Nolixan

Team, roles & RBAC

Invite teammates, assign roles, and define custom roles with a deny-list permission model and production-scoped permissions.

Nolixan uses a deny-list RBAC model: a role starts from a base and is denied specific permissions. Production-sensitive actions (writes, secret reads, deletes) are gated by dedicated permissions, so you can let people work in development while locking down production.

Built-in roles

RoleAccess
administratorFull access (no denials)
development_full_accessEverything except production access
production_supportRead-only production; no admin, no secret reads

Manage the team

Routes under /api/v1/team (JWT auth).

MethodPathPurpose
GET/team/Account + members (id, name, email, role, active)
PATCH/team/users/{user_id}Change a member's role — body { "role": "…" }
DELETE/team/users/{user_id}Remove a member

Changing roles requires canUpdateTeamMember; removal requires canRemoveTeamMember.

Custom roles

Define your own roles by starting from a base role and denying specific permissions (and, optionally, attribute conditions). Routes under /api/v1/roles (canManageTeam).

MethodPathPurpose
GET/roles/List custom roles
POST/roles/Create — { name, base_role, denied_permissions[], attribute_conditions{} }
PATCH/roles/{role_id}Update
DELETE/roles/{role_id}Delete
curl -X POST https://your-host/api/v1/roles/ \
  -H "Authorization: Bearer <JWT>" -H "Content-Type: application/json" \
  -d '{
    "name": "billing-readonly",
    "base_role": "production_support",
    "denied_permissions": ["canManageBilling", "canChangePlan"]
  }'

Key permissions

  • Admin: canManageTeam, canInviteMember, canManageBilling, canManagePolicies, canManageAgents, canCreateEnvironment.
  • Production writes: canWriteProdConnections, canWriteProdIntegrations, canWriteProdWebhooks, canDeleteProd*.
  • Production secrets: canReadProdSecretKey, canReadProdConnectionCredentials.

These permissions are enforced on every route — combined with separation of duties, the person who requests a sensitive action can't be the one who approves it.

On this page