# Access and permissions

> How terminal permissions are derived from team role, project ownership, per-user grants, and platform admin, and what each permission unlocks.

<Tip>
  **Live.** This area is documented as current, user-reliable behavior.
</Tip>

## Goal

Know exactly what you can do in the terminal for a given project and how an owner or admin can widen or narrow that.

## Prerequisites

* Be a member, admin, or owner of the project (or its team)

## Workflow

<Steps>
  <Step>
    Your effective permissions are computed per project from your role, then adjusted by per-user grants and global denies.
  </Step>

  <Step>
    Owners and admins (and any non-team personal project) receive every terminal permission.
  </Step>

  <Step>
    Plain team members receive a limited default set and must be granted more for anything else.
  </Step>

  <Step>
    An owner or admin can grant or deny individual permissions per user in the terminal policy/grants panel.
  </Step>
</Steps>

## Role defaults

* Owner / Admin (and personal, non-team projects): all terminal permissions.
* Team member: only terminal.session\_nonproduction, terminal.execute\_runbooks, and database.query\_read.
* Platform administrators: all terminal permissions on any project.

## Permissions and what they unlock

* terminal.session\_nonproduction / terminal.session\_production: open app shells in non-production / production environments.
* terminal.approve\_production: review and approve other users’ production access requests.
* terminal.view\_history / terminal.view\_recording / terminal.download\_recording: read session history and view or download recordings.
* terminal.file\_read / terminal.file\_write: browse/download and upload/mutate files in a session.
* terminal.volume\_write: allow writable volumes in ephemeral sessions.
* terminal.manage\_runbooks / terminal.execute\_runbooks: author/publish runbooks / run published runbooks.
* database.shell: open an interactive database shell.
* database.query\_read / database.query\_write / database.export: run read / write queries and export from the database workbench.
* terminal.manage\_policy: edit the project terminal policy, manage grants, and revoke sessions.

## Grants and denies

Per-user grants (allow or deny) are layered on top of role defaults for a specific project, and a global deny always wins. To give a member production access, an owner/admin grants terminal.session\_production to that user in the grants panel (this requires terminal.manage\_policy).

## Expected result

<Check>
  You can predict whether an action will be allowed, and an owner/admin knows how to adjust it.
</Check>

## Common failures

<Warning>
  * terminal permission denied: you lack the required session permission for the target’s environment (commonly terminal.session\_production).
  * terminal access denied: you have no terminal session permission at all for this project.
</Warning>
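The resolution described under "Grants and denies" and the two failure messages above can be modelled as follows. This is an added example, not StackShift code: the function names are hypothetical, and it assumes the order role defaults, then per-user grants, then global denies, with global denies applying to every role.

```python
# Added illustration: effective_permissions and open_shell are hypothetical
# names, not StackShift APIs. Permission strings are the ones listed on this page.
ALL_PERMISSIONS = frozenset({
    "terminal.session_nonproduction", "terminal.session_production",
    "terminal.approve_production", "terminal.view_history",
    "terminal.view_recording", "terminal.download_recording",
    "terminal.file_read", "terminal.file_write", "terminal.volume_write",
    "terminal.manage_runbooks", "terminal.execute_runbooks",
    "database.shell", "database.query_read", "database.query_write",
    "database.export", "terminal.manage_policy",
})
MEMBER_DEFAULTS = frozenset({
    "terminal.session_nonproduction", "terminal.execute_runbooks",
    "database.query_read",
})
SESSION = {"production": "terminal.session_production",
           "nonproduction": "terminal.session_nonproduction"}


def effective_permissions(role, grants=None, global_denies=(),
                          personal_project=False, platform_admin=False):
    """Role defaults, then per-user grants, then global denies (assumed order)."""
    if platform_admin or personal_project or role in ("owner", "admin"):
        perms = set(ALL_PERMISSIONS)
    elif role == "member":
        perms = set(MEMBER_DEFAULTS)
    else:
        perms = set()  # no role on the project: nothing by default
    for perm, effect in (grants or {}).items():
        if perm not in ALL_PERMISSIONS:
            raise ValueError(f"unknown permission: {perm}")
        if effect == "allow":
            perms.add(perm)
        elif effect == "deny":
            perms.discard(perm)
        else:
            raise ValueError(f"unknown effect: {effect}")
    # A global deny always wins, so it is applied last.
    return perms - set(global_denies)


def open_shell(perms, environment):
    """Return 'ok' or the failure message this page lists for the case."""
    if not perms & set(SESSION.values()):
        return "terminal access denied"      # no session permission at all
    if SESSION[environment] not in perms:
        return "terminal permission denied"  # lacks this environment's permission
    return "ok"
```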

## Related guides

<CardGroup cols={2}>
  <Card title="Production safeguards and approvals" href="/terminal/production-safeguards">
    How a target’s environment is classified, why production access is gated, and the reason/approval flow members must follow.
  </Card>

  <Card title="Roles and collaboration expectations" href="/team-and-access/roles-and-collaboration">
    Understand owner-, admin-, and member-style collaboration capabilities in the current team model.
  </Card>

  <Card title="Terminal workspace overview" href="/terminal/overview">
    The per-project operations workspace where you open application and database shells, run runbooks and commands, and review session history and recordings.
  </Card>
</CardGroup>
