RBAC Model and Permissions

Resources

  • project
  • flow
  • step
  • stream
  • state
  • logs
  • metrics
  • traces
  • config
  • diagnostics
  • plugins
  • deployments
  • users
  • roles

Actions

  • read
  • write
  • execute
  • manage
  • admin

Permission Naming

  • resource:action
  • Examples: flow:write, diagnostics:read, config:manage.

Roles

  • platform_admin
  • security_admin
  • org_admin
  • operator
  • developer
  • workbench_user
  • viewer
  • support
  • service_account_ci
  • service_account_runtime

Role Permissions

  • platform_admin: *:*
  • security_admin: roles:manage, users:manage, config:manage, diagnostics:read, logs:read, metrics:read, traces:read
  • org_admin: project:manage, users:manage, roles:manage, deployments:manage, config:manage
  • operator: deployments:manage, logs:read, metrics:read, traces:read, diagnostics:read
  • developer: flow:write, step:write, stream:write, state:read, logs:read, metrics:read, traces:read, diagnostics:read
  • workbench_user: flow:write, step:write, diagnostics:read
  • viewer: flow:read, step:read, logs:read, metrics:read, traces:read
  • support: logs:read, diagnostics:read, metrics:read, traces:read
  • service_account_ci: deployments:manage, config:read, flow:read, step:read
  • service_account_runtime: stream:execute, state:execute, logs:write, metrics:write, traces:write

Endpoint and Capability Mapping

  • GET /__motia/step/:id: diagnostics:read
  • POST /__motia/flows/:id/config: diagnostics:write
  • GET /motia/analytics/*: diagnostics:read
  • Stream subscriptions: stream:read or stream:execute
  • Stream mutation operations: stream:write
  • State get/set/delete: state:execute
  • Plugin registry changes: plugins:manage

Enforcement Points

  • HTTP middleware for route-level authorization.
  • WebSocket handshake and per-subscription authorization.
  • Event adapter wiring for emit/subscribe actions.
  • Workbench UI for feature visibility and client-side gating.

Notes

  • Roles can be scoped per project for multi-tenant deployments.
  • Permissions are additive. Deny lists should be used sparingly.
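The following is an added worked example, not code from the Motia project itself, that ties together the permission naming scheme, the role table, the endpoint mapping and the two notes above. The role-to-permission table and the three HTTP routes are copied from this page; the `Principal`/`RoleBinding` shapes, the deny-list field, the `isAllowed`, `effectivePermissions`, `matchRoute` and `authorizeRequest` functions, and the per-project scoping rule (an unscoped binding applies everywhere, a scoped one only inside its project) are assumptions made for the example.

```typescript
// Added example: a minimal checker for the resource:action permission model on this page.
// ROLE_PERMISSIONS and ENDPOINT_PERMISSIONS are copied from the page; everything else
// (types, function names, scoping and deny-list semantics) is an assumption for illustration.

type Permission = string; // "resource:action"; "*" may stand in for either side, as in platform_admin's "*:*"

// Role -> permissions, copied from the "Role Permissions" section.
const ROLE_PERMISSIONS: { [role: string]: Permission[] } = {
  platform_admin: ["*:*"],
  security_admin: ["roles:manage", "users:manage", "config:manage", "diagnostics:read", "logs:read", "metrics:read", "traces:read"],
  org_admin: ["project:manage", "users:manage", "roles:manage", "deployments:manage", "config:manage"],
  operator: ["deployments:manage", "logs:read", "metrics:read", "traces:read", "diagnostics:read"],
  developer: ["flow:write", "step:write", "stream:write", "state:read", "logs:read", "metrics:read", "traces:read", "diagnostics:read"],
  workbench_user: ["flow:write", "step:write", "diagnostics:read"],
  viewer: ["flow:read", "step:read", "logs:read", "metrics:read", "traces:read"],
  support: ["logs:read", "diagnostics:read", "metrics:read", "traces:read"],
  service_account_ci: ["deployments:manage", "config:read", "flow:read", "step:read"],
  service_account_runtime: ["stream:execute", "state:execute", "logs:write", "metrics:write", "traces:write"],
};

// Assumed shapes: a role assignment optionally scoped to one project (multi-tenant note),
// and a principal holding several bindings plus an optional, sparingly used deny list.
interface RoleBinding { role: string; project?: string }
interface Principal { bindings: RoleBinding[]; deny?: Permission[] }

// Split "resource:action" and reject anything that does not have exactly two non-empty parts.
function parsePermission(p: Permission): [string, string] {
  const parts = p.split(":");
  if (parts.length !== 2 || parts[0] === "" || parts[1] === "") throw new Error("malformed permission: " + p);
  return [parts[0], parts[1]];
}

// Does a granted permission (possibly containing "*") cover the required one?
function covers(granted: Permission, required: Permission): boolean {
  const g = parsePermission(granted);
  const r = parsePermission(required);
  return (g[0] === "*" || g[0] === r[0]) && (g[1] === "*" || g[1] === r[1]);
}

// Permissions are additive: the union of every binding that applies in `project`.
function effectivePermissions(principal: Principal, project?: string): Permission[] {
  const out: Permission[] = [];
  for (let i = 0; i < principal.bindings.length; i++) {
    const b = principal.bindings[i];
    if (b.project !== undefined && b.project !== project) continue; // scoped to another project
    const perms = ROLE_PERMISSIONS[b.role];
    if (!perms) throw new Error("unknown role: " + b.role);
    for (let j = 0; j < perms.length; j++) if (out.indexOf(perms[j]) === -1) out.push(perms[j]);
  }
  return out;
}

// A deny entry wins over any grant; otherwise any covering grant allows.
function isAllowed(principal: Principal, required: Permission, project?: string): boolean {
  const deny = principal.deny || [];
  for (let i = 0; i < deny.length; i++) if (covers(deny[i], required)) return false;
  const granted = effectivePermissions(principal, project);
  for (let i = 0; i < granted.length; i++) if (covers(granted[i], required)) return true;
  return false;
}

// Route -> required permission, copied from "Endpoint and Capability Mapping".
const ENDPOINT_PERMISSIONS: { method: string; pattern: string; required: Permission }[] = [
  { method: "GET", pattern: "/__motia/step/:id", required: "diagnostics:read" },
  { method: "POST", pattern: "/__motia/flows/:id/config", required: "diagnostics:write" },
  { method: "GET", pattern: "/motia/analytics/*", required: "diagnostics:read" },
];

// Assumed matcher: ":name" matches one non-empty segment, a trailing "*" matches the rest.
function matchRoute(pattern: string, path: string): boolean {
  const pp = pattern.split("/");
  const ps = path.split("/");
  for (let i = 0; i < pp.length; i++) {
    if (pp[i] === "*") return true;
    if (ps[i] === undefined) return false;
    if (pp[i].charAt(0) === ":") { if (ps[i] === "") return false; continue; }
    if (pp[i] !== ps[i]) return false;
  }
  return pp.length === ps.length;
}

// The decision the HTTP middleware enforcement point would make for one request.
// Unmapped routes are reported separately so the caller can default-deny them.
function authorizeRequest(principal: Principal, method: string, path: string, project?: string): "allow" | "deny" | "unmapped" {
  for (let i = 0; i < ENDPOINT_PERMISSIONS.length; i++) {
    const e = ENDPOINT_PERMISSIONS[i];
    if (e.method === method && matchRoute(e.pattern, path)) {
      return isAllowed(principal, e.required, project) ? "allow" : "deny";
    }
  }
  return "unmapped";
}
```

Two things the table makes visible once it is executable: `POST /__motia/flows/:id/config` requires `diagnostics:write`, which only `platform_admin` holds (through `*:*`), so every other role is denied on that route; and because grants are additive, a principal with a project-scoped `developer` binding gets `flow:write` only when the request is evaluated against that project. The Workbench's client-side gating hides features, but the server-side checks at the HTTP, WebSocket and event-adapter enforcement points are where a decision like `authorizeRequest` has to run.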