add access tokens to organization member permissions

n1ru4l · n1ru4l · commit e1a592a0c0f9 · 2025-03-06T10:51:29.000+08:00
diff --git a/integration-tests/tests/api/organization/members.spec.ts b/integration-tests/tests/api/organization/members.spec.ts
@@ -11,6 +11,7 @@ test.concurrent('owner of an organization should have all scopes', async ({ expe
     [
       organization:describe,
       support:manageTickets,
+      accessToken:modify,
       organization:modifySlug,
       auditLog:export,
       organization:delete,
diff --git a/packages/services/api/src/modules/organization/lib/organization-member-permissions.ts b/packages/services/api/src/modules/organization/lib/organization-member-permissions.ts
@@ -17,6 +17,13 @@ export const permissionGroups: Array<PermissionGroup> = [
         title: 'Access support tickets',
         description: 'Member can access, create and reply to support tickets.',
       },
+      {
+        id: 'accessToken:modify',
+        title: 'Manage organization access tokens',
+        description: 'Member can create and delete organization access tokens.',
+        warning:
+          'Granting a role the ability to manage members enables it to elevate its own permissions.',
+      },
       {
         id: 'organization:modifySlug',
         title: 'Update organization slug',
@@ -266,7 +273,6 @@ assertAllRulesAreAssigned([
   'appDeployment:publish',
   'appDeployment:retire',
   'usage:report',
-  'accessToken:modify',
 ]);
 
 /**

Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,7 @@ test.concurrent('owner of an organization should have all scopes', async ({ expe`
`11`	`11`	`[`
`12`	`12`	`organization:describe,`
`13`	`13`	`support:manageTickets,`
	`14`	`+ accessToken:modify,`
`14`	`15`	`organization:modifySlug,`
`15`	`16`	`auditLog:export,`
`16`	`17`	`organization:delete,`