Role Actions
Convex represents every permission you can grant on a team, project, or deployment as a named role action. Both the built-in team roles (Admin and Developer) and custom roles are defined in terms of the same set of role actions, so this page works as a reference for both:
- If you're using built-in roles, scan the columns below to see which permissions each role gets.
- If you're writing a custom role, pick the action names you want to allow or deny.
Conventions
Each table lists role actions for one kind of resource, with a column per built-in role:
- Team Admin is granted to any team member with the built-in Admin role.
- Team Developer is granted to any team member with the built-in Developer role. Members assigned custom roles do not receive Developer-level access.
- Project Admin is granted to any team member who additionally holds the Project Admin role on the specific project that owns the resource. Project Admin sits alongside the member's built-in or custom role; Team Admins implicitly have Project Admin on every project.
Cells use these markers:
- ✓ - the role grants this action.
- ✗ - the role does not grant this action.
- ✓ non-prod - the role grants this action only on non-production deployments. Granting the action on a production deployment requires Team Admin or Project Admin on that project.
- N/A - the action does not apply to that role (e.g. Project Admin on team-scoped actions).
Team
Resource leaf: team:*.
| Action | Description | Team Admin | Team Developer |
|---|---|---|---|
| team:update | Change the team name and slug. | ✓ | ✗ |
| team:delete | Delete the team. | ✓ | ✗ |
| team:auditLog:view | View the team's audit log. | ✓ | ✓ |
| team:usage:view | View the team's usage page. | ✓ | ✓ |
Billing
Resource leaf: billing:*.
| Action | Description | Team Admin | Team Developer |
|---|---|---|---|
| billing:paymentMethod:update, billing:contact:update, billing:address:update | Change billing details. | ✓ | ✗ |
| billing:subscription:changePlan | Create, resume, cancel, or change the team's subscription plan. | ✓ | ✗ |
| billing:spendingLimit:update | Set warning and disable spending limits. | ✓ | ✗ |
| billing:view | Read billing details. | ✓ | ✓ |
| billing:invoices:view | Read invoices. | ✓ | ✗ |
OAuth applications
Resource leaf: oauthApplication:*.
| Action | Description | Team Admin | Team Developer |
|---|---|---|---|
| oauthApplication:create, oauthApplication:update, oauthApplication:delete | Manage OAuth applications. | ✓ | ✗ |
| oauthApplication:generateClientSecret | Generate a client secret for an app. | ✓ | ✗ |
| oauthApplication:view | View OAuth applications. | ✓ | ✓ |
SSO
Resource leaf: sso:*.
| Action | Description | Team Admin | Team Developer |
|---|---|---|---|
| sso:enable, sso:disable, sso:update | Manage the SSO configuration. | ✓ | ✗ |
| sso:view | View the SSO configuration. | ✓ | ✓ |
Team integrations
Resource leaf: integration:*.
| Action | Description | Team Admin | Team Developer |
|---|---|---|---|
| integration:create, integration:update, integration:delete | Manage team-level integrations. | ✓ | ✗ |
| integration:view | View team-level integrations. | ✓ | ✓ |
Members
Resource leaf: member:*.
| Action | Description | Team Admin | Team Developer |
|---|---|---|---|
| member:view | View the team's members. | ✓ | ✓ |
| member:invite, member:cancelInvitation, member:remove | Manage team membership. | ✓ | ✗ |
| member:updateRole | Change a team member's team role. | ✓ | ✗ |
Custom roles
Resource leaf: customRole:*.
| Action | Description | Team Admin | Team Developer |
|---|---|---|---|
| customRole:view | View the team's custom role definitions. | ✓ | ✓ |

customRole:create, customRole:update, and customRole:delete are reserved for Team Admins and cannot be granted through a custom role.
Projects
Resource leaf: project:* (or project:slug=…, project:id=…). Project Admin
applies on the specific project the action targets.
| Action | Description | Team Admin | Team Developer | Project Admin |
|---|---|---|---|---|
| project:create | Create new projects. | ✓ | ✓ | N/A |
| project:view | View projects in the team. | ✓ | ✓ | ✓ |
| project:update, project:delete | Update or delete a project. | ✓ | ✗ | ✓ |
| project:updateMemberRole | Assign or remove the Project Admin role on a project. | ✓ | ✗ | ✓ |
| project:transfer, project:receive | Transfer projects between teams. | ✓ | ✗ | ✗ |
Default project environment variables
Resource leaf: project:…:defaultEnvironmentVariable:*.
| Action | Description | Team Admin | Team Developer | Project Admin |
|---|---|---|---|---|
| defaultEnvironmentVariable:view | View default project environment variables. | ✓ | ✓ | ✓ |
| defaultEnvironmentVariable:create, defaultEnvironmentVariable:update, defaultEnvironmentVariable:delete | Manage default project environment variables. | ✓ | ✗ | ✓ |
Deployments
Resource leaf: project:…:deployment:* (optionally filtered with selectors like
:type=prod).
Most deployment-modifying actions are gated by whether the deployment is production. Team Developers can perform them on dev, preview, and custom deployments via team membership, but production deployments additionally require Team Admin or Project Admin on the owning project. The same split applies to data-plane actions: on a production deployment, a Team Developer gets a read-only deployment identity unless they're also Project Admin on that project.
Lifecycle and configuration
| Action | Description | Team Admin | Team Developer | Project Admin |
|---|---|---|---|---|
| deployment:view | View deployments. | ✓ | ✓ | ✓ |
| deployment:create | Create deployments. | ✓ | ✓ non-prod | ✓ |
| deployment:delete | Delete a deployment. | ✓ | ✓ non-prod | ✓ |
| deployment:transfer, deployment:receive | Transfer a deployment between projects. | ✓ | ✓ non-prod | ✓ |
| deployment:updateReference, deployment:updateDashboardEditConfirmation, deployment:updateExpiresAt, deployment:updateSendLogsToClient, deployment:updateClass, deployment:updateIsDefault, deployment:updateType | Update individual deployment settings. Each gates a single field on the deployment update API. | ✓ | ✓ non-prod | ✓ |
| deployment:customDomain:view | View custom domains. | ✓ | ✓ | ✓ |
| deployment:customDomain:create, deployment:customDomain:delete | Manage custom domains. | ✓ | ✓ non-prod | ✓ |
| deployment:insights:view | View deployment insights. | ✓ | ✓ | ✓ |
| deployment:integrations:view | View deployment-scoped integrations. | ✓ | ✓ | ✓ |
| deployment:integrations:write | Modify deployment-scoped integrations. | ✓ | ✓ non-prod | ✓ |
Data plane and runtime
These actions run against the deployment itself. On production deployments, a Team Developer who isn't also Project Admin gets a read-only deployment identity.
| Action | Description | Team Admin | Team Developer | Project Admin |
|---|---|---|---|---|
| deployment:deploy | Push code to a deployment. | ✓ | ✓ non-prod | ✓ |
| deployment:pause, deployment:unpause | Pause or resume function execution. | ✓ | ✓ non-prod | ✓ |
| deployment:logs:view, deployment:metrics:view, deployment:auditLog:view | Read deployment logs, metrics, and audit log. | ✓ | ✓ | ✓ |
| deployment:env:view | Read the deployment's environment variables. | ✓ | ✓ | ✓ |
| deployment:env:write | Modify the deployment's environment variables. | ✓ | ✓ non-prod | ✓ |
| deployment:data:view | Read the deployment's database tables. | ✓ | ✓ | ✓ |
| deployment:data:write | Modify the deployment's database tables. | ✓ | ✓ non-prod | ✓ |
| deployment:functions:runInternalQueries, deployment:functions:runTestQuery | Run internal queries or test queries against the deployment. | ✓ | ✓ | ✓ |
| deployment:functions:runInternalMutations, deployment:functions:runInternalActions | Run internal mutations or actions against the deployment. | ✓ | ✓ non-prod | ✓ |
| deployment:functions:actAsUser | Run functions as another authenticated user. | ✓ | ✓ non-prod | ✓ |
Backups
| Action | Description | Team Admin | Team Developer | Project Admin |
|---|---|---|---|---|
| deployment:backups:view, deployment:backups:download | View and download deployment backups. | ✓ | ✓ | ✓ |
| deployment:backups:create, deployment:backups:import, deployment:backups:delete | Create, restore, or delete backups. | ✓ | ✓ non-prod | ✓ |
| deployment:backups:configurePeriodic, deployment:backups:disablePeriodic | Configure or disable periodic backups. | ✓ | ✓ non-prod | ✓ |
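
The production gate described in this section, as an added example (not Convex's code or API): a TypeScript model of the Team Developer column for a subset of the deployment actions above, listing what a Team Developer keeps on production and what Project Admin adds. The type and function names are hypothetical, and custom roles are not modelled.

```typescript
// Added illustration; not Convex's implementation. All names are hypothetical.
type Marker = "yes" | "non-prod";
type DeploymentType = "prod" | "dev" | "preview" | "custom";
interface Member {
  teamRole: "admin" | "developer"; // built-in roles only
  projectAdmin: boolean; // Project Admin on the project owning the deployment
}

// Team Developer column, transcribed from the tables on this page (subset).
const TEAM_DEVELOPER: Record<string, Marker> = {
  "deployment:deploy": "non-prod",
  "deployment:logs:view": "yes",
  "deployment:env:view": "yes",
  "deployment:env:write": "non-prod",
  "deployment:data:view": "yes",
  "deployment:data:write": "non-prod",
  "deployment:functions:runInternalQueries": "yes",
  "deployment:functions:runInternalMutations": "non-prod",
  "deployment:functions:actAsUser": "non-prod",
  "deployment:backups:download": "yes",
  "deployment:backups:import": "non-prod",
};

function isGranted(m: Member, action: string, type: DeploymentType): boolean {
  if (!Object.prototype.hasOwnProperty.call(TEAM_DEVELOPER, action)) {
    throw new Error(`unknown action: ${action}`);
  }
  // Team Admins implicitly hold Project Admin on every project, and the
  // Project Admin column is a check mark for every action modelled here.
  if (m.teamRole === "admin" || m.projectAdmin) return true;
  // Plain Team Developer: "yes" applies everywhere, "non-prod" stops at prod.
  return TEAM_DEVELOPER[action] === "yes" || type !== "prod";
}

// Actions a Team Developer gains on production once given Project Admin.
function gainedOnProd(): string[] {
  const dev: Member = { teamRole: "developer", projectAdmin: false };
  const devPA: Member = { teamRole: "developer", projectAdmin: true };
  return Object.keys(TEAM_DEVELOPER)
    .filter((a) => isGranted(devPA, a, "prod") && !isGranted(dev, a, "prod"))
    .sort();
}

// Actions a Team Developer without Project Admin keeps on production.
function keptOnProd(): string[] {
  const dev: Member = { teamRole: "developer", projectAdmin: false };
  return Object.keys(TEAM_DEVELOPER).filter((a) => isGranted(dev, a, "prod")).sort();
}
```

`keptOnProd()` includes deployment:env:view, deployment:data:view and deployment:backups:download, so the read-only production identity still reaches environment variables, table data and backups.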
Access tokens
Access tokens nest under their owning resource. The actions follow the same prefix as the owner: team:token:* for team-scoped tokens, project:token:* for project-scoped tokens, and deployment:token:* for deployment-scoped tokens.
Team-scoped tokens (resource leaf: team:*:token:*)
| Action | Description | Team Admin | Team Developer |
|---|---|---|---|
| team:token:create, team:token:update, team:token:delete, team:token:view | Manage team-scoped access tokens. | ✓ | ✗ |

Members can always update or delete tokens they personally created, regardless of their team role.
Project-scoped tokens (resource leaf: project:…:token:*)
| Action | Description | Team Admin | Team Developer | Project Admin |
|---|---|---|---|---|
| project:token:create, project:token:update, project:token:delete, project:token:view | Manage project-scoped access tokens. | ✓ | ✓ | ✓ |
Deployment-scoped tokens (resource leaf: project:…:deployment:…:token:*)
| Action | Description | Team Admin | Team Developer | Project Admin |
|---|---|---|---|---|
| deployment:token:create, deployment:token:update, deployment:token:delete, deployment:token:view | Manage deployment-scoped access tokens. | ✓ | ✓ non-prod | ✓ |