TracecatHQ
diff --git a/‎frontend/package.json‎
Lines changed: 2 additions & 2 deletions b/‎frontend/package.json‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎frontend/pnpm-lock.yaml‎
Lines changed: 702 additions & 714 deletions b/‎frontend/pnpm-lock.yaml‎
Lines changed: 702 additions & 714 deletions
diff --git a/‎frontend/src/app/organization/members/page.tsx‎
Lines changed: 35 additions & 9 deletions b/‎frontend/src/app/organization/members/page.tsx‎
Lines changed: 35 additions & 9 deletions
diff --git a/‎frontend/src/app/organization/settings/rbac/page.tsx‎
Lines changed: 31 additions & 6 deletions b/‎frontend/src/app/organization/settings/rbac/page.tsx‎
Lines changed: 31 additions & 6 deletions
diff --git a/‎frontend/src/app/workspaces/[workspaceId]/members/page.tsx‎
Lines changed: 49 additions & 3 deletions b/‎frontend/src/app/workspaces/[workspaceId]/members/page.tsx‎
Lines changed: 49 additions & 3 deletions
diff --git a/‎frontend/src/client/services.gen.ts‎
Lines changed: 22 additions & 13 deletions b/‎frontend/src/client/services.gen.ts‎
Lines changed: 22 additions & 13 deletions
diff --git a/‎frontend/src/client/types.gen.ts‎
Lines changed: 12 additions & 0 deletions b/‎frontend/src/client/types.gen.ts‎
Lines changed: 12 additions & 0 deletions
@@ -107,10 +107,10 @@
     "papaparse": "^5.5.3",
     "posthog-js": "^1.268.8",
     "preact": "10.27.3",
-    "react": "^18.3.1",
+    "react": "^19.2.4",
     "react-colorful": "^5.6.1",
     "react-day-picker": "^9.11.1",
-    "react-dom": "^18.3.1",
+    "react-dom": "^19.2.4",
     "react-hook-form": "^7.63.0",
     "react-hotkeys-hook": "^5.1.0",
     "react-resizable-panels": "^1.0.10",
 
@@ -1,28 +1,54 @@
 "use client"
 
+import { ScopeGuard } from "@/components/auth/scope-guard"
 import { OrgMembersTable } from "@/components/organization/org-members-table"
+import { OrgRbacGroups } from "@/components/organization/org-rbac-groups"
+import { OrgRbacRoles } from "@/components/organization/org-rbac-roles"
+import { Tabs, TabsContent, TabsList, TabsTrigger } from "@/components/ui/tabs"
+
+const tabTriggerClassName =
+  "rounded-none border-b-2 border-transparent px-4 py-2.5 data-[state=active]:border-primary data-[state=active]:bg-transparent data-[state=active]:shadow-none"
 
 export default function MembersPage() {
   return (
     <div className="size-full overflow-auto">
-      <div className="container flex h-full max-w-[1000px] flex-col space-y-12">
+      <div className="container flex h-full max-w-[1200px] flex-col space-y-8 py-6">
         <div className="flex w-full">
           <div className="items-start space-y-3 text-left">
             <h2 className="text-2xl font-semibold tracking-tight">
-              Organization members
+              Members and access control
             </h2>
             <p className="text-md text-muted-foreground">
-              View all organization members here.
+              Manage organization members, roles, and groups.
             </p>
           </div>
-          <div className="ml-auto flex items-center space-x-2"></div>
         </div>
-        <div className="space-y-4">
-          <>
-            <h6 className="text-sm font-semibold">Manage members</h6>
+        <Tabs defaultValue="members" className="w-full">
+          <TabsList className="inline-flex h-auto w-auto justify-start gap-0 rounded-none border-b border-border/30 bg-transparent p-0">
+            <TabsTrigger value="members" className={tabTriggerClassName}>
+              Members
+            </TabsTrigger>
+            <ScopeGuard scope="org:rbac:read" fallback={null} loading={null}>
+              <TabsTrigger value="roles" className={tabTriggerClassName}>
+                Roles
+              </TabsTrigger>
+              <TabsTrigger value="groups" className={tabTriggerClassName}>
+                Groups
+              </TabsTrigger>
+            </ScopeGuard>
+          </TabsList>
+          <TabsContent value="members" className="mt-6">
             <OrgMembersTable />
-          </>
-        </div>
+          </TabsContent>
+          <ScopeGuard scope="org:rbac:read" fallback={null} loading={null}>
+            <TabsContent value="roles" className="mt-6">
+              <OrgRbacRoles />
+            </TabsContent>
+            <TabsContent value="groups" className="mt-6">
+              <OrgRbacGroups />
+            </TabsContent>
+          </ScopeGuard>
+        </Tabs>
       </div>
     </div>
   )
 
@@ -39,12 +39,37 @@ export default function RbacSettingsPage() {
           onValueChange={(v) => setActiveTab(v as RbacTab)}
           className="w-full"
         >
-          <TabsList className="grid w-full max-w-[650px] grid-cols-5">
-            <TabsTrigger value="roles">Roles</TabsTrigger>
-            <TabsTrigger value="groups">Groups</TabsTrigger>
-            <TabsTrigger value="assignments">Group assignments</TabsTrigger>
-            <TabsTrigger value="user-assignments">User assignments</TabsTrigger>
-            <TabsTrigger value="scopes">Scopes</TabsTrigger>
+          <TabsList className="inline-flex h-auto w-auto justify-start gap-0 rounded-none border-b border-border/30 bg-transparent p-0">
+            <TabsTrigger
+              value="roles"
+              className="rounded-none border-b-2 border-transparent px-4 py-2.5 data-[state=active]:border-primary data-[state=active]:bg-transparent data-[state=active]:shadow-none"
+            >
+              Roles
+            </TabsTrigger>
+            <TabsTrigger
+              value="groups"
+              className="rounded-none border-b-2 border-transparent px-4 py-2.5 data-[state=active]:border-primary data-[state=active]:bg-transparent data-[state=active]:shadow-none"
+            >
+              Groups
+            </TabsTrigger>
+            <TabsTrigger
+              value="assignments"
+              className="rounded-none border-b-2 border-transparent px-4 py-2.5 data-[state=active]:border-primary data-[state=active]:bg-transparent data-[state=active]:shadow-none"
+            >
+              Group assignments
+            </TabsTrigger>
+            <TabsTrigger
+              value="user-assignments"
+              className="rounded-none border-b-2 border-transparent px-4 py-2.5 data-[state=active]:border-primary data-[state=active]:bg-transparent data-[state=active]:shadow-none"
+            >
+              User assignments
+            </TabsTrigger>
+            <TabsTrigger
+              value="scopes"
+              className="rounded-none border-b-2 border-transparent px-4 py-2.5 data-[state=active]:border-primary data-[state=active]:bg-transparent data-[state=active]:shadow-none"
+            >
+              Scopes
+            </TabsTrigger>
           </TabsList>
 
           <TabsContent value="roles" className="mt-6">
 
@@ -1,10 +1,17 @@
 "use client"
 
+import { ScopeGuard } from "@/components/auth/scope-guard"
 import { CenteredSpinner } from "@/components/loading/spinner"
 import { AlertNotification } from "@/components/notifications"
+import { Tabs, TabsContent, TabsList, TabsTrigger } from "@/components/ui/tabs"
 import { WorkspaceMembersTable } from "@/components/workspaces/workspace-members-table"
+import { WorkspaceRbacGroups } from "@/components/workspaces/workspace-rbac-groups"
+import { WorkspaceRbacRoles } from "@/components/workspaces/workspace-rbac-roles"
 import { useWorkspaceDetails } from "@/hooks/use-workspace"
 
+const tabTriggerClassName =
+  "rounded-none border-b-2 border-transparent px-4 py-2.5 data-[state=active]:border-primary data-[state=active]:bg-transparent data-[state=active]:shadow-none"
+
 export default function WorkspaceMembersPage() {
   const { workspace, workspaceLoading, workspaceError } = useWorkspaceDetails()
   if (workspaceLoading) {
@@ -23,10 +30,49 @@ export default function WorkspaceMembersPage() {
   }
   return (
     <div className="size-full overflow-auto">
-      <div className="container flex h-full max-w-[1000px] flex-col space-y-8 py-8">
-        <div className="space-y-4">
-          <WorkspaceMembersTable workspace={workspace} />
+      <div className="container flex h-full max-w-[1200px] flex-col space-y-8 py-6">
+        <div className="flex w-full">
+          <div className="items-start space-y-3 text-left">
+            <h2 className="text-2xl font-semibold tracking-tight">Members</h2>
+            <p className="text-md text-muted-foreground">
+              Manage workspace members, roles, and groups.
+            </p>
+          </div>
         </div>
+        <Tabs defaultValue="members" className="w-full">
+          <TabsList className="inline-flex h-auto w-auto justify-start gap-0 rounded-none border-b border-border/30 bg-transparent p-0">
+            <TabsTrigger value="members" className={tabTriggerClassName}>
+              Members
+            </TabsTrigger>
+            <ScopeGuard
+              scope="workspace:rbac:read"
+              fallback={null}
+              loading={null}
+            >
+              <TabsTrigger value="roles" className={tabTriggerClassName}>
+                Roles
+              </TabsTrigger>
+              <TabsTrigger value="groups" className={tabTriggerClassName}>
+                Groups
+              </TabsTrigger>
+            </ScopeGuard>
+          </TabsList>
+          <TabsContent value="members" className="mt-6">
+            <WorkspaceMembersTable workspace={workspace} />
+          </TabsContent>
+          <ScopeGuard
+            scope="workspace:rbac:read"
+            fallback={null}
+            loading={null}
+          >
+            <TabsContent value="roles" className="mt-6">
+              <WorkspaceRbacRoles workspaceId={workspace.id} />
+            </TabsContent>
+            <TabsContent value="groups" className="mt-6">
+              <WorkspaceRbacGroups workspaceId={workspace.id} />
+            </TabsContent>
+          </ScopeGuard>
+        </Tabs>
       </div>
     </div>
   )
 
@@ -539,6 +539,7 @@ import type {
   TriggersUpdateCaseTriggerResponse,
   TriggersUpdateWebhookData,
   TriggersUpdateWebhookResponse,
+  UsersGetMyScopesData,
   UsersGetMyScopesResponse,
   UsersSearchUserData,
   UsersSearchUserResponse,
@@ -841,13 +842,14 @@ export const publicReceiveInteraction = (
 
 /**
  * List Workspaces
- * List workspaces.
+ * List workspaces the user has access to.
  *
- * Access Level
- * ------------
- * - Basic: Can list workspaces where they are a member.
- * - Admin: Can list all workspaces regardless of membership.
- * - Org Owner/Admin: Can list all workspaces in the organization.
+ * Access
+ * ------
+ * - Org owners/admins (have `org:read` scope): See all workspaces in the org.
+ * - Other users: See only workspaces where they are a member.
+ *
+ * No scope requirement - membership itself is the authorization.
  * @returns WorkspaceReadMinimal Successful Response
  * @throws ApiError
  */
@@ -8454,13 +8456,20 @@ export const vcsGetGithubAppCredentialsStatus =
  * @returns UserScopesRead Successful Response
  * @throws ApiError
  */
-export const usersGetMyScopes =
-  (): CancelablePromise<UsersGetMyScopesResponse> => {
-    return __request(OpenAPI, {
-      method: "GET",
-      url: "/users/me/scopes",
-    })
-  }
+export const usersGetMyScopes = (
+  data: UsersGetMyScopesData = {}
+): CancelablePromise<UsersGetMyScopesResponse> => {
+  return __request(OpenAPI, {
+    method: "GET",
+    url: "/users/me/scopes",
+    query: {
+      workspace_id: data.workspaceId,
+    },
+    errors: {
+      422: "Validation Error",
+    },
+  })
+}
 
 /**
  * List Scopes
 
@@ -8928,6 +8928,13 @@ export type VcsDeleteGithubAppCredentialsResponse = void
 export type VcsGetGithubAppCredentialsStatusResponse =
   GitHubAppCredentialsStatus
 
+export type UsersGetMyScopesData = {
+  /**
+   * Workspace to get scopes for
+   */
+  workspaceId?: string | null
+}
+
 export type UsersGetMyScopesResponse = UserScopesRead
 
 export type RbacListScopesData = {
@@ -13326,11 +13333,16 @@ export type $OpenApiTs = {
   }
   "/users/me/scopes": {
     get: {
+      req: UsersGetMyScopesData
       res: {
         /**
          * Successful Response
          */
         200: UserScopesRead
+        /**
+         * Validation Error
+         */
+        422: HTTPValidationError
       }
     }
   }