Roles & Permissions

Every user in your organization has exactly one role. That role defines a set of permissions across eight categories: team management, billing, API keys, memories, settings, security, integrations, and SCIM. Permissions are evaluated on every request — both in the dashboard UI (pages are hidden if you lack permission) and in the API (requests return 403 Forbidden).

• Organization-scoped. Roles are defined per organization. A user can have different roles in different organizations.
• System vs. custom. System roles are built-in and cannot be modified or deleted. Custom roles (Enterprise only) let you create tailored permission sets for your team’s specific needs.
• No implicit inheritance. Each role has an explicit list of granted permissions. Nothing is assumed — if a permission isn’t listed, it’s denied.

MemorySync ships with five system roles. These cover the most common team structures and cannot be edited or deleted.

Permissions are organized into eight categories. Each permission is a simple boolean — either granted or not. Some permissions are marked as dangerous, meaning they can cause irreversible changes (like deleting an organization or revoking all API keys).

Enterprise plans can create custom roles with exactly the permissions their team needs. Custom roles are useful when none of the system roles fit a particular job function — for example, a “Security Reviewer” who can view audit logs and security settings but cannot modify them.

Roles can be assigned through four channels. The first match wins — if a user has a role from SCIM group mapping, that takes precedence over the SSO JIT default.

• Direct assignment. An admin assigns a role to a user in Settings → Team. This is the most explicit method and always takes precedence.
• Invite. When inviting a new user, the inviter picks a role. That role is applied when the invite is accepted.
• SSO JIT provisioning. When a user logs in via SSO for the first time and JIT is enabled, they receive the jit_default_role configured in SSO settings. Group-to-role mapping in the IdP can override this.
• SCIM provisioning. SCIM-provisioned users get the default_role from the SCIM configuration. Group mappings can override this based on IdP group membership.

Before changing a user’s role or modifying a custom role’s permissions, you can preview the impact using the role simulation feature. This lets you see exactly what would change without actually applying it.

• What changes. The simulation shows which permissions would be added, which would be removed, and which stay the same.
• Affected users. When editing a custom role, the simulation shows how many users currently have that role and would be affected by the change.
• Scope. Simulations can be run against the full team to understand the blast radius of a role change.

Simulations are available in the dashboard under Settings → Roles & Permissions → Simulate. Simulation results are saved with a timestamp and can be referenced later in audit logs.

• User has fewer permissions than expected. Check if the user’s role was overridden by SCIM or SSO group mapping. Look at the user’s profile in Settings → Team to see which role they have and how it was assigned (direct, SSO, or SCIM).
• Custom role not taking effect. Changes to a custom role’s permissions are picked up on the next login. Have the user log out and back in to refresh their permissions.
• API key returning 403 for actions the user can do in the dashboard. API key permissions are a subset of the user’s role permissions. Check the scopes granted when the API key was created.
• MFA required but user has no MFA set up. If a custom role requires MFA and the user hasn’t enrolled, they are prompted to set up MFA on their next login. Until they do, their access is limited to profile settings.
• Cannot delete a system role. System roles (Owner, Admin, Developer, Analyst, Billing Admin) are built-in and cannot be modified or deleted. Create a custom role instead.