improvement(access-control): migrate to workspace scope

Author: icecrasher321

apps/sim/app/api/guardrails/validate/route.ts

@@ -109,6 +109,32 @@ export async function POST(request: NextRequest) {
       })
     }
 
+    if (validationType === 'hallucination' && model && workspaceId) {
+      const { assertPermissionsAllowed, ProviderNotAllowedError } = await import(
+        '@/ee/access-control/utils/permission-check'
+      )
+      try {
+        await assertPermissionsAllowed({
+          userId: auth.userId,
+          workspaceId,
+          model,
+        })
+      } catch (err) {
+        if (err instanceof ProviderNotAllowedError) {
+          return NextResponse.json({
+            success: true,
+            output: {
+              passed: false,
+              validationType,
+              input: input || '',
+              error: err.message,
+            },
+          })
+        }
+        throw err
+      }
+    }
+
     const inputStr = convertInputToString(input)
 
     logger.info(`[${requestId}] Executing validation locally`, {

apps/sim/app/api/mothership/execute/route.ts

@@ -81,7 +81,7 @@ export async function POST(req: NextRequest) {
     })
     const [workspaceContext, integrationTools, userPermission] = await Promise.all([
       generateWorkspaceContext(workspaceId, userId),
-      buildIntegrationToolSchemas(userId, messageId),
+      buildIntegrationToolSchemas(userId, messageId, undefined, workspaceId),
       getUserEntityPermissions(userId, 'workspace', workspaceId).catch(() => null),
     ])
 

apps/sim/app/api/organizations/[id]/invitations/route.ts

@@ -209,6 +209,8 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
           )
         }
 
+        await validateInvitationsAllowed(session.user.id, wsInvitation.workspaceId)
+
         validGrants.push({
           workspaceId: wsInvitation.workspaceId,
           permission: wsInvitation.permission,

apps/sim/app/api/permission-groups/user/route.ts

@@ -1,37 +1,34 @@
 import { db } from '@sim/db'
-import { member, permissionGroup, permissionGroupMember } from '@sim/db/schema'
-import { and, eq } from 'drizzle-orm'
+import { permissionGroup, permissionGroupMember } from '@sim/db/schema'
+import { and, asc, eq } from 'drizzle-orm'
 import { NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
-import { isOrganizationOnEnterprisePlan } from '@/lib/billing'
+import { isWorkspaceOnEnterprisePlan } from '@/lib/billing'
 import { parsePermissionGroupConfig } from '@/lib/permission-groups/types'
+import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
 
 export async function GET(req: Request) {
   const session = await getSession()
-
   if (!session?.user?.id) {
     return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
   }
 
   const { searchParams } = new URL(req.url)
-  const organizationId = searchParams.get('organizationId')
+  const workspaceId = searchParams.get('workspaceId')
 
-  if (!organizationId) {
-    return NextResponse.json({ error: 'organizationId is required' }, { status: 400 })
+  if (!workspaceId) {
+    return NextResponse.json({ error: 'workspaceId is required' }, { status: 400 })
   }
 
-  const [membership] = await db
-    .select({ id: member.id })
-    .from(member)
-    .where(and(eq(member.userId, session.user.id), eq(member.organizationId, organizationId)))
-    .limit(1)
-
-  if (!membership) {
-    return NextResponse.json({ error: 'Not a member of this organization' }, { status: 403 })
+  const access = await checkWorkspaceAccess(workspaceId, session.user.id)
+  if (!access.exists) {
+    return NextResponse.json({ error: 'Workspace not found' }, { status: 404 })
+  }
+  if (!access.hasAccess) {
+    return NextResponse.json({ error: 'Not a member of this workspace' }, { status: 403 })
   }
 
-  // Short-circuit: if org is not on enterprise plan, ignore permission configs
-  const isEnterprise = await isOrganizationOnEnterprisePlan(organizationId)
+  const isEnterprise = await isWorkspaceOnEnterprisePlan(workspaceId)
   if (!isEnterprise) {
     return NextResponse.json({
       permissionGroupId: null,
@@ -51,9 +48,10 @@ export async function GET(req: Request) {
     .where(
       and(
         eq(permissionGroupMember.userId, session.user.id),
-        eq(permissionGroup.organizationId, organizationId)
+        eq(permissionGroup.workspaceId, workspaceId)
       )
     )
+    .orderBy(asc(permissionGroup.createdAt), asc(permissionGroup.id))
     .limit(1)
 
   if (!groupMembership) {

apps/sim/app/api/providers/route.ts

@@ -102,6 +102,21 @@ export async function POST(request: NextRequest) {
       if (!workspaceAccess.hasAccess) {
         return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
       }
+
+      const { assertPermissionsAllowed, IntegrationNotAllowedError, ProviderNotAllowedError } =
+        await import('@/ee/access-control/utils/permission-check')
+      try {
+        await assertPermissionsAllowed({
+          userId: auth.userId,
+          workspaceId,
+          model,
+        })
+      } catch (err) {
+        if (err instanceof ProviderNotAllowedError || err instanceof IntegrationNotAllowedError) {
+          return NextResponse.json({ error: err.message }, { status: 403 })
+        }
+        throw err
+      }
     }
 
     let finalApiKey: string | undefined = apiKey

apps/sim/app/api/v1/admin/access-control/route.ts

@@ -5,24 +5,28 @@
  *   List all permission groups with optional filtering.
  *
  *   Query Parameters:
- *     - organizationId?: string - Filter by organization ID
+ *     - workspaceId?: string - Filter by workspace ID
+ *     - organizationId?: string - Filter by organization ID (joins via workspace)
  *
  *   Response: { data: AdminPermissionGroup[], pagination: PaginationMeta }
  *
  * DELETE /api/v1/admin/access-control
- *   Delete permission groups for an organization.
+ *   Delete permission groups scoped to a workspace or organization (via workspace join).
  *   Used when an enterprise plan churns to clean up access control data.
  *
  *   Query Parameters:
- *     - organizationId: string - Delete all permission groups for this organization
+ *     - workspaceId?: string - Delete all permission groups for this workspace
+ *     - organizationId?: string - Delete all permission groups for every workspace in this org
+ *     - reason?: string - Reason recorded in audit log (default: "Enterprise plan churn cleanup")
  *
  *   Response: { success: true, deletedCount: number, membersRemoved: number }
  */
 
 import { db } from '@sim/db'
-import { organization, permissionGroup, permissionGroupMember, user } from '@sim/db/schema'
+import { permissionGroup, permissionGroupMember, user, workspace } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { count, eq, inArray, sql } from 'drizzle-orm'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { withAdminAuth } from '@/app/api/v1/admin/middleware'
 import {
   badRequestResponse,
@@ -34,8 +38,9 @@ const logger = createLogger('AdminAccessControlAPI')
 
 export interface AdminPermissionGroup {
   id: string
-  organizationId: string
-  organizationName: string | null
+  workspaceId: string
+  workspaceName: string | null
+  organizationId: string | null
   name: string
   description: string | null
   memberCount: number
@@ -46,27 +51,31 @@ export interface AdminPermissionGroup {
 
 export const GET = withAdminAuth(async (request) => {
   const url = new URL(request.url)
+  const workspaceId = url.searchParams.get('workspaceId')
   const organizationId = url.searchParams.get('organizationId')
 
   try {
     const baseQuery = db
       .select({
         id: permissionGroup.id,
-        organizationId: permissionGroup.organizationId,
-        organizationName: organization.name,
+        workspaceId: permissionGroup.workspaceId,
+        workspaceName: workspace.name,
+        workspaceOrganizationId: workspace.organizationId,
         name: permissionGroup.name,
         description: permissionGroup.description,
         createdAt: permissionGroup.createdAt,
         createdByUserId: permissionGroup.createdBy,
         createdByEmail: user.email,
       })
       .from(permissionGroup)
-      .leftJoin(organization, eq(permissionGroup.organizationId, organization.id))
+      .leftJoin(workspace, eq(permissionGroup.workspaceId, workspace.id))
       .leftJoin(user, eq(permissionGroup.createdBy, user.id))
 
     let groups
-    if (organizationId) {
-      groups = await baseQuery.where(eq(permissionGroup.organizationId, organizationId))
+    if (workspaceId) {
+      groups = await baseQuery.where(eq(permissionGroup.workspaceId, workspaceId))
+    } else if (organizationId) {
+      groups = await baseQuery.where(eq(workspace.organizationId, organizationId))
     } else {
       groups = await baseQuery
     }
@@ -80,8 +89,9 @@ export const GET = withAdminAuth(async (request) => {
 
         return {
           id: group.id,
-          organizationId: group.organizationId,
-          organizationName: group.organizationName,
+          workspaceId: group.workspaceId,
+          workspaceName: group.workspaceName,
+          organizationId: group.workspaceOrganizationId,
           name: group.name,
           description: group.description,
           memberCount: memberCount?.count ?? 0,
@@ -93,6 +103,7 @@ export const GET = withAdminAuth(async (request) => {
     )
 
     logger.info('Admin API: Listed permission groups', {
+      workspaceId,
       organizationId,
       count: groupsWithCounts.length,
     })
@@ -107,33 +118,47 @@ export const GET = withAdminAuth(async (request) => {
       },
     })
   } catch (error) {
-    logger.error('Admin API: Failed to list permission groups', { error, organizationId })
+    logger.error('Admin API: Failed to list permission groups', {
+      error,
+      workspaceId,
+      organizationId,
+    })
     return internalErrorResponse('Failed to list permission groups')
   }
 })
 
 export const DELETE = withAdminAuth(async (request) => {
   const url = new URL(request.url)
+  const workspaceId = url.searchParams.get('workspaceId')
   const organizationId = url.searchParams.get('organizationId')
   const reason = url.searchParams.get('reason') || 'Enterprise plan churn cleanup'
 
-  if (!organizationId) {
-    return badRequestResponse('organizationId is required')
+  if (!workspaceId && !organizationId) {
+    return badRequestResponse('workspaceId or organizationId is required')
   }
 
   try {
-    const existingGroups = await db
-      .select({ id: permissionGroup.id })
+    const selectBase = db
+      .select({
+        id: permissionGroup.id,
+        workspaceId: permissionGroup.workspaceId,
+        name: permissionGroup.name,
+      })
       .from(permissionGroup)
-      .where(eq(permissionGroup.organizationId, organizationId))
+
+    const existingGroups = workspaceId
+      ? await selectBase.where(eq(permissionGroup.workspaceId, workspaceId))
+      : await selectBase
+          .innerJoin(workspace, eq(workspace.id, permissionGroup.workspaceId))
+          .where(eq(workspace.organizationId, organizationId!))
 
     if (existingGroups.length === 0) {
-      logger.info('Admin API: No permission groups to delete', { organizationId })
+      logger.info('Admin API: No permission groups to delete', { workspaceId, organizationId })
       return singleResponse({
         success: true,
         deletedCount: 0,
         membersRemoved: 0,
-        message: 'No permission groups found for the given organization',
+        message: 'No permission groups found for the given scope',
       })
     }
 
@@ -146,10 +171,24 @@ export const DELETE = withAdminAuth(async (request) => {
 
     const membersToRemove = Number(memberCountResult?.count ?? 0)
 
-    // Members are deleted via cascade when permission groups are deleted
-    await db.delete(permissionGroup).where(eq(permissionGroup.organizationId, organizationId))
+    await db.delete(permissionGroup).where(inArray(permissionGroup.id, groupIds))
+
+    for (const group of existingGroups) {
+      recordAudit({
+        workspaceId: group.workspaceId,
+        actorId: 'admin-api',
+        action: AuditAction.PERMISSION_GROUP_DELETED,
+        resourceType: AuditResourceType.PERMISSION_GROUP,
+        resourceId: group.id,
+        resourceName: group.name,
+        description: `Admin API deleted permission group "${group.name}"`,
+        metadata: { reason, workspaceId: group.workspaceId, organizationId },
+        request,
+      })
+    }
 
     logger.info('Admin API: Deleted permission groups', {
+      workspaceId,
       organizationId,
       deletedCount: existingGroups.length,
       membersRemoved: membersToRemove,
@@ -163,7 +202,11 @@ export const DELETE = withAdminAuth(async (request) => {
       reason,
     })
   } catch (error) {
-    logger.error('Admin API: Failed to delete permission groups', { error, organizationId })
+    logger.error('Admin API: Failed to delete permission groups', {
+      error,
+      workspaceId,
+      organizationId,
+    })
     return internalErrorResponse('Failed to delete permission groups')
   }
 })

apps/sim/app/api/v1/admin/workspaces/[id]/members/route.ts

@@ -36,6 +36,7 @@ import { createLogger } from '@sim/logger'
 import { generateId } from '@sim/utils/id'
 import { and, count, eq } from 'drizzle-orm'
 import { syncWorkspaceEnvCredentials } from '@/lib/credentials/environment'
+import { applyWorkspaceAutoAddGroup } from '@/lib/permission-groups/auto-add'
 import { getWorkspaceById } from '@/lib/workspaces/permissions/utils'
 import { withAdminAuthParams } from '@/app/api/v1/admin/middleware'
 import {
@@ -221,6 +222,8 @@ export const POST = withAdminAuthParams<RouteParams>(async (request, context) =>
       updatedAt: now,
     })
 
+    await applyWorkspaceAutoAddGroup(db, workspaceId, body.userId)
+
     logger.info(`Admin API: Added user ${body.userId} to workspace ${workspaceId}`, {
       permissions: body.permissions,
       permissionId,

apps/sim/app/api/workflows/[id]/deploy/route.ts

@@ -150,7 +150,7 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
         '@/ee/access-control/utils/permission-check'
       )
       try {
-        await validatePublicApiAllowed(session?.user?.id)
+        await validatePublicApiAllowed(session?.user?.id, workflowData?.workspaceId ?? undefined)
       } catch (err) {
         if (err instanceof PublicApiNotAllowedError) {
           return createErrorResponse('Public API access is disabled', 403)

apps/sim/app/api/workflows/[id]/execute/route.ts

@@ -316,6 +316,7 @@ async function handleExecutePost(
           isPublicApi: workflowTable.isPublicApi,
           isDeployed: workflowTable.isDeployed,
           userId: workflowTable.userId,
+          workspaceId: workflowTable.workspaceId,
         })
         .from(workflowTable)
         .where(eq(workflowTable.id, workflowId))
@@ -330,10 +331,14 @@ async function handleExecutePost(
         return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
       }
 
-      const { getUserPermissionConfig } = await import('@/ee/access-control/utils/permission-check')
-      const ownerConfig = await getUserPermissionConfig(wf.userId)
-      if (ownerConfig?.disablePublicApi) {
-        return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+      if (wf.workspaceId) {
+        const { getUserPermissionConfig } = await import(
+          '@/ee/access-control/utils/permission-check'
+        )
+        const ownerConfig = await getUserPermissionConfig(wf.userId, wf.workspaceId)
+        if (ownerConfig?.disablePublicApi) {
+          return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+        }
       }
 
       userId = wf.userId