RBAC and GAC

[danciaclara]

Description

Type of Change

• Bug fix (non-breaking change which fixes an issue)
• Feature (non-breaking change which adds functionality)
• Improvement (change that would cause existing functionality to not work as expected)
• Code refactoring
• Performance improvements
• Documentation update

Screenshots and Media (if applicable)

Test Scenarios

References

Summary by CodeRabbit

• Documentation

  • Reorganized and expanded documentation for roles and permissions with new comprehensive guides covering member roles, permission schemes, custom roles, and detailed permission matrices.
  • Updated terminology: "Member" role renamed to "Contributor"; "Guest view access" replaced by "Commenter" role.
  • Added guidance for custom roles and improved clarity on how permissions work across workspace and project scopes.

• Chores

  • Updated navigation structure and URL redirects for documentation consistency.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
docs	Ready	Preview, Comment	Apr 15, 2026 2:52pm

[coderabbitai]

Warning

Rate limit exceeded

@danciaclara has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 36 minutes and 10 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 36 minutes and 10 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c7c90405-02e7-4067-8719-251b9da8b4b3

📥 Commits

Reviewing files that changed from the base of the PR and between 86f492f and b87764a.

📒 Files selected for processing (8)

• docs/.vitepress/config.ts
• docs/core-concepts/projects/manage-project-members.md
• docs/core-concepts/workspaces/members.md
• docs/roles-and-permissions/custom-roles.md
• docs/roles-and-permissions/member-roles.md
• docs/roles-and-permissions/overview.md
• docs/roles-and-permissions/permission-schemes.md
• docs/roles-and-permissions/permissions-matrix.md

📝 Walkthrough

Walkthrough

This PR reorganizes documentation around roles, permissions, and member management. It moves content from workspaces-and-users/ to a new roles-and-permissions/ directory, updates role terminology (Member → Contributor), adds comprehensive guides for custom roles and permission schemes, and implements Vercel redirects for backward compatibility.

Changes

Cohort / File(s)	Summary
Navigation & Configuration docs/.vitepress/config.ts, vercel.json	Updated VitePress sidebar to rename "Members" section to "Roles and permissions" with new link to overview page; added Vercel redirects from old workspaces-and-users/* paths to new roles-and-permissions/* paths.
Removed Documentation docs/workspaces-and-users/permissions.md, docs/workspaces-and-users/roles.md	Removed legacy permissions matrix and roles reference documentation (totaling ~2044 lines) in preparation for new consolidated structure.
New Roles & Permissions Documentation docs/roles-and-permissions/overview.md, docs/roles-and-permissions/member-roles.md, docs/roles-and-permissions/permission-schemes.md, docs/roles-and-permissions/custom-roles.md, docs/roles-and-permissions/permissions-matrix.md	Added five new comprehensive documentation pages covering RBAC model overview, system/custom role reference, permission scheme creation, custom role management, and exhaustive role-by-role permissions matrix (~550 lines new).
Updated Workspace & Project Documentation docs/core-concepts/workspaces/overview.md, docs/core-concepts/workspaces/members.md, docs/core-concepts/projects/manage-project-members.md, docs/introduction/tutorials/invite-members.md	Updated role references, terminology (Member → Contributor), URL links to new documentation structure, CSV import examples, and "Last admin protection" guardrails.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 A warren of roles now reorganized clear,
Permission schemes flourish, the structure so dear,
From Contributors dancing to Custom roles new,
The permissions matrix blooms in full view!
Old paths now redirect with redirects so swift—
A documentation rebirth, what a delightful gift! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'RBAC and GAC' is extremely vague and does not meaningfully convey what the changeset actually contains—a comprehensive restructuring of documentation around roles, permissions, workspace membership, and related configuration changes.	Revise the title to be more descriptive of the actual changes, such as 'Reorganize documentation: consolidate roles and permissions content under new RBAC/GAC structure' or similar.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch rbac-and-gac

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 8

🧹 Nitpick comments (2)

docs/roles-and-permissions/custom-roles.md (1)

89-91: “One-time inheritance” label is misleading for described behavior.

The note describes ongoing linkage to system scheme updates, not one-time inheritance. Consider renaming the callout title to avoid confusion.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/roles-and-permissions/custom-roles.md` around lines 89 - 91, The callout
title "One-time inheritance" is misleading because the text describes live
linkage to the system scheme; change the callout header token from "One-time
inheritance" (the ::: info block title) to a clearer label such as "Linked
inheritance" or "Live inheritance" and update the callout body if necessary to
match the new title so the header and description are consistent (look for the
::: info One-time inheritance block and replace the title token and any
contradictory wording).

docs/roles-and-permissions/member-roles.md (1)

54-56: Consider varying sentence starts in this paragraph.

Minor readability nit: consecutive sentences begin with “Project Admin...”.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/roles-and-permissions/member-roles.md` around lines 54 - 56, The two
consecutive sentences both start with "Project Admin", making the paragraph
repetitive; edit the sentences that reference "Project Admin" and "Project
Admins" to vary sentence openings — e.g., keep the first sentence describing
permissions ("Project Admin has full control..."), change the second to start
with a pronoun or role-based lead ("They can also delete or archive the project
itself.") or restructure into one fluent sentence, and ensure the following
guidance sentence ("Use Project Admin for...") remains distinct; update
occurrences of "Project Admin" and "Project Admins" in this paragraph
accordingly.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/roles-and-permissions/custom-roles.md`:
- Around line 12-13: The markdown references dead routes
"/roles-and-permissions/member-roles-and-permissions" and
"/workspaces-and-users/create-permission-schemes"; update those anchor URLs to
the current roles-and-permissions routes used elsewhere in the docs (replace
each occurrence at the mentions around the first block and also occurrences near
lines 48-49 and 95-97). Locate the link markup text "[Roles and permissions]"
and "[Create permission schemes]" and swap their hrefs to the new, existing
routes used by the site (or update them to relative paths that match the current
roles-and-permissions section), ensuring all three occurrences are replaced
consistently.

In `@docs/roles-and-permissions/member-roles.md`:
- Line 10: Update the two stale links that point to removed routes by replacing
occurrences of the dead paths
"/roles-and-permissions/member-roles-and-permissions" and
"/workspaces-and-users/create-custom-roles" in the document (seen in the text
"For the conceptual background..." and the other occurrences around lines 133
and 149) with the current, canonical routes for those pages; find the correct
target URLs by searching the docs for the pages titled "Roles and permissions"
and "Create custom roles" and update the anchor hrefs so navigation no longer
fails.

In `@docs/roles-and-permissions/overview.md`:
- Around line 24-33: Add a language identifier to the fenced code block
containing the workspace hierarchy (the triple-backtick block that starts at the
diagram showing "Workspace ├── Project ...") to satisfy markdownlint MD040; for
example, change the opening fence from ``` to ```text so the block is explicitly
marked as plain text and the linter stops flagging it.
- Around line 135-136: Update the two dead links by changing the href targets
for the "Create custom roles" and "Create permission schemes" anchor texts to
the new routes under roles-and-permissions; replace the deprecated
/workspaces-and-users/create-custom-roles with the new
/roles-and-permissions/create-custom-roles and replace
/workspaces-and-users/create-permission-schemes with
/roles-and-permissions/create-permission-schemes so the links in the lines
containing "Create custom roles" and "Create permission schemes" point to the
correct pages.

In `@docs/roles-and-permissions/permission-schemes.md`:
- Line 10: This page contains dead internal links (e.g. the hrefs
"/roles-and-permissions/member-roles-and-permissions",
"/workspaces-and-users/create-custom-roles",
"/workspaces-and-users/disable-system-roles") that trigger VitePress CI
warnings; update each broken anchor to the correct relative doc path or use the
canonical permalinks used elsewhere in the site, ensuring link targets exist and
use consistent trailing slashes (or remove them) so VitePress can resolve
them—search for those exact strings in the file (and the similar occurrences
around lines 94–96) and replace them with the correct routes used by the docs
site.

In `@docs/roles-and-permissions/permissions-matrix.md`:
- Line 10: The markdown contains dead links pointing to
/roles-and-permissions/member-roles-and-permissions (e.g., the sentence "For
conceptual background, see [Roles and
permissions](/roles-and-permissions/member-roles-and-permissions)"); update
those link targets to /roles-and-permissions/overview everywhere they appear
(also replace any other occurrences of
/roles-and-permissions/member-roles-and-permissions such as the second instance
near the bottom), ensuring the link text remains correct and the new URL is used
consistently.
- Around line 21-23: Update the first paragraph so it matches the actual tables:
instead of saying "The Owner column is omitted from individual tables and
assumed ✓ throughout," change the wording to state that the Owner column is
included in the workspace tables and that Workspace Owner holds a full-access
wildcard (appearing as ✓ throughout). Also ensure the following sentence about
"Workspace Admin and Owner bypass projects" remains accurate and consistent with
the new Owner wording.
- Line 570: Update the markdown link "[Create custom
roles](/workspaces-and-users/create-custom-roles)" to point to the new
documentation route (replace the old /workspaces-and-users path with the current
docs path for custom roles), i.e. locate the link text "Create custom roles" in
permissions-matrix.md and change its target URL to the new
/roles-and-permissions/create-custom-roles (or the project's canonical new
route) so CI no longer flags the outdated path.

---

Nitpick comments:
In `@docs/roles-and-permissions/custom-roles.md`:
- Around line 89-91: The callout title "One-time inheritance" is misleading
because the text describes live linkage to the system scheme; change the callout
header token from "One-time inheritance" (the ::: info block title) to a clearer
label such as "Linked inheritance" or "Live inheritance" and update the callout
body if necessary to match the new title so the header and description are
consistent (look for the ::: info One-time inheritance block and replace the
title token and any contradictory wording).

In `@docs/roles-and-permissions/member-roles.md`:
- Around line 54-56: The two consecutive sentences both start with "Project
Admin", making the paragraph repetitive; edit the sentences that reference
"Project Admin" and "Project Admins" to vary sentence openings — e.g., keep the
first sentence describing permissions ("Project Admin has full control..."),
change the second to start with a pronoun or role-based lead ("They can also
delete or archive the project itself.") or restructure into one fluent sentence,
and ensure the following guidance sentence ("Use Project Admin for...") remains
distinct; update occurrences of "Project Admin" and "Project Admins" in this
paragraph accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 917187de-4387-46ca-9995-a442e6ab33ea

📥 Commits

Reviewing files that changed from the base of the PR and between c467a3d and 86f492f.

📒 Files selected for processing (13)

• docs/.vitepress/config.ts
• docs/core-concepts/projects/manage-project-members.md
• docs/core-concepts/workspaces/members.md
• docs/core-concepts/workspaces/overview.md
• docs/introduction/tutorials/invite-members.md
• docs/roles-and-permissions/custom-roles.md
• docs/roles-and-permissions/member-roles.md
• docs/roles-and-permissions/overview.md
• docs/roles-and-permissions/permission-schemes.md
• docs/roles-and-permissions/permissions-matrix.md
• docs/workspaces-and-users/permissions.md
• docs/workspaces-and-users/roles.md
• vercel.json

💤 Files with no reviewable changes (2)

• docs/workspaces-and-users/permissions.md
• docs/workspaces-and-users/roles.md

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Add a language to the fenced code block.

Line 24 uses a fenced code block without a language, which triggers markdownlint (MD040).

Proposed fix

-```
+```text
 Workspace
   ├── Project
   │     ├── Work items, Epics, Modules, Cycles
   │     ├── Pages, Views, Intake
   │     └── Labels, States, Estimates, ...
   ├── Teamspace ──(grants access to)──► Project
   ├── Wiki, Initiatives, Releases, Dashboards
   └── Integrations, Webhooks, Analytics, ...

</details>

<!-- suggestion_start -->

<details>
<summary>📝 Committable suggestion</summary>

> ‼️ **IMPORTANT**
> Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

```suggestion

🧰 Tools

🪛 markdownlint-cli2 (0.22.0)

[warning] 24-24: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/roles-and-permissions/overview.md` around lines 24 - 33, Add a language
identifier to the fenced code block containing the workspace hierarchy (the
triple-backtick block that starts at the diagram showing "Workspace ├── Project
...") to satisfy markdownlint MD040; for example, change the opening fence from
``` to ```text so the block is explicitly marked as plain text and the linter
stops flagging it.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Fix dead links to custom roles and permission schemes pages.

Line 135 and Line 136 point to deprecated paths that CI already flags as dead. Update these to the new roles-and-permissions routes.

Proposed fix

-- To create custom roles, see [Create custom roles](/workspaces-and-users/create-custom-roles).
-- To build reusable permission bundles, see [Create permission schemes](/workspaces-and-users/create-permission-schemes).
+- To create custom roles, see [Create custom roles](/roles-and-permissions/custom-roles).
+- To build reusable permission bundles, see [Create permission schemes](/roles-and-permissions/permission-schemes).

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- To create custom roles, see [Create custom roles](/workspaces-and-users/create-custom-roles).
	- To build reusable permission bundles, see [Create permission schemes](/workspaces-and-users/create-permission-schemes).
	- To create custom roles, see [Create custom roles](/roles-and-permissions/custom-roles).
	- To build reusable permission bundles, see [Create permission schemes](/roles-and-permissions/permission-schemes).

🧰 Tools

🪛 LanguageTool

[style] ~135-~135: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ...pts/projects/manage-project-members). - To create custom roles, see [Create custom...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

---

[style] ~136-~136: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ...paces-and-users/create-custom-roles). - To build reusable permission bundles, see ...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/roles-and-permissions/overview.md` around lines 135 - 136, Update the
two dead links by changing the href targets for the "Create custom roles" and
"Create permission schemes" anchor texts to the new routes under
roles-and-permissions; replace the deprecated
/workspaces-and-users/create-custom-roles with the new
/roles-and-permissions/create-custom-roles and replace
/workspaces-and-users/create-permission-schemes with
/roles-and-permissions/create-permission-schemes so the links in the lines
containing "Create custom roles" and "Create permission schemes" point to the
correct pages.