Skip to content

fix(credentials): workspace admin users get 'member' role on credential_member instead of 'admin' #4698

Open
Open
fix(credentials): workspace admin users get 'member' role on credential_member instead of 'admin'#4698
@minijeong-log

Description

@minijeong-log
minijeong-log
opened on May 21, 2026

Bug Description

When a workspace-scoped secret is created (via Settings > Secrets or syncWorkspaceEnvCredentials), the credential_member role is determined solely by whether the user is the workspace owner:

const targetRole = memberUserId === ownerUserId ? 'admin' : 'member'

This means workspace admin users are assigned member role on credential_member, making them unable to edit or delete the secret — even though they have admin access to the workspace.

Affected Code

  1. apps/sim/lib/credentials/environment.tsensureWorkspaceCredentialMemberships: only checks ownerUserId, ignores workspace permissions table
  2. apps/sim/app/api/credentials/route.ts — POST handler: same issue, only workspaceRow.ownerId || session.user.id gets admin

Expected Behavior

Credential member role should reflect workspace permissions:

Workspace Permission Credential Role
owner (workspace.ownerId) admin
admin (permissions table) admin
write member
read member

Steps to Reproduce

  1. Create a workspace with multiple members (owner + admin + write/read users)
  2. As the owner, go to Settings > Secrets and create a workspace-scoped secret
  3. Check credential_member table — only the owner has admin role
  4. Log in as a workspace admin user — cannot edit or delete the secret

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions