Reference
Permissions reference
The permission keys Task Machine enforces and the roles that carry them.
Every action in a workspace is gated by a permission, and every member — person or agent — carries a role that holds a set of those permissions. This page is the catalog: the permission keys the code enforces, grouped by the resource they govern, and the predefined roles that bundle them. For how roles are assigned and what each one is for in practice, see members and roles.
Permissions come from a fixed catalog of stable keys, and the five predefined roles are built from that same catalog. The user interface hides actions a role cannot perform rather than showing disabled controls, but that hiding is a convenience, not a control: Task Machine checks the permission again when the action runs, and that check is the security boundary. A request that skips the UI is refused by the same check, so an audit of what a role can do should start from this catalog, not from what the interface shows.
Permission keys
Permission keys follow a resource:action shape. The common actions are read to view, create and update to author and edit, and manage for administrative control over a resource; some resources add narrower keys for specific operations.
| Key | Grants |
|---|---|
| workspace:update | Manage workspace identity, settings, and local runtime configuration. |
| member:read | View workspace members, roles, and member picker results. |
| member:invite | Send workspace invitations. |
| member:manage | Update workspace membership status and member details. |
| role:assign | Change member role assignments. |
| project:read | View workspace projects and project-scoped work. |
| project:manage | Create, update, archive, and configure projects. |
| task:read | View tasks, comments, labels, dependencies, and timelines. |
| task:create | Create tasks and task attachments. |
| task:update | Edit tasks, comments, dependencies, attachments, and timelines. |
| task:assign | Assign tasks to humans or agents. |
| task:manage | Perform advanced task administration. |
| goal:read | View goals and linked task progress. |
| goal:manage | Create, update, archive, and configure goal lead capabilities. |
| agent:read | View agent profiles and agent execution metadata. |
| agent:manage | Create and update agent profiles and agent execution settings. |
| agent:run | Allow agents to execute assigned work. |
| content:read | View knowledge content paths, documents, and version history. |
| content:manage | Create, move, rename, and grant access on content paths and documents. |
| skill:read | View workspace skills and installed skill versions. |
| skill:create | Create Task Machine-authored workspace skills. |
| skill:update | Edit local skills and skill metadata. |
| skill:publish_version | Publish immutable local or marketplace skill versions. |
| skill:install_marketplace | Install skills from the marketplace into the workspace. |
| skill:assign_agent | Attach skill versions to workspace agents. |
| skill:archive | Archive workspace skills without deleting artifacts. |
| mcp:read | View the workspace connector catalog and agent assignments. |
| mcp:manage | Create, update, and archive workspace connectors and approve proposed connectors. |
| mcp:assign_agent | Attach connectors to workspace agents. |
| chat:read | View accessible private and shared agent chats. |
| chat:create | Start private chats with active workspace agents. |
| chat:send | Send prompts in chats with participate access. |
| chat:share | Grant chat access to workspace members and roles. |
| chat:manage | Archive chats and manage chat settings. |
| budget:read | View operational budget limits and budget scopes. |
| budget:manage | Create, update, and archive operational budget limits. |
| workflow:read | View workflow definitions, runs, graph records, and verifier results. |
| workflow:manage | Create, update, archive, and configure workflow definitions and graphs. |
| workflow:run | Start and update workflow runs under tasks. |
| template:install | Install curated template bundles and approve agent-proposed bundle installs. |
Predefined roles
Task Machine ships five system roles. Owner holds every permission in the catalog. Admin holds everything except workspace:update, so an admin can run the work and the team but cannot change workspace-level settings or local runtime configuration. Member is the default for a human collaborator: every read key except budget:read, plus task:create, task:update, chat:create, chat:send, and workflow:run. Agent is the default for an automated member: the same collaboration scope as Member, plus agent:run, minus member:read, so an agent cannot enumerate the member directory. Viewer holds the read keys a Member holds and nothing else; like Member, it cannot see budgets.
The matrix below maps each predefined role to the keys it carries.
| Permission | Owner | Admin | Member | Agent | Viewer |
|---|---|---|---|---|---|
| workspace:update | yes | | | | |
| member:read | yes | yes | yes | | yes |
| member:invite | yes | yes | | | |
| member:manage | yes | yes | | | |
| role:assign | yes | yes | | | |
| project:read | yes | yes | yes | yes | yes |
| project:manage | yes | yes | | | |
| task:read | yes | yes | yes | yes | yes |
| task:create | yes | yes | yes | yes | |
| task:update | yes | yes | yes | yes | |
| task:assign | yes | yes | | | |
| task:manage | yes | yes | | | |
| goal:read | yes | yes | yes | yes | yes |
| goal:manage | yes | yes | | | |
| agent:read | yes | yes | yes | yes | yes |
| agent:manage | yes | yes | | | |
| agent:run | yes | yes | | yes | |
| content:read | yes | yes | yes | yes | yes |
| content:manage | yes | yes | | | |
| skill:read | yes | yes | yes | yes | yes |
| skill:create | yes | yes | | | |
| skill:update | yes | yes | | | |
| skill:publish_version | yes | yes | | | |
| skill:install_marketplace | yes | yes | | | |
| skill:assign_agent | yes | yes | | | |
| skill:archive | yes | yes | | | |
| mcp:read | yes | yes | yes | yes | yes |
| mcp:manage | yes | yes | | | |
| mcp:assign_agent | yes | yes | | | |
| chat:read | yes | yes | yes | yes | yes |
| chat:create | yes | yes | yes | yes | |
| chat:send | yes | yes | yes | yes | |
| chat:share | yes | yes | | | |
| chat:manage | yes | yes | | | |
| budget:read | yes | yes | | | |
| budget:manage | yes | yes | | | |
| workflow:read | yes | yes | yes | yes | yes |
| workflow:manage | yes | yes | | | |
| workflow:run | yes | yes | yes | yes | |
| template:install | yes | yes | | | |
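As an added example, not Task Machine's own code, the Python module below transcribes the key catalog and the five roles from the two tables above into data, derives each role from the catalog the way the role descriptions state it, and places a deny-by-default check at the point where an action runs rather than in the UI. The function names, the lower-case role strings and the guarded update_workspace_settings action are assumptions for illustration and not Task Machine's API. matrix_row reproduces one row of the matrix above so the derivation can be cross-checked against the page, and covering_roles is a least-privilege helper: given the keys an agent or integration actually needs, it lists the predefined roles that hold all of them, smallest grant set first.

```python
"""Deny-by-default permission check over the Task Machine permission catalog.

Added example, not Task Machine's own code. The keys and role grants are
transcribed from the reference tables; the function names, the role name
strings and the guarded action are assumptions made for illustration.
"""

# Catalog: resource -> actions, the 40 keys in the reference table.
CATALOG: dict[str, frozenset[str]] = {
    "workspace": frozenset({"update"}),
    "member": frozenset({"read", "invite", "manage"}),
    "role": frozenset({"assign"}),
    "project": frozenset({"read", "manage"}),
    "task": frozenset({"read", "create", "update", "assign", "manage"}),
    "goal": frozenset({"read", "manage"}),
    "agent": frozenset({"read", "manage", "run"}),
    "content": frozenset({"read", "manage"}),
    "skill": frozenset({"read", "create", "update", "publish_version",
                        "install_marketplace", "assign_agent", "archive"}),
    "mcp": frozenset({"read", "manage", "assign_agent"}),
    "chat": frozenset({"read", "create", "send", "share", "manage"}),
    "budget": frozenset({"read", "manage"}),
    "workflow": frozenset({"read", "manage", "run"}),
    "template": frozenset({"install"}),
}
ALL_KEYS: frozenset[str] = frozenset(
    f"{resource}:{action}"
    for resource, actions in CATALOG.items()
    for action in actions
)

# Predefined roles, derived from the catalog as the role descriptions state.
_READ_KEYS = frozenset(k for k in ALL_KEYS if k.endswith(":read"))
_MEMBER = (_READ_KEYS - {"budget:read"}) | {
    "task:create", "task:update", "chat:create", "chat:send", "workflow:run",
}
ROLES: dict[str, frozenset[str]] = {
    "owner": ALL_KEYS,
    "admin": ALL_KEYS - {"workspace:update"},
    "member": _MEMBER,
    "agent": (_MEMBER - {"member:read"}) | {"agent:run"},  # no member directory
    "viewer": _MEMBER & _READ_KEYS,
}
ROLE_ORDER = ("owner", "admin", "member", "agent", "viewer")  # matrix column order


class PermissionDenied(Exception):
    """Raised at the enforcement point; a hidden UI control is not the check."""


def is_known_key(key: str) -> bool:
    """True only for a key of resource:action shape that exists in the catalog."""
    resource, sep, action = key.partition(":")
    return bool(sep) and action in CATALOG.get(resource, frozenset())


def has_permission(role: str, key: str) -> bool:
    """Deny by default: unknown roles and unknown or misspelled keys are False."""
    if not is_known_key(key):
        return False
    return key in ROLES.get(role, frozenset())


def require(role: str, key: str) -> None:
    """Enforcement point to call when the action runs, whatever the client showed."""
    if not has_permission(role, key):
        raise PermissionDenied(f"role {role!r} lacks {key}")


def update_workspace_settings(actor_role: str, settings: dict) -> dict:
    """Hypothetical guarded action: only workspace:update holders get past the check."""
    require(actor_role, "workspace:update")
    return {"status": "updated", "settings": dict(settings)}


def matrix_row(key: str) -> tuple[bool, ...]:
    """One row of the role matrix in the page's column order, for cross-checking."""
    return tuple(has_permission(role, key) for role in ROLE_ORDER)


def covering_roles(needed: set[str]) -> list[str]:
    """Predefined roles holding every needed key, smallest grant set first.

    Use it to pick the least-privileged role for a new agent or integration.
    """
    if not all(is_known_key(k) for k in needed):
        raise ValueError("unknown permission key in requirement set")
    fits = [r for r, keys in ROLES.items() if needed <= keys]
    return sorted(fits, key=lambda r: (len(ROLES[r]), r))


if __name__ == "__main__":
    for key in ("workspace:update", "member:read", "agent:run", "budget:read"):
        cells = " ".join("yes" if v else "  -" for v in matrix_row(key))
        print(f"{key:18} {cells}")
    print("roles covering task:read, task:update, agent:run:",
          covering_roles({"task:read", "task:update", "agent:run"}))
```

Two design choices are worth noting. A misspelled or unknown key returns False instead of raising, so a typo in a caller fails closed at runtime; the trade-off is that such typos are easier to catch when a test suite asserts is_known_key for every key the code references. And because the roles are derived from the catalog rather than listed by hand, adding a key to CATALOG grants it to Owner and Admin automatically, which is exactly how the page describes those two roles, while Member, Agent and Viewer only pick it up if it is a read key or is added to the collaboration set explicitly.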
From here
Roles apply equally to people and agents, so an agent's role is the ceiling on what it may do: nothing in its profile, skills, or connectors can grant a key the role does not carry. To assign and change roles, see members and roles. When an action you expect is missing, the cause is usually a role that lacks its key; troubleshooting walks through confirming and fixing that.