Authorization & Access Control
Authorization determines what you can do after proving who you are through authentication.
Solatis uses two-layer authorization:
Layer 1: Role-Based Access Control (RBAC)
Your role in a workspace determines your capabilities.
Workspace Roles
| Role | Documents | Agents | Users | Settings | Billing |
|---|---|---|---|---|---|
| Owner | Create/Edit/Delete | Manage | Invite/Remove | Full Control | Full Access |
| Admin | Create/Edit/Delete | Manage | Invite/Remove | Full Control | View Only |
| Editor | Create/Edit/Delete | View | None | View Only | None |
| Viewer | View Only | View | None | None | None |
| Guest | View Specific | None | None | None | None |
Role Assignment
Invite someone with a specific role:
Settings → Team & Access → Invite Members
1. Enter email address
2. Select role
3. Choose workspaces
4. Click "Send Invite"
Change someone's role:
Settings → Team & Access
1. Find person in list
2. Click role dropdown
3. Select new role
4. Changes take effect immediately
Layer 2: Row-Level Security (RLS)
Control access to specific documents beyond just workspace access.
How RLS Works
Even if someone has access to a workspace, they may not see all documents:
Example:
- Workspace has 100 documents
- 80 are public (everyone sees)
- 15 are restricted (legal team only)
- 5 are confidential (executives only)
An Editor sees only the 80 public documents. The restricted documents are hidden.
Setting Document Permissions
Restrict access to a document:
1. Open the document
2. Click 🔒 "Permissions" button
3. Click "Restrict Access"
4. Select who can see it:
- Specific people (alice@, bob@, etc)
- By role (Editors and above)
- By team (Marketing team only)
5. Click "Save"
Who can see what:
| Can See (has permission) | Cannot See (no permission) |
|---|---|
| Document appears in search results | Restricted document does not appear in search |
| Document appears in document list | None - document is hidden |
| Can open via link | Link access denied |
| Can view document details | Cannot view any content |
RLS is Enforced at Database Level
Even if someone:
- ❌ Knows the document ID
- ❌ Has the direct link
- ❌ Tries API access
They still can't access the document without permission. It's enforced by the database before any data is returned.
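The two layers can be modeled as a single deny-by-default check. The sketch below is an added example, not Solatis code: the class and function names are hypothetical, the sample data is constructed to match the 100-document example above, and it assumes that Guests see only documents explicitly shared with them and that no role bypasses a document restriction.

```python
from dataclasses import dataclass

# Role order taken from the Workspace Roles table, lowest to highest.
RANK = {"Guest": 0, "Viewer": 1, "Editor": 2, "Admin": 3, "Owner": 4}

@dataclass
class User:
    email: str
    roles: dict                       # workspace -> role (roles are per-workspace)
    teams: frozenset = frozenset()

@dataclass
class Document:
    doc_id: str
    workspace: str
    restricted: bool = False
    people: frozenset = frozenset()   # "Specific people"
    min_role: str = ""                # "By role", e.g. "Editor" = Editors and above
    teams: frozenset = frozenset()    # "By team"

def can_view(user, doc):
    """Deny by default: layer 1 (workspace role) AND layer 2 (document rule)."""
    role = user.roles.get(doc.workspace)
    if role not in RANK:              # layer 1: no role in this workspace
        return False
    if not doc.restricted:            # assumption: Guests see only explicit shares
        return RANK[role] >= RANK["Viewer"]
    return (user.email in doc.people
            or (bool(doc.min_role) and RANK[role] >= RANK[doc.min_role])
            or bool(user.teams & doc.teams))

def list_documents(user, docs):
    """Listing and search go through the same filter as direct access."""
    return [d for d in docs if can_view(user, d)]

def fetch(user, docs, doc_id):
    """Direct ID or link lookup passes through the same check; None means denied."""
    for d in docs:
        if d.doc_id == doc_id and can_view(user, d):
            return d
    return None

def sample_workspace():
    """Constructed data matching the page: 80 public, 15 legal, 5 executive."""
    docs = [Document(f"pub-{i}", "main") for i in range(80)]
    docs += [Document(f"legal-{i}", "main", True, teams=frozenset({"legal"})) for i in range(15)]
    docs += [Document(f"exec-{i}", "main", True, teams=frozenset({"executives"})) for i in range(5)]
    return docs
```

Because listing, search and direct lookup all call the same `can_view` function, knowing a document ID gives no extra access.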
Permission Hierarchies
Organization Level
The organization owner controls:
- Billing and subscription
- Organization-wide settings
- Team management
Workspace Level
Workspace owners/admins control:
- Who can access the workspace
- What roles people have
- Workspace settings
- Default AI model
Document Level
Document creators can:
- Share with specific people
- Set permissions by role
- Restrict to confidential content
Common Permission Scenarios
Scenario 1: New Team Member
Timeline:
Day 1: Invited with "Editor" role to "Main Workspace"
- Can see all public documents
- Can create new documents
- Cannot modify workspace settings
Day 3: Added to "Projects" workspace
- Now has access to Projects workspace documents
- Roles are per-workspace (could be Viewer in one, Editor in another)
Day 10: Manager restricts access to budget spreadsheet
- Cannot see budget document anymore
- But can see other documents
- Cannot access via direct link
Scenario 2: Confidential Information
Setup for sensitive documents:
1. Create document with confidential info
2. Open document
3. Click Permissions
4. Restrict to: Finance Team (5 people)
5. Finance team sees it, others don't
6. Even if they know document ID, database says "no access"
Scenario 3: Multi-Workspace Access
Employee with different roles in different workspaces:
- Main Workspace: Editor (can create/edit documents)
- Products Workspace: Viewer (read-only)
- Confidential Workspace: No Access (cannot see it)
Each workspace maintains separate permissions.
Best Practices
For Admins
✅ Do:
- Start with Viewer role, escalate if needed
- Use Row-Level Security for sensitive data
- Review access quarterly
- Document why restrictions exist
- Remove access when people leave
❌ Don't:
- Give everyone Owner/Admin roles
- Share credentials between people
- Forget to restrict sensitive docs
- Leave access in place after people leave
For Everyone
✅ Do:
- Ask manager if unsure about access
- Report broken access controls
- Keep your password private
- Respect document restrictions
❌ Don't:
- Try to bypass permissions
- Share credentials
- Access documents you don't need
- Assume you have access you don't
Troubleshooting
Can't See a Document
Check:
1. Are you in the right workspace?
2. Is the document restricted?
- If yes, ask the document owner
3. Does your role have permission?
- Viewers can only view
- Editors can view/edit/delete
Can't Make Someone an Admin
Reasons:
- You're not an Owner
- Solution: Ask workspace owner
Someone Still Has Access After Removal
Actions taken:
1. Immediately signed out all sessions
2. Revoked all active tokens
3. Changes take effect immediately
4. If still seeing: clear cache, sign out completely