Summary
Add general user permission settings so Exceptionless can grant users more granular access than today’s broad user/admin roles, and use that model as the long-term foundation for app, API, MCP, and OAuth authorization.
Why
The MCP/OAuth work introduces granular scopes such as projects:read, stacks:read, stacks:write, and events:read. The normal app/API still mostly uses broader roles like user, client, and global. Users have asked for more security controls for their users, and we should avoid building parallel permission systems for MCP/OAuth and the main app.
Proposed scope
- Define a durable organization/user permission model.
- Store permissions per user per organization or membership, rather than only on OAuth clients.
- Add management UI in the new Svelte system/settings area.
- Make normal app/API authorization respect those permissions while preserving existing behavior by default.
- Ensure OAuth scopes cannot grant more access than the signed-in user actually has.
- Align MCP tools, OAuth API access, and app/API authorization around the same permission concepts over time.
Suggested first pass
- Keep default behavior backwards compatible: existing users retain their current access unless permissions are explicitly restricted.
- Start with coarse but useful permissions that map to current MCP/OAuth scopes:
- projects read
- stacks read
- stacks write
- events read
- administrative/system settings access, if needed separately
- Add server-side enforcement before relying on UI-only restrictions.
- Avoid replacing all existing controller policies in one PR; migrate high-value surfaces first.
Acceptance criteria
- Organization administrators can view and edit user permissions in the new UI.
- Permissions are persisted and included in authorization decisions.
- Existing unrestricted users continue to behave as they do today.
- Restricted users cannot access disallowed API/app functionality by direct API calls.
- OAuth/MCP authorization is bounded by both requested scopes and the signed-in user’s permissions.
- Tests cover default compatibility, restricted access, allowed access, and OAuth scope + user permission intersection.
Summary
Add general user permission settings so Exceptionless can grant users more granular access than today’s broad user/admin roles, and use that model as the long-term foundation for app, API, MCP, and OAuth authorization.
Why
The MCP/OAuth work introduces granular scopes such as
projects:read,stacks:read,stacks:write, andevents:read. The normal app/API still mostly uses broader roles likeuser,client, andglobal. Users have asked for more security controls for their users, and we should avoid building parallel permission systems for MCP/OAuth and the main app.Proposed scope
Suggested first pass
Acceptance criteria