Ops Permissions for Review and Publish

Understand who can access Ops review and publish endpoints and why responses may be 403, 404, or empty lists.

Ops review/publish endpoints use a strict internal-role and workspace-scope policy.

Internal role requirement

Users must be internal Ops (is_developer or is_support) for Ops endpoints.

If not internal:

  • API returns 403 OPS_REQUIRED.
  • UI shows a deterministic blocked state ("Ops role required").

Manual approval permission in review UI

For scoped label-pack approval in Ops prelabel review:

  • Internal Ops users can approve by default.
  • If can_approve_label_packs is explicitly set to false, approve actions are disabled in the UI with a deterministic reason.
  • Approval still requires backend authorization; failed approval attempts return deterministic error code/message feedback.

Resource endpoints (detail, draft, publish, history)

For support users:

  • If the target workspace is not accessible, API returns 404 NOT_FOUND (anti-enumeration).

For developer users:

  • Cross-workspace access is allowed.

Workspace-filtered list endpoints

For support users:

  • Responses include only accessible workspace rows.
  • If a requested workspace is inaccessible, API returns 200 with an empty list.

For developer users:

  • Cross-workspace list access is allowed.

Why 404 instead of 403 on some support paths?

404 NOT_FOUND is returned for unauthorized resource-scoped access so that the response does not leak whether a resource exists in another workspace.
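The policy above as a small decision model, added here as an illustration and not the product's own code. The `User.workspaces` field, the function names, the response body shape, and the sample resource table are assumptions; only the status codes, `OPS_REQUIRED`, `NOT_FOUND`, `is_developer` and `is_support` come from this page.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    is_developer: bool = False
    is_support: bool = False
    workspaces: frozenset = frozenset()  # assumed: workspaces a support user can access

# Constructed sample data: resource id -> owning workspace id.
RESOURCES = {"r1": "ws-a", "r2": "ws-b"}

def ops_gate(user):
    """Internal role requirement: 403 OPS_REQUIRED unless developer or support."""
    if not (user.is_developer or user.is_support):
        return 403, {"code": "OPS_REQUIRED"}
    return None

def can_see(user, workspace_id):
    # Developers get cross-workspace access; support users are workspace-scoped.
    return user.is_developer or workspace_id in user.workspaces

def get_resource(user, resource_id):
    """Resource endpoints (detail, draft, publish, history)."""
    denied = ops_gate(user)
    if denied:
        return denied
    ws = RESOURCES.get(resource_id)
    # A missing resource and an inaccessible workspace share one branch, so a
    # support user cannot tell them apart (anti-enumeration).
    if ws is None or not can_see(user, ws):
        return 404, {"code": "NOT_FOUND"}
    return 200, {"id": resource_id, "workspace": ws}

def list_resources(user, workspace_id=None):
    """Workspace-filtered list endpoints: inaccessible rows are silently dropped."""
    denied = ops_gate(user)
    if denied:
        return denied
    rows = [
        {"id": rid, "workspace": ws}
        for rid, ws in sorted(RESOURCES.items())
        if (workspace_id is None or ws == workspace_id) and can_see(user, ws)
    ]
    return 200, rows  # 200 with [] when the requested workspace is inaccessible
```
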

Didn't find what you need? Email support@soccer-insights.com or mention us in Slack if your club has a shared channel.