Scopes
DaoFlow uses 26 colon-delimited scopes to control access to every operation.
Scope Format
Scopes follow the pattern resource:action:
server:read— read server datadeploy:start— start a deploymentbackup:restore— restore from backup
Complete Scope Reference
Infrastructure
| Scope | Description |
|---|---|
server:read | List servers, view readiness, resources, tunnels, log drains, operation history, and operation logs |
server:write | Register, update, remove, cleanup, patch-plan servers, manage tunnels, or manage log drains |
Deployment
| Scope | Description |
|---|---|
deploy:read | View deployment history, steps, and status |
deploy:start | Queue a new deployment |
deploy:cancel | Cancel an in-progress deployment |
deploy:rollback | Roll back to a previous deployment |
service:read | List services, view service config |
service:update | Update service configuration |
Data and Secrets
| Scope | Description |
|---|---|
env:read | List environment variable keys (values masked) |
env:write | Create, update, or delete environment variables |
secrets:read | Read unmasked secret values (highly restricted) |
secrets:write | Create or rotate secrets |
volumes:read | List persistent volumes and mount status |
volumes:write | Register or remove volumes |
backup:read | View backup policies and run history |
backup:run | Trigger a backup |
backup:restore | Restore from a backup artifact |
Observability
| Scope | Description |
|---|---|
logs:read | Stream and search deployment and container logs |
events:read | View structured event timeline |
diagnostics:read | View agent-generated failure analysis |
Administration
| Scope | Description |
|---|---|
members:manage | Invite, remove, and change roles |
tokens:manage | Create and revoke API tokens |
approvals:create | Request approval for a gated action |
approvals:decide | Approve or reject pending approval requests |
terminal:open | Open an interactive terminal session (exceptional) |
policy:override | Override policy-enforced guardrails |
terminal:open stays intentionally separate from deployment, server, and log access. A user or
token that can deploy, inspect services, read logs, or run server cleanup is still denied
interactive service and host shell access unless terminal:open is explicitly granted. CLI
terminal access follows the same rule and only opens interactive sessions, not one-shot command
execution.
Scope Enforcement
Scopes are checked at two levels:
- Role capabilities — what the principal's role allows
- Token scopes — what the API token explicitly grants
The effective permissions are the intersection of role capabilities and token scopes. A token can never exceed the capabilities of its principal's role.