Runtime Roles
| Role | Access Level | Can Record Steps | Notifications |
|---|---|---|---|
| Owner | Full access | ✓ Yes | All events |
| Participant | Read/write | ✓ Yes | Violations, completions |
| Observer | Read-only | ✗ No | Completions only |
| External | Own data only | ✓ Yes (own) | Own events only |
Permission Categories
| Category | Permission | Description |
|---|---|---|
| Thread | View thread | Read thread metadata and steps |
| | Modify thread | Add references, change metadata |
| | Manage access | Grant/revoke access to others |
| Step | View steps | Read all step data and context |
| | Record steps | Add new steps to thread |
| | Own steps | Access only steps you created |
| Notification | Violations | Receive rule violation events |
| | Completions | Receive step completion events |
| | Failures | Receive step failure events |
Best Practices
- Principle of least privilege - Grant minimum necessary access
- Role-based access - Use roles instead of individual permissions
- Regular audits - Review and remove unnecessary access
- Temporary access - Grant time-limited access when needed
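
One way the role table and the time-limited access practice above could be enforced, as an added example that is not the product's own code. The `Grant` type, the function names and the reading of "own events only" as any event kind on the user's own steps are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

ALL_EVENTS = {"violation", "completion", "failure"}
# Role table from this page as data: (sees all steps, may record, event kinds)
ROLES = {
    "owner":       (True,  True,  ALL_EVENTS),
    "participant": (True,  True,  {"violation", "completion"}),
    "observer":    (True,  False, {"completion"}),
    # Assumption: "own events only" = any event kind, but only on own steps.
    "external":    (False, True,  ALL_EVENTS),
}

@dataclass(frozen=True)
class Grant:  # hypothetical record of one user's access to a thread
    user: str
    role: str
    expires_at: Optional[datetime] = None  # None = permanent grant

    def active(self, now: datetime) -> bool:
        return self.expires_at is None or now < self.expires_at

def can_view_step(grant: Grant, step_author: str, now: datetime) -> bool:
    """Deny on unknown role or expired grant; External sees only its own steps."""
    role = ROLES.get(grant.role)
    if role is None or not grant.active(now):
        return False
    return role[0] or step_author == grant.user

def can_record_step(grant: Grant, now: datetime) -> bool:
    role = ROLES.get(grant.role)
    return role is not None and grant.active(now) and role[1]

def should_notify(grant: Grant, kind: str, step_author: str, now: datetime) -> bool:
    """Deliver an event only if the step is visible and the kind is subscribed."""
    return can_view_step(grant, step_author, now) and kind in ROLES[grant.role][2]

def expired_grants(grants: list[Grant], now: datetime) -> list[Grant]:
    """Audit helper: grants past their expiry that should be revoked."""
    return [g for g in grants if not g.active(now)]

# Constructed sample data (users and times are made up for this example).
NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)
GRANTS = [
    Grant("alice", "owner"),
    Grant("vendor", "external", NOW + timedelta(days=7)),
    Grant("auditor", "observer", NOW - timedelta(days=1)),  # already expired
]
```

Every check takes the current time, so an expired grant is denied even before an audit removes it.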