Self Checks
1. Is this request related to a challenge you're experiencing? Tell me about your story.
Today a workspace member is either an editor (owner/admin/editor — full edit, run, and history access) or a normal member (can only
use published apps, with no access to the Studio at all). There is no role in between.
In our team, stakeholders such as reviewers, QA, and cross-team engineers frequently need to inspect how a workflow / chatflow is
built — open the canvas, read node configuration and variables — but they should not be able to modify the draft, trigger test
runs, restore versions, or browse run history.
With the current roles we are forced to choose between two bad options:
- Grant editor, which over-privileges them and risks accidental edits or runs against a shared draft; or
- Grant normal, which hides the Studio entirely, so they cannot see the workflow design at all.
I was trying to give a reviewer "look but don't touch" access to a workflow app, and there was simply no way to express that. It
was frustrating because read-only inspection is a very common need and currently has no safe answer.
Proposed solution — a new read-only viewer role:
- May open workflow-style apps (workflow / advanced-chat) in the editor in read-only mode (canvas + node config + variables).
- May not edit the draft, run/preview the workflow, view run history, or restore versions — the corresponding entries are hidden
and their backend endpoints reject the role.
- For non-workflow apps, behaves like a normal member (lands on the overview page).
- Assignable through the existing member invite / change-role flow, like any other role.
2. Additional context or comments
- Backend: a new TenantAccountRole.VIEWER, a view_permission_required decorator (allows owner/admin/editor/viewer) applied to the
workflow & draft-variable GET endpoints, while all write/run endpoints stay guarded by edit_permission_required.
- Frontend: an isCurrentWorkspaceViewer context flag and an isViewerReadOnly store flag that forces the canvas read-only and hides
the run / preview / history / version-restore controls; viewer-aware redirection and navigation; a viewer option in member
management.
- i18n: members.viewer / members.viewerTip added across all supported locales.
- This is scoped to workflow-style apps only; it intentionally does not expose the prompt configuration or logs pages to viewers.
3. Can you help us with this feature?
Self Checks
1. Is this request related to a challenge you're experiencing? Tell me about your story.
Today a workspace member is either an editor (owner/admin/editor — full edit, run, and history access) or a normal member (can only
use published apps, with no access to the Studio at all). There is no role in between.
In our team, stakeholders such as reviewers, QA, and cross-team engineers frequently need to inspect how a workflow / chatflow is
built — open the canvas, read node configuration and variables — but they should not be able to modify the draft, trigger test
runs, restore versions, or browse run history.
With the current roles we are forced to choose between two bad options:
I was trying to give a reviewer "look but don't touch" access to a workflow app, and there was simply no way to express that. It
was frustrating because read-only inspection is a very common need and currently has no safe answer.
Proposed solution — a new read-only viewer role:
and their backend endpoints reject the role.
2. Additional context or comments
workflow & draft-variable GET endpoints, while all write/run endpoints stay guarded by edit_permission_required.
the run / preview / history / version-restore controls; viewer-aware redirection and navigation; a viewer option in member
management.
3. Can you help us with this feature?