Reqflo Docs
Permissions

Admin guide

Configure Reqflo access using open, service-controlled, and restricted patterns.

Admin Guide

Use this guide to configure Reqflo access in a way that keeps normal resources discoverable while protecting risky actions.

When to use Open

Use Open for normal resources that should be discoverable and reusable across the organization.

Good fits:

  • Normal request templates.
  • Normal staging journeys.
  • Internal workflow examples.
  • Reusable components without restricted credentials.
  • Documentation-style resources.

Open works best when the resource has no sensitive execution risk.

When to use Service-controlled

Use Service-controlled when a resource belongs to a specific service and should follow service ownership.

Good fits:

  • Service-owned journeys.
  • Service-owned request templates.
  • Service-managed components.
  • Service-specific mocks.
  • Service-scoped configurations.

Service-controlled resources use service-team roles for ownership, maintenance, running, and viewing.

When to use Restricted

Use Restricted when a resource can access credentials, production systems, sensitive data, destructive actions, privileged scopes, or external system configuration.

Good fits:

  • Production credentials.
  • Production environments.
  • Secret-backed components.
  • OAuth scope management.
  • Destructive workflows.
  • Mutating production runs.
  • Restricted support runbooks.
  • Billing, SSO, SCIM, and integration administration.

When to use groups

Use groups for department, function, team, support tier, QA team, security team, or identity-provider-managed access.

Examples:

  • Support Tier 2
  • QA Platform
  • Security Admins
  • Release Managers
  • Payments Support Leads

Groups are easier to review than individual exceptions.

When to use service teams

Use service teams for service ownership and service-scoped maintenance.

Examples:

  • Checkout service team.
  • Payments service team.
  • Identity and KYC service team.
  • Platform service team.

Service teams should answer: "Who owns this service?"

When to use individual users

Use individual user grants for:

  • Temporary exceptions.
  • Small teams without stable groups.
  • Break-glass cases.
  • Short-lived migration or setup work.

Review individual grants regularly and remove them when the exception is no longer needed.

  • Prefer groups over individual user grants.
  • Keep normal resources open.
  • Restrict execution risk rather than discovery.
  • Use service teams for ownership.
  • Use groups for cross-functional access.
  • Keep secrets and OAuth scopes tightly controlled.
  • Review production and destructive access regularly.
  • Use clear group names that match real operational responsibilities.
  • Make access explanations visible to users when actions are blocked.

Suggested setup path

  1. Start with org roles for core administrators.
  2. Connect SCIM if identity-provider managed access is needed.
  3. Map identity-provider groups to Reqflo groups.
  4. Create service teams for owned services.
  5. Assign groups to service teams.
  6. Keep normal resources open or service-controlled.
  7. Mark credentials, production targets, destructive workflows, and privileged configs as restricted.
  8. Test denial messages for common blocked actions.

How access is evaluated

Follow the decision flow Reqflo uses to allow or deny access.

Permission examples

Practical examples for configuring common Reqflo access patterns.

On this page

Admin GuideWhen to use OpenWhen to use Service-controlledWhen to use RestrictedWhen to use groupsWhen to use service teamsWhen to use individual usersRecommended practicesSuggested setup path