Skip to main content
Live. This area is documented as current, user-reliable behavior.

Goal

Know exactly what you can do in the terminal for a given project and how an owner or admin can widen or narrow that.

Prerequisites

  • Be a member, admin, or owner of the project (or its team)

Workflow

1
Your effective permissions are computed per project from your role, then adjusted by per-user grants and global denies.
2
Owners and admins (and any non-team personal project) receive every terminal permission.
3
Plain team members receive a limited default set and must be granted more for anything else.
4
An owner or admin can grant or deny individual permissions per user in the terminal policy/grants panel.

Role defaults

  • Owner / Admin (and personal, non-team projects): all terminal permissions.
  • Team member: only terminal.session_nonproduction, terminal.execute_runbooks, and database.query_read.
  • Platform administrators: all terminal permissions on any project.

Permissions and what they unlock

  • terminal.session_nonproduction / terminal.session_production: open app shells in non-production / production environments.
  • terminal.approve_production: review and approve other users’ production access requests.
  • terminal.view_history / terminal.view_recording / terminal.download_recording: read session history and view or download recordings.
  • terminal.file_read / terminal.file_write: browse/download and upload/mutate files in a session.
  • terminal.volume_write: allow writable volumes in ephemeral sessions.
  • terminal.manage_runbooks / terminal.execute_runbooks: author/publish runbooks / run published runbooks.
  • database.shell: open an interactive database shell.
  • database.query_read / database.query_write / database.export: run read / write queries and export from the database workbench.
  • terminal.manage_policy: edit the project terminal policy, manage grants, and revoke sessions.

Grants and denies

Per-user grants (allow or deny) are layered on top of role defaults for a specific project, and a global deny always wins. To give a member production access, an owner/admin grants terminal.session_production to that user in the grants panel (this requires terminal.manage_policy).

Expected result

You can predict whether an action will be allowed, and an owner/admin knows how to adjust it.

Common failures

  • terminal permission denied: you lack the required session permission for the target’s environment (commonly terminal.session_production).
  • terminal access denied: you have no terminal session permission at all for this project.

Production safeguards and approvals

How a target’s environment is classified, why production access is gated, and the reason/approval flow members must follow.

Roles and collaboration expectations

Understand owner, admin, and member style collaboration capabilities in the current team model.

Terminal workspace overview

The per-project operations workspace where you open application and database shells, run runbooks and commands, and review session history and recordings.