Roles & Permissions

NuxtBase ships with two different permission layers:

  • organization roles
  • named platform roles

Do not merge them mentally. They solve different problems.

The shipped organization model includes:

  • owner
  • admin
  • member

These are defined in the Better Auth organization access configuration in:

server/utils/auth.ts

The current customization in that file adds explicit project statements for:

  • owner
  • admin

member keeps the default organization statements and does not get those extra project mutation permissions.

The template also uses a named platform-level role:

  • platform_admin

This role is stored in the user role string and handled through:

shared/utils/roles.ts

That helper normalizes comma-separated named roles and powers checks such as:

  • admin route access
  • admin shortcut visibility
  • bootstrap grant behavior

Use this mental model:

  • organization roles control what a user can do inside one organization
  • platform_admin controls platform-wide admin access

An organization owner is not automatically a platform admin.
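The two layers as separate checks, in an added example that is not NuxtBase's own code: it parses a comma-separated role string into exact role names and keeps the platform check independent of the organization role. The helper names, the SessionUser shape and the trimming behavior are assumptions, not the contents of shared/utils/roles.ts.

```typescript
// Added example: hypothetical helpers, not the project's shared/utils/roles.ts.
type OrgRole = "owner" | "admin" | "member";

interface SessionUser {
  id: string;
  role: string | null; // comma-separated named platform roles
}

// Split the stored role string into exact, trimmed role names (assumed normalization).
function parseRoles(raw: string | null | undefined): Set<string> {
  const roles = new Set<string>();
  for (const part of (raw ?? "").split(",")) {
    const name = part.trim();
    if (name !== "") roles.add(name);
  }
  return roles;
}

// Exact membership test; a substring match would accept "not_platform_admin".
function hasPlatformRole(user: SessionUser, role: string): boolean {
  return parseRoles(user.role).has(role);
}

// Organization layer: only owner and admin get project mutation rights.
function canMutateProject(orgRole: OrgRole | null): boolean {
  return orgRole === "owner" || orgRole === "admin";
}

// Platform layer: the organization role is deliberately ignored here.
function canAccessAdminRoute(user: SessionUser, _orgRole: OrgRole | null): boolean {
  return hasPlatformRole(user, "platform_admin");
}

// Constructed sample users.
const orgOwner: SessionUser = { id: "u1", role: "user" };
const operator: SessionUser = { id: "u2", role: " user, platform_admin " };
const lookalike: SessionUser = { id: "u3", role: "not_platform_admin" };
```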

If you plan to customize permissions, check all three layers together:

  1. Better Auth access-control config in server/utils/auth.ts
  2. server guards such as organization-manager or platform-admin checks
  3. UI branches that hide or show actions based on the current role

If you update only one layer, the app quickly becomes inconsistent.