Roles and permissions#

Sysand Index uses separate role systems for organizations and projects. Organization roles control the shared publisher namespace. Project roles control one Sysand project.

Organization roles#

Capability

Owner

Manager

Member

Update organization profile

Yes

Yes

No

View organization projects

Yes

Yes

No

View organization members

Yes

Yes

No

View organization teams

Yes

Yes

No

Receive team-derived project access

Yes

Yes

Yes

Invite, remove, or change organization members

Yes

No

No

Create, update, or delete organization teams

Yes

No

No

Add or remove team members

Yes

No

No

Add, change, or remove team project access

Yes

No

No

Administer project access for organization projects

Yes

No

No

Update organization settings or delete the organization

Yes

No

No

Project roles#

Project roles can be direct or team-derived. Direct project roles come from project membership. Team-derived roles come from an organization team with project access.

Organization Owners can administer access for projects in the organization namespace without becoming project members themselves. That lets them add, change, and remove team access from project Members pages, invite direct project members, and change direct project member roles. It does not grant upload access, token access, trusted publishing management, project settings, or project deletion. Those operational privileges still require direct or team-derived project access.

Capability

Owner

Maintainer

Upload releases

Yes

Yes

Manage project API tokens

Yes

Yes

View direct project members and pending invitations

Yes

Yes

View read-only team access for organization projects

Yes

Yes

Invite, remove, or change direct project members

Yes

No

Manage trusted publishers

Yes

No

Update project settings or delete the project

Yes

No

Effective project access#

A user can have more than one access path to the same organization project:

  • direct project membership

  • one or more organization teams with project access

Sysand Index combines those paths and uses the highest project role. Owner is higher than Maintainer. For example, a user with direct Maintainer access and team-derived Owner access is treated as an effective Owner.

Removing a team access path does not remove direct project membership. Removing direct project membership does not remove team-derived access.

Team identifiers#

Organization teams have both an identifier and a display name.

The identifier:

  • is unique within the organization

  • appears in team management URLs

  • is used with the organization namespace in compact labels such as @sensmetry:release-team

  • must be 3-50 characters

  • may contain lowercase ASCII letters, digits, and single hyphens between characters

  • must start and end with a lowercase ASCII letter or digit

The team identifier uses the same constrained shape as organization namespace identifiers:

^[a-z0-9](?:[a-z0-9]|-(?=[a-z0-9])){1,48}[a-z0-9]$

The display name can be up to 255 characters and may contain letters, numbers, spaces, hyphens, apostrophes, and periods.

First project in an organization namespace#

An Organization Owner or Manager can create the first project in an organization namespace with an account API token. The successful first upload makes the uploader a direct project Owner. Later releases require effective project Owner or Maintainer access.

Owner continuity#

Every project must keep at least one effective Owner. Sysand Index blocks membership and team changes that would leave a project without one.

Blocked changes include:

  • demoting or removing the last effective project Owner

  • removing the last member from a team that provides the only Owner path

  • downgrading or removing a team’s Owner project access when it is the only Owner path

  • deleting a team when doing so would leave any organization project without an effective Owner

  • removing an organization member when their team memberships provide the only Owner path for an organization project

For a step-by-step team workflow, see Manage organization team access.