Atomic Permissions
Guide to setting up roles and permissions for booth members.
Uhpenry secures booth collaboration with an atomic, function-based permission model: every flag represents exactly one capability (a page you may see, a tab you may open, a button you may press, or an endpoint you may call). Roles are simply named bundles of these flags, and you can add or remove flags at the booth level without inventing new role types. This keeps privileges minimal, makes audits precise, and lets features evolve by adding a single, well-named permission.
Unlike coarse role systems, page access is distinct from action permissions being allowed to create a project does not imply you can view the Members page. Enforcement happens in two places: the client gates the UI for good UX, while the server performs authoritative checks on every request and wins on any conflict. The system defaults to fail-closed, returning 404 where you want to hide resource existence and 403 where a locked experience is acceptable.
Quick summary
- Every permission is atomic (single purpose) and function-based, e.g.,
PROJECT_CREATEorMEMBER_INVITE. - Page access is separate from action permissions: having permission to create a user does not imply you can view the members page.
- Enforcement happens both client-side (UI gating) and server-side (authoritative checks). Server wins on conflicts.
- The model is flexible: developers can create unlimited custom rules and map them to roles or users at booth-level granularity.
- No per-seat billing: permissions and membership scale without forcing per-seat pricing.
The Value of Atomic Permissions
Our permission model is intentionally designed at the atomic level. Instead of bundling access into broad roles, each action can be granted (or withheld) individually. This approach ensures:
- Flexibility: Adapt permissions precisely to your team's unique workflows.
- Extensibility: Add new features without overhauling the entire access system; just define one new permission.
- Least Privilege: Give users only the access they need, reducing risk.
- Auditability: Maintain a fine-grained history of who changed what, and when.
Atomic permissions aren't just a detail, they are the foundation that makes the system adaptable, secure, and future-proof.
Permission Tables
Page permissions control access to different sections of the Uhpenry platform.
These are mostly view-level permissions that grant entry to dashboards, detail pages, and navigation tabs.
| Permission | Description |
|---|---|
PAGE_OVERVIEW | Access the main overview dashboard of the platform. |
PAGE_APPLICATIONS | View and manage the list of applications. |
PAGE_SUPPORT | Access the support page for booth-related inquiries. |
PAGE_SUPPORT_DETAIL | View a detailed page of an individual support thread. |
PAGE_PROJECTS | View the list of all projects. |
PAGE_PROJECT_DETAIL | View a detailed page of an individual project. |
PAGE_MANAGE | Access the booth management page. |
PAGE_Snapgate | View the Snapgate disputes page. |
PAGE_Snapgate_DETAIL | View details of a specific Snapgate dispute. |
PAGE_MEMBERS | Access the members management page. |
Actions
Actions represent specific operations users can perform.
They are grouped by functionality for easier mapping.
Platform Actions
| Permission | Description |
|---|---|
PLATFORM_REPORTS | View and manage reports made against booths or users. |
PLATFORM_SUPPORTS | Handle incoming support requests related to the platform. |
PLATFORM_DISPUTES | View and manage disputes raised within the platform. |
PLATFORM_RESOLUTIONS | Access the resolutions management page. |
PLATFORM_RESOLVE | Resolve disputes by issuing official resolutions. |
PLATFORM_DISPUTE_PARTICIPANT | Add or remove participants in a dispute case. |
Booth Actions
| Permission | Description |
|---|---|
BOOTH_DELETE | Delete an existing booth. |
BOOTH_EDIT | Edit booth information. |
BOOTH_UPDATE | Update booth details. |
BOOTH_PUBLISH | Publish a booth to make it public. |
BOOTH_GITHUB | Manage GitHub integration for a booth. |
BOOTH_STRIPE | Manage Stripe payment integration for a booth. |
Project Actions
| Permission | Description |
|---|---|
PROJECT_CREATE | Create a new project. |
PROJECT_DELETE | Delete an existing project. |
PROJECT_EDIT | Edit an existing project's details. |
PROJECT_PUBLISH | Publish a project to make it public. |
PROJECT_UPDATE | Update an existing project's information. |
Project Presets
| Permission | Description |
|---|---|
PRESET_CREATE | Create a new project preset. |
PRESET_EDIT | Edit an existing project preset. |
PRESET_UPDATE | Update details for an existing project preset. |
PRESET_IMPORT | Import a project preset from another source. |
PRESET_PUBLISH | Publish a project preset for public use. |
Disputes & Resolutions
| Permission | Description |
|---|---|
Snapgate_MODERATION | Moderate Snapgate dispute cases. |
REFUNDS | Approve or deny refund requests. |
Members Actions
| Permission | Description |
|---|---|
MEMBER_INFO | View a member's information. |
MEMBER_REMOVE | Remove a team member from the booth or project. |
INVITE_REVOKE | Revoke a single pending member invitation. |
MEMBER_ADD | Add a new team member using their username. |
ROLE_EDIT | Edit the role of an existing team member. |
MEMBER_UNSUSPEND | Restore access for a suspended member. |
DEMOTE_ALL_ADMINS | Remove admin privileges from all admins. |
MEMBER_INVITE | Invite a new team member via email. |
ROLE_CUSTOM | Create or edit custom member roles. |
MEMBERS_REMOVE_ALL | Remove all team members at once. |
INVITES_REVOKE_ALL | Revoke all pending member invitations. |
UNSUSPEND_ALL_ACCESS | Restore access for all members. |
MEMBER_SUSPEND | Suspend access for a specific team member. |
SUSPEND_ALL_ACCESS | Suspend access for all members. |
Member Navigation
| Permission | Description |
|---|---|
TAB_MEMBERS | View the Members tab in team management. |
TAB_AUDIT_LOG | View the Audit Logs tab. |
TAB_INVITATION | View the Invitations tab. |
TAB_ROLES | View and manage the Roles tab. |
TAB_DANGER_ZONE | Access the Danger Zone tab for destructive actions. |
AUDIT_CLEAR | Clear all audit logs. |
IP_STATE_MANAGE | Manage IP address restrictions and allowlists. |
Integrations
| Permission | Description |
|---|---|
BOOTH_GITHUB | Manage GitHub integration for a booth. |
BOOTH_STRIPE | Manage Stripe payment integration for a booth. |
Storage
| Permission | Description |
|---|---|
STORAGE_MANAGE | Manage project, booth, and team storage allocations. |
Exports
| Permission | Description |
|---|---|
EXPORT_PROJECT | Export project-related data. |
EXPORT_TEAM | Export team-related data. |
EXPORT_BOOTH | Export booth-related data. |
Summary
- Pages = entry access (dashboards, detail views, tabs).
- Actions = do something (create, update, delete, resolve, invite, publish, etc.).
- Permissions are atomic no bundles, each stands alone.
So when you join or create a booth on Uhpenry, Atomic Permissions are what make sure everyone has just the right level of access. Instead of one-size-fits-all roles, every action in a booth whether it's viewing a project, inviting new members, publishing a booth, or handling support is controlled by a specific, named permission.
That means:
- Owners (the ones who created the booth) always have full control. They decide who can do what inside the booth.
- Admins can be trusted with wide access, like managing members or updating projects, but without the risk of accidentally removing the booth itself.
- Members can focus on collaboration building, contributing, and accessing the pages they need without unnecessary distractions or risks.
- Support roles can step in to help with disputes, refunds, or moderation, without being able to touch projects or sensitive booth settings.
The benefit to you is simple: you get the workflow you're already used to, just more secure and clearer. If you were part of a team before coming to Uhpenry, you'll find it easy to rebuild the same structure here. Owners can customize roles, assign responsibilities, and fine-tune access so your booth works exactly the way you want it to.
In short: Atomic Permissions put you in control. You don't have to worry about giving away too much access or blocking people unnecessarily. Every permission is intentional, every role is flexible, and every member knows what they can (and can't) do. This keeps booths safe, organized, and aligned with how you want to collaborate.