From 6a1631f24fca3acbc2ed829579ed4344bcb5fdfb Mon Sep 17 00:00:00 2001
From: Malachi Willey
Date: Wed, 8 Oct 2025 11:25:10 -0700
Subject: [PATCH 1/2] fix(aci): Allow users with alerts:write to create/edit workflows

---
 .../endpoints/organization_workflow_index.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/sentry/workflow_engine/endpoints/organization_workflow_index.py b/src/sentry/workflow_engine/endpoints/organization_workflow_index.py
index 5253e3941ac617..be52eb4e59e901 100644
--- a/src/sentry/workflow_engine/endpoints/organization_workflow_index.py
+++ b/src/sentry/workflow_engine/endpoints/organization_workflow_index.py
@@ -15,6 +15,7 @@
 from sentry.api.api_publish_status import ApiPublishStatus
 from sentry.api.base import region_silo_endpoint
 from sentry.api.bases import OrganizationEndpoint
+from sentry.api.bases.organization import OrganizationPermission
 from sentry.api.event_search import SearchConfig, SearchFilter, SearchKey, default_config
 from sentry.api.event_search import parse_search_query as base_parse_search_query
 from sentry.api.exceptions import ResourceDoesNotExist
@@ -69,7 +70,18 @@
 parse_workflow_query = partial(base_parse_search_query, config=workflow_search_config)


+class OrganizationWorkflowPermission(OrganizationPermission):
+ scope_map = {
+ "GET": ["org:read", "org:write", "org:admin", "alerts:read"],
+ "POST": ["org:write", "org:admin", "alerts:write"],
+ "PUT": ["org:write", "org:admin", "alerts:write"],
+ "DELETE": ["org:write", "org:admin", "alerts:write"],
+ }
+
+
 class OrganizationWorkflowEndpoint(OrganizationEndpoint):
+ permission_classes = (OrganizationWorkflowPermission,)
+
 def convert_args(self, request: Request, workflow_id, *args, **kwargs):
 args, kwargs = super().convert_args(request, *args, **kwargs)
 try:
From c5c8510e4848d975e70d08294ed1e8cc2d62fdc1 Mon Sep 17 00:00:00 2001
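Review bot: The `"DELETE"` entry of `scope_map` in `OrganizationWorkflowPermission` accepts `alerts:write` too, while the commit subject only mentions creating and editing workflows, so deletion rights are widened without being stated anywhere. If that is intended, record it on the class with a docstring such as `"""Org-level scopes for workflow endpoints; alerts:write may create, edit and delete workflows."""`; if it is not, keep `"DELETE": ["org:write", "org:admin"]`. The `"GET"` list names `alerts:read` but not `alerts:write`, so a credential holding only the write scope passes POST/PUT/DELETE and not GET unless scope implication is resolved elsewhere, which this hunk does not show.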
From: Malachi Willey
Date: Wed, 8 Oct 2025 11:42:11 -0700
Subject: [PATCH 2/2] Also apply to the index endpoint class

---
 .../workflow_engine/endpoints/organization_workflow_index.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/sentry/workflow_engine/endpoints/organization_workflow_index.py b/src/sentry/workflow_engine/endpoints/organization_workflow_index.py
index be52eb4e59e901..abb6c05a01d692 100644
--- a/src/sentry/workflow_engine/endpoints/organization_workflow_index.py
+++ b/src/sentry/workflow_engine/endpoints/organization_workflow_index.py
@@ -103,6 +103,7 @@ class OrganizationWorkflowIndexEndpoint(OrganizationEndpoint):
 "DELETE": ApiPublishStatus.EXPERIMENTAL,
 }
 owner = ApiOwner.ISSUES
+ permission_classes = (OrganizationWorkflowPermission,)

 def filter_workflows(self, request: Request, organization: Organization) -> QuerySet[Workflow]:
 """
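Review bot: Setting `permission_classes` on `OrganizationWorkflowIndexEndpoint` makes its DELETE handler reachable with only `alerts:write` (the context line `"DELETE": ApiPublishStatus.EXPERIMENTAL` shows the index class exposes one), and neither patch touches a test file to pin that. The handler is outside the hunk; if it acts on many workflows per request, the scope check here is presumably organization-wide, so any narrowing to what the caller may modify has to happen in the handler's queryset. I would add endpoint tests that issue POST, PUT and DELETE as a member with `alerts:write` and as one without it, asserting success and 403 respectively. A short comment above the new line would also help, e.g. `# alerts:write is sufficient here; see OrganizationWorkflowPermission.scope_map`.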