these resources
  • this member may manage schedules, but only in these networks
  • this member may manage agents, but only these specific agents
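The two-control decision described above, as an added example that is not Tragentics code: a request is allowed only when the feature permission is granted, its dependency on Manage agents holds, and the target agent falls inside the member's scope. The permission identifiers, class names, and the choice of which permissions depend on Manage agents (taken from the page's credentials and protocols example) are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical identifiers: the page names capabilities, not API strings.
AGENT_DEPENDENT = {"manage_credentials", "manage_protocols"}  # assumed set

@dataclass(frozen=True)
class Scope:
    kind: str                      # "all", "network" or "agent"
    ids: frozenset = frozenset()   # network ids or agent ids, per kind

@dataclass(frozen=True)
class Member:
    permissions: frozenset
    scope: Optional[Scope]         # None models a record with no scope set

@dataclass(frozen=True)
class Agent:
    agent_id: str
    networks: frozenset

def in_scope(scope, agent):
    """Second control: may the member see this resource at all?"""
    if scope is None:
        return False               # scope is required; never assume "all"
    if scope.kind == "all":
        return True
    if scope.kind == "network":
        return bool(scope.ids & agent.networks)
    if scope.kind == "agent":
        return agent.agent_id in scope.ids
    return False                   # unknown scope kind fails closed

def is_allowed(member, permission, agent):
    """Both controls must pass; either one alone is not enough."""
    if permission not in member.permissions:
        return False
    # Re-check the dependency at decision time, so a stored record that
    # bypassed the editor UI cannot carry an orphaned permission.
    if permission in AGENT_DEPENDENT and "manage_agents" not in member.permissions:
        return False
    return in_scope(member.scope, agent)

# Constructed sample data for illustration.
AGENT_A = Agent("agent-a", frozenset({"net-1"}))
AGENT_B = Agent("agent-b", frozenset({"net-2"}))
ANALYST = Member(frozenset({"view_analytics"}), Scope("agent", frozenset({"agent-a"})))
OPERATOR = Member(frozenset({"manage_schedules"}), Scope("network", frozenset({"net-1"})))
```
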

Next

Once permissions and scope are understood, the next step is how people actually enter the organization: invites and onboarding.