Team-Based Authorization in faynoSync — Manage Your Team Like a Pro
Managing a team of developers? Need to control who can do what in your faynoSync instance? Starting from version 1.4.0, faynoSync introduces a powerful Team Based Authorization Matrix that gives you complete control over your team's access and permissions.
This is role-based access control (RBAC) built for an update server: one administrator owns an isolated set of team users, each team user gets granular permissions per resource type, and no administrator can ever see another's data. This post walks through the model end to end, with copy-paste API calls verified against the Team Based Authorization docs.
What is Team-Based Authorization? 🤔
Think of it as your team's digital headquarters! The Team Based Authorization Matrix is a sophisticated system that lets you:
- 👨‍💼 Create and manage team users
- 🔐 Assign specific permissions
- 🏢 Keep data isolated between different teams
- 📊 Track who can do what
Every team user belongs to exactly one administrator, and everything a team user creates is automatically owned by that administrator. There is no shared global namespace — isolation is the default, not an add-on.
Meet the Players 🎭
The Administrator 👑
- You're the boss! Each admin is unique
- You own your team of users
- You can create, update, and delete your team members
- You have full control over passwords and permissions
- You can only access your own team's resources
The Team User 👤
- A unique member of your team
- Belongs only to you (their admin)
- Can't manage other users — the entire user-management API is off-limits to them
- Can only work with resources you've allowed
- Everything they create belongs to you
When a team user with the Create permission creates a resource, that resource is automatically added to their list of allowed resources — so they can immediately work with what they just made, and nothing else.
What Can Your Team Do? 🛠️
Each team member can have different permissions for different types of resources:
Resource Types:
- 📱 Applications (apps)
- 📊 Channels (channels)
- 💻 Platforms (platforms)
- 🏗️ Architectures (archs)
Available Permissions:
- ➕ Create
- ✏️ Edit
- 🗑️ Delete
- ⬆️ Upload (apps only)
- ⬇️ Download (apps only)
Permissions reference
upload and download apply only to apps; channels, platforms, and architectures expose just create/edit/delete. Each resource block also carries an allowed array — the list of specific resource IDs the user may act on.
| Resource | create | edit | delete | upload | download | allowed |
|---|---|---|---|---|---|---|
| apps | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| channels | ✅ | ✅ | ✅ | — | — | ✅ |
| platforms | ✅ | ✅ | ✅ | — | — | ✅ |
| archs | ✅ | ✅ | ✅ | — | — | ✅ |
Smart Resource Management 🧠
- 🔒 Team users can only see and use resources they've been given access to
- 🏢 Each admin's resources are completely separate
- 👀 You (as admin) can see everything your team creates
- 📝 Different teams can have resources with the same names
That last point matters in practice: two different administrators can both own an app called myapp, a stable channel, or a linux platform without any collision — names are unique only within an administrator's scope, never globally.
The owner query parameter
Because resource names are no longer globally unique, the public read endpoints need to know whose myapp you mean. Two endpoints now require an owner query parameter — the administrator's account name:
- GET /checkVersion
- GET /apps/latest

```bash
curl 'http://localhost:9000/checkVersion?app_name=myapp&version=1.0.0&channel=stable&platform=darwin&arch=arm64&owner=admin'
```
If you build update-check URLs in your client or CI, make sure owner is part of them — otherwise the server can't resolve the right scope. See Fetch Latest Version of App for how these links are constructed.
How to Manage Your Team? 🎯
Option 1: Using the API
Creating a Team User
POST /user/create takes a username, a password, and a full permissions object. Here's a complete, valid request — teamuser1 can create and edit apps and download their artifacts, but can't delete or upload:
```bash
curl -X POST 'http://localhost:9000/user/create' \
  -H 'Authorization: Bearer <jwt_token>' \
  -H 'Content-Type: application/json' \
  -d '{
    "username": "teamuser1",
    "password": "password123",
    "permissions": {
      "apps": { "create": true, "edit": true, "delete": false, "upload": false, "download": true, "allowed": [""] },
      "channels": { "create": true, "edit": true, "delete": false, "allowed": [""] },
      "platforms": { "create": true, "edit": true, "delete": false, "allowed": [""] },
      "archs": { "create": true, "edit": true, "delete": false, "allowed": [""] }
    }
  }'
```

```json
{ "message": "Team user created successfully" }
```
The allowed array holds the resource IDs the user can act on. Leaving it empty means "no pre-granted resources" — but with create: true, anything the user creates is added to allowed automatically.
Updating Permissions
POST /user/update replaces the user's credentials and permission set. Here we revoke create on apps but grant delete and upload, and widen the allowed list. The same request also turns on delete for channels:
```bash
curl -X POST 'http://localhost:9000/user/update' \
  -H 'Authorization: Bearer <jwt_token>' \
  -H 'Content-Type: application/json' \
  -d '{
    "username": "teamuser1",
    "password": "password1234",
    "permissions": {
      "apps": { "create": false, "edit": true, "delete": true, "upload": true, "download": true, "allowed": ["<app_id_1>", "<app_id_2>"] },
      "channels": { "create": true, "edit": true, "delete": true, "allowed": [""] },
      "platforms": { "create": true, "edit": true, "delete": false, "allowed": [""] },
      "archs": { "create": true, "edit": true, "delete": false, "allowed": [""] }
    }
  }'
```

```json
{ "message": "Team user updated successfully" }
```
Permission and password changes take effect immediately. Full reference: Create User and Update User.
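Because /user/update replaces the whole permission set and takes effect immediately, it is worth diffing the old and new objects before sending the request. The Python below is an added example, not part of faynoSync or its docs; the function names are hypothetical, and the sample data is the two permissions objects from the requests above.

```python
import json

FLAGS = ("create", "edit", "delete", "upload", "download")

# "permissions" objects copied from the /user/create and /user/update requests above.
CREATE_PERMS = json.loads("""{
  "apps": {"create": true, "edit": true, "delete": false, "upload": false, "download": true, "allowed": [""]},
  "channels": {"create": true, "edit": true, "delete": false, "allowed": [""]},
  "platforms": {"create": true, "edit": true, "delete": false, "allowed": [""]},
  "archs": {"create": true, "edit": true, "delete": false, "allowed": [""]}}""")
UPDATE_PERMS = json.loads("""{
  "apps": {"create": false, "edit": true, "delete": true, "upload": true, "download": true,
           "allowed": ["<app_id_1>", "<app_id_2>"]},
  "channels": {"create": true, "edit": true, "delete": true, "allowed": [""]},
  "platforms": {"create": true, "edit": true, "delete": false, "allowed": [""]},
  "archs": {"create": true, "edit": true, "delete": false, "allowed": [""]}}""")


def capabilities(perms):
    """Flatten a permissions object into a set like {'apps.edit', 'apps.allowed:<id>'}."""
    caps = set()
    for rtype, block in perms.items():
        caps |= {f"{rtype}.{flag}" for flag in FLAGS if block.get(flag) is True}
        # The "" entry used in the requests is a placeholder, not a resource ID.
        caps |= {f"{rtype}.allowed:{rid}" for rid in block.get("allowed", []) if rid}
    return caps


def diff(old, new):
    """Return (granted, revoked) capability lists for an update that replaces `old`."""
    before, after = capabilities(old), capabilities(new)
    return sorted(after - before), sorted(before - after)


def off_matrix(perms):
    """Flags the permissions table does not define: upload/download outside apps."""
    return sorted(f"{rtype}.{flag}" for rtype, block in perms.items() if rtype != "apps"
                  for flag in ("upload", "download") if flag in block)


if __name__ == "__main__":
    granted, revoked = diff(CREATE_PERMS, UPDATE_PERMS)
    print("granted:", granted)
    print("revoked:", revoked)
    print("off-matrix:", off_matrix(UPDATE_PERMS))
```

Run on the two requests above, it reports channels.delete as granted alongside the apps changes, which is the kind of side effect a full-replacement update can hide.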
Option 2: Using the Web Dashboard 🖥️
Prefer a more visual approach? The faynoSync dashboard makes team management a breeze!
For Administrators:
- Click the Settings button in the dashboard
- A modal window will open where you can:
  - 👥 Create new team users
  - 🔑 Set passwords (or auto-generate them)
  - ✅ Assign permissions with simple checkboxes
  - ✏️ Update usernames and passwords
  - 🗑️ Remove team users
For Team Users:
- Go to your Profile section
- View your current permissions at a glance:
  - 📱 Which applications you can access
  - 📊 What actions you can perform
  - 🔒 What resources are available to you
This visual interface makes it much easier to:
- 🎯 Understand your permissions
- 🔄 Manage team access
- 📊 Track resource availability
- ⚡ Make quick changes
Expected behavior at a glance
| Action | Team User | Administrator |
|---|---|---|
| Create resources | ✅ (within admin scope) | ✅ |
| Edit resources | ✅ (only own admin's) | ✅ |
| Delete resources | ✅ (only own admin's) | ✅ |
| Manage users | ❌ | ✅ |
| Access user API | ❌ | ✅ |
| Access other admins' data | ❌ | ❌ |
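The rules in this table and in the permissions reference can be written down as a small decision model. The Python below is an added example, not faynoSync's own code: the Resource and TeamUser types and the can/create functions are hypothetical, and requiring both the flag and an entry in allowed is this example's reading of the rules described in this post.

```python
from dataclasses import dataclass, field

APPS_ONLY = {"upload", "download"}             # per the permissions table on this page
ACTIONS = {"edit", "delete"} | APPS_ONLY       # actions on an existing resource


@dataclass
class Resource:                                # hypothetical type for this example
    id: str
    rtype: str                                 # "apps", "channels", "platforms", "archs"
    name: str
    owner: str                                 # administrator account name


@dataclass
class TeamUser:                                # hypothetical type for this example
    name: str
    owner: str                                 # the one administrator this user belongs to
    perms: dict = field(default_factory=dict)  # same shape as the API "permissions" object


def can(user, action, res):
    """Assumed rule: same administrator, flag enabled, and ID listed in `allowed`."""
    if res.owner != user.owner or action not in ACTIONS:
        return False                           # other admins' data is never reachable
    if action in APPS_ONLY and res.rtype != "apps":
        return False                           # upload/download exist only for apps
    block = user.perms.get(res.rtype, {})
    allowed = [rid for rid in block.get("allowed", []) if rid]  # skip "" placeholder
    return block.get(action) is True and res.id in allowed


def create(user, rtype, name, new_id):
    """A team user's new resource is owned by the admin and auto-added to `allowed`."""
    block = user.perms.get(rtype, {})
    if block.get("create") is not True:
        raise PermissionError(f"{user.name} may not create {rtype}")
    block.setdefault("allowed", []).append(new_id)
    return Resource(new_id, rtype, name, owner=user.owner)


def sample_user():
    """Constructed sample: teamuser1 with the apps block from the create request."""
    return TeamUser("teamuser1", "admin", {"apps": {
        "create": True, "edit": True, "delete": False,
        "upload": False, "download": True, "allowed": [""]}})


if __name__ == "__main__":
    u = sample_user()
    app = create(u, "apps", "myapp", "app-1")            # constructed ID
    twin = Resource("app-2", "apps", "myapp", "admin2")  # same name, other admin
    print(can(u, "edit", app), can(u, "delete", app), can(u, "edit", twin))
```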
How team permissions reach the rest of faynoSync
The same apps.download permission and the team user's allowed apps gate more than artifact downloads. The report ingestion read API — GET /reports/groups — is also gated by CheckPermission(download, apps), so a team user only sees rollout-health reports for apps in their allowed_apps. The same scoping idea applies across telemetry views: team users can read stats but only filter resources they have access to. One permission model, enforced everywhere.
Common questions
A team user can't see an app they should have access to. Check the allowed array for apps — visibility is opt-in. Either add the app's ID to allowed via /user/update, or have the user create the resource themselves (which auto-adds it).
Two teams need an app with the same name. That's fully supported — names are unique per administrator, not globally. Just remember to pass owner on /checkVersion and /apps/latest.
A team user got a 403 on user management. Expected. The entire user API is admin-only; team users cannot create, edit, or delete users, including themselves.
How to try faynoSync?
- Follow the Getting Started guide:
  👉 https://faynosync.com/docs/getting-started
- Create your app using the REST API or web dashboard:
  📦 API Docs: https://faynosync.com/docs/api
  🖥️ Dashboard UI: https://github.com/ku9nov/faynoSync-dashboard
- Upload at least two versions of your application.
- Check for updates with this simple request:
  📡 /info/latest
Related reading
- Private Apps in faynoSync — Keep Your Software Secure
- Fetch Latest Version of App — Smart Update Links
- Rollout Health Reports — Catch Failed Updates Before They Spread
- Team Based Authorization docs
If you find this project helpful, please consider subscribing, leaving a comment, giving it a star, or creating an issue or feature request on GitHub.
Your support keeps the project alive and growing 💚
