Teams group platform users who share the same access requirements. You assign roles to teams rather than individual users, and all team members inherit those permissions.
When a platform user makes a request, Reeflow resolves their permissions through their team memberships:
Identify teams: Find all teams the user belongs to.
Check admin status: If the user belongs to the admin team, grant full admin permissions. Skip remaining steps.
Collect roles: Gather all roles assigned to all of the user’s teams.
Resolve permissions: Follow the standard role resolution process: filter assumable roles, merge permissions, and resolve user attributes.
Because permissions merge using union semantics, a user with multiple team memberships accumulates access from all teams. Adding a user to more teams never reduces their access.
Engineering team: Has a role granting retrieve and update on connections
Analytics team: Has a role granting query on connections with table-level restrictions
The user’s effective permissions include both: they can view and modify connection settings (from Engineering) and run queries against allowed tables (from Analytics).
Every organization has a single admin team called Admin, created automatically when you create the organization. Members of the admin team have full permissions to all resources: Reeflow skips role resolution entirely and grants access to every action on every resource.
Use the admin team for:
Organization administrators who need unrestricted access
Initial setup before you configure granular roles
The admin team is system-managed. You can add or remove members (but at least one member must remain), and you cannot delete the team, change its name, or remove its admin status.
Team members inherit permissions from the roles assigned to their teams. When a user belongs to multiple teams, their effective permissions are the union of all inherited permissions. The permission merging rules apply: if any team grants an action, the user can perform it.
When roles assigned to teams have fixed user attributes, those values apply to all team members during role resolution. This lets you set organization-wide defaults through team role assignments.