Overview
Teams allow multiple users to share encrypted data (KV store entries, Git repos) with fine-grained role-based access control. Teams can span multiple FOKS servers, and teams can be nested — a team can itself be a member of another team.

Roles
| Role | Permissions |
|---|---|
| owner | Full control, can add/remove admins and owners, delete the team |
| admin | Can invite users, change roles of members and below |
| member(n) | Read and write access to team data at the member level |
| reader | Read-only access to team data at the reader level |
The member role carries a signed integer sub-level n in the range -16384 to 16384, defaulting to 0 (written as plain member). Sub-levels are linearizable: member(-1) is lower privilege than member(0), which is lower than member(1). This is useful for granting bots or automated processes a distinct privilege tier within the member band — for example, a deploy bot might be member(-1) to ensure it can only access data explicitly shared at that level or below.
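As an added illustration (not FOKS project code), the ordering above can be modelled by collapsing the four bands and the member sub-levels onto a single integer rank, after which the access check and the admin "members and below" rule reduce to plain comparisons. The names Kind, Role, Member, Rank, CanAccess and CanChangeRole are chosen here, and the admin rule is assumed to constrain both the old and the new role.

```go
package main

// Kind is the role band from the table above, least to most privileged.
type Kind int

const (
	KindNone Kind = iota // the "none" role used to remove a user
	KindReader
	KindMember
	KindAdmin
	KindOwner
)
// Role is a band plus, for member only, the signed sub-level n.
type Role struct {
	Kind  Kind
	Level int // MinLevel..MaxLevel for member, 0 otherwise
}

const MinLevel, MaxLevel = -16384, 16384

// Member builds member(n), rejecting a sub-level outside the range.
func Member(n int) (Role, bool) {
	if n < MinLevel || n > MaxLevel {
		return Role{}, false
	}
	return Role{Kind: KindMember, Level: n}, true
}
// bandRank parks the non-member bands just outside the member range.
var bandRank = map[Kind]int{KindNone: MinLevel - 2, KindReader: MinLevel - 1,
	KindAdmin: MaxLevel + 1, KindOwner: MaxLevel + 2}

// Rank yields reader < member(-1) < member < member(1) < admin < owner.
func Rank(r Role) int {
	if r.Kind == KindMember {
		return r.Level
	}
	return bandRank[r.Kind]
}
// CanAccess: a role reaches data shared at its own rank or below.
func CanAccess(actor, shared Role) bool { return Rank(actor) >= Rank(shared) }

// CanChangeRole: owners set any role; admins only act on members and below
// (assumed here to constrain both the current and the new role).
func CanChangeRole(actor, cur, next Role) bool {
	if actor.Kind == KindOwner {
		return true
	}
	return actor.Kind == KindAdmin && cur.Kind <= KindMember && next.Kind <= KindMember
}
```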
Commands
create
invite: admin role or above.
accept
admit: member role.
add: admin role or above. On closed-view hosts, use invite + admit instead.
change-roles: user@host/newrole. To remove a user, set the role to none.
list
list-memberships
index-range
Federated Teams
Teams can include members from different FOKS servers. When inviting a user from another server, use their fully-qualified name, of the form user@host.

Nested Teams
A team can be added as a member of another team. This allows hierarchical permission structures. For example, an infrastructure team could be a member of a platform team with read access to platform secrets.