Resource access
Understand access modes, visibility, and actions for Reqflo resources.
Resources in Reqflo have visibility, access mode, risk level, and action permissions.
Access mode controls how Reqflo decides who can view, use, run, edit, or administer a resource.
Access modes
Open
Everyone in the organization can view and use the resource unless a restricted dependency is required.
Open is recommended for:
- Normal request templates.
- Normal journeys.
- Normal reusable components.
- Internal documentation-style resources.
Open does not mean unsafe. A normal journey can be open while production credentials or destructive execution remain restricted.
Service-controlled
Access follows the related service's ownership and service-team roles.
Service-controlled is recommended for:
- Service-specific journeys.
- Service-owned components.
- Service-managed configurations.
- Resources that should be maintained by a specific owning team.
Restricted
Only selected users, groups, service teams, or roles can perform the protected action.
Restricted is recommended for:
- Production credentials.
- Sensitive auth configs.
- Destructive workflows.
- Mutating production runs.
- Restricted support runbooks.
- OAuth scope management.
- Secret-backed components.
Visibility
Visibility controls discovery.
Org-visible
Organization members can discover the resource and see its safe metadata.
Restricted visibility
Only selected principals can see the resource.
Use restricted visibility when the existence or metadata of the resource is itself sensitive.
Actions
Reqflo evaluates permissions by action.
| Action | Meaning |
|---|---|
| view | See the resource or its metadata |
| create | Create a new resource |
| update | Modify the resource |
| delete | Remove the resource |
| run | Execute a runnable resource |
| use | Use the resource as a dependency |
| attach | Attach a resource to another resource |
| manage_access | Change who can access the resource |
| manage_scopes | Change OAuth scopes or equivalent privileges |
| manage_secrets | Create, rotate, or manage secret-backed values |
| manage_billing | Manage plan, billing, invoices, usage, or payment details |
| manage_users | Invite users, change user roles, or manage membership |
| manage_sso | Configure single sign-on |
| manage_scim | Configure SCIM provisioning and group sync |
| manage_integrations | Configure external integrations |
View is not use
A user may be able to view a resource but not use it.
Examples:
- View a restricted OAuth component but not attach it.
- View a production environment but not run workflows against it.
- View a journey but not execute it because it depends on a restricted credential.
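The following is an added example, not Reqflo's own code or API: a minimal Python model of per-action evaluation showing how an open journey stays viewable while `run` is denied through a restricted dependency. Assumptions: the `Resource` class, the `is_allowed` function, the mode strings, the user and resource names, and the choice that open mode grants `use` and `run` org-wide while other actions need an explicit grant.

```python
from dataclasses import dataclass, field

# Assumption: actions that "open" grants to every organization member.
OPEN_ACTIONS = {"use", "run"}
# Actions that pull in the resource's dependencies.
DEPENDENT_ACTIONS = {"use", "run"}

@dataclass
class Resource:  # hypothetical model, not a Reqflo type
    name: str
    mode: str = "open"            # "open" | "service_controlled" | "restricted"
    org_visible: bool = True      # False models restricted visibility
    team: set = field(default_factory=set)        # owning service team members
    grants: dict = field(default_factory=dict)    # action -> set of principals
    depends_on: list = field(default_factory=list)

def granted(user, action, res):
    return user in res.grants.get(action, set())

def is_allowed(user, action, res):
    # Visibility controls discovery and is decided separately from access mode.
    if action == "view":
        return res.org_visible or granted(user, "view", res)
    if res.mode == "open":
        ok = action in OPEN_ACTIONS or granted(user, action, res)
    elif res.mode == "service_controlled":
        ok = user in res.team
    else:
        # "restricted" and any unknown mode fail closed: explicit grant only.
        ok = granted(user, action, res)
    # An allowed use/run still needs "use" on every dependency, transitively.
    if ok and action in DEPENDENT_ACTIONS:
        ok = all(is_allowed(user, "use", dep) for dep in res.depends_on)
    return ok

# Constructed sample resources and principals.
prod_cred = Resource("prod-api-credential", mode="restricted",
                     grants={"use": {"oncall"}})
journey = Resource("checkout-journey", mode="open", depends_on=[prod_cred])
runbook = Resource("incident-runbook", mode="restricted", org_visible=False,
                   grants={"view": {"oncall"}, "run": {"oncall"}})
component = Resource("payments-component", mode="service_controlled",
                     team={"pay-dev"})

if __name__ == "__main__":
    for user in ("alice", "oncall"):
        for action in ("view", "run"):
            print(user, action, journey.name, is_allowed(user, action, journey))
```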
Recommended defaults
| Resource type | Recommended access mode |
|---|---|
| Normal journey | Open or service-controlled |
| Normal request template | Open or service-controlled |
| Service-owned component | Service-controlled |
| Production auth config | Restricted |
| Secret-backed component | Restricted |
| Destructive workflow | Restricted |
| Integration connection | Restricted |
| Billing setting | Restricted |