Skip to content

Roles and RBAC

Fontana uses role-based access control (RBAC) in two layers:

  1. Zitadel - who the user is, MFA, and which role name they hold (project role grant)
  2. Flow / Convex - what that role can do via a static permission catalog and dynamic role documents

You assign roles in Zitadel (or via SCIM when enabled). Admins define permission sets in Admin → Roles. There are no per-user permission overrides in the app: effective permissions always come from the user’s assigned role.

Zitadel project role (e.g. editor)
→ JWT claim on login
→ Convex storeUser → users.roleId
→ roles.permissions → effective permission list
→ Flow sidebar, pages, and mutations
LayerYou configureFontana stores
IdentityZitadel (SSO, MFA, project role grants, SCIM when enabled)User profile, enabled flag, projected roleId
AuthorizationAdmin → Roles (permission sets), Admin → Users (enable/disable only)Convex roles table, permission checks on every mutation

Zitadel project role keys must match Convex role names exactly (for example admin, editor, viewer, member). If the token carries a role name with no matching Convex role, the user signs in but receives no permissions until an admin creates the role or fixes the Zitadel grant.

Four roles are upserted on every workspace seed. Custom roles you create in Admin are never modified by seed.

RoleTypical usePermission summary
adminPlatform and security administratorsWildcard * (all permissions)
editorBuilders and analysts who create workflows, agents, and knowledgeFull read/write on workflows, agents, skills, Knowledge Graph, files, and evals; AI model selection; no user admin or platform deploy
viewerRead-only operators and reviewersRead workflows, agents, skills, Knowledge Graph, files, evals, and explore; edit own profile
memberMinimal accessExplore, read workflows, edit own profile

Grant these roles in Zitadel as project roles on the Flow application. Provisioning seeds a break-glass admin@fontana.local account with the admin project role on fresh installs.

Permissions use resource:action ids (OAuth2-compatible), defined in the static catalog shipped with Fontana:

ResourceExample actionsWhat it gates
workflowsread, write, deleteCanvas, workflow lists, run and edit
agentsread, write, deleteAI agent definitions and Admin agent surfaces
skillsread, write, deleteSkill packages
knowledge-graphread, write, deleteKnowledge Graph documents and namespaces
evalsread, write, run, deleteEvaluation tests
filesread, write, deleteFile browser and uploads
aipage, select_model, add_model, …Usage page, model approval, defaults
usersread, write, create, delete, enableAdmin → Users and user management
teamsadminAdmin → Teams (create, rename, membership)
platformread, writeAdmin → Deployment, API keys, releases
profileread, write, allow_email_changeUser profile and preferences
explorereadCommunity template explore
audit_logs_ownreadLLM debug for the caller’s chat threads
audit_logs_teamreadLLM debug for any user’s threads (high trust)

Wildcards are supported when editing roles in Admin:

  • * - all permissions (used by default admin)
  • workflows.* - all actions on one resource area

Admin → Roles lets you:

  • Create custom roles with any combination of catalog permissions or wildcards
  • Edit permission sets for custom roles (default seed roles can be edited like any other Convex role document)
  • Delete custom roles that are no longer needed

After you create a custom role in Flow, grant the matching project role name in Zitadel so users receive it on login.

Teams add a second dimension for team-bound workflows:

  • teams:admin - create teams, rename teams, and manage team membership (viewer or editor on the team)
  • Team-bound workflows require both global workflows:* permissions and team membership with the right team role

Personal workflows (teamId unset) follow global RBAC only. See Admin → Teams and Team Workflows in the sidebar.

Flow hides sidebar entries and blocks routes when the signed-in user lacks the required permission. Examples:

RoutePermission required
/workflows, /workflowworkflows:read
/agents, /toolsagents:read
/knowledge-graphknowledge-graph:read
/usage, /threadsai:page
/admin/users, /admin/rolesusers:read
/admin/teamsteams:admin
/admin/deploymentplatform:read
/audit-logs/chat (own)audit_logs_own:read

Backend mutations call the same permission checks; missing permission fails closed with an error.

When an admin disables a user in Admin → Users, effective permissions become empty immediately regardless of role. Re-enable restores permissions from the assigned role.

Privileged RBAC changes (role edits, user enable/disable, team membership) should appear in admin audit logs and, when producers are enabled, the immutable security audit trail. See Immutable audit trail.