Permissions
// Model
VentryShield does not ship predefined roles — every collaborator on an application is granted a set of fine-grained toggles. Each feature has a separate See and Manage permission, so you can give a junior collaborator read-only access without exposing destructive actions.
// Available permissions
- LIC
SeeLicenses/ManageLicenses - USR
SeeUsers/ManageUsers - LOG
SeeLogs/ManageLogs - VAR
SeeVariables/ManageVariables - SEC
SeeSecuritySettings/ManageSecuritySettings - DIS
SeeDiscoverSettings/ManageDiscoverSettings - APP
ManageApplication— rename, freeze, delete the app. - TEAM
ManageTeam— invite, kick, edit permissions. - LIB
GenerateLibrary— produce SDK bundles.
// The owner role
The owner of an application implicitly holds every permission. The owner is the only role that can transfer ownership or delete the application. There is exactly one owner per application at any time.
// Sync rule
Disabling a See permission automatically disables the matching Manage permission — you cannot manage what you cannot see. This is enforced in the permissions editor on the Team page.
// Where they are checked
Permission gates run client-side as soon as the application loads, so unauthorized pages render an AccessLoader with a message rather than fetching protected data. The backend re-enforces every permission, so the dashboard cannot be bypassed by editing local state.