The Security Model defines how identities authenticate to Synqly and how access to resources is authorized. It applies consistently across the Management API, Connector APIs and MCP servers.
The model combines permission sets, resource restrictions, roles, and scoped tokens to enforce least-privilege access while supporting auditing, delegation, and enterprise governance requirements.
If you haven't read Understanding the Synqly Model yet, start there — it covers organizations, accounts, and members, which the Security Model acts on.
This section explains the RBAC model that the token types are built on. It provides the context needed when designing roles, troubleshooting unexpected access denials, or understanding why a token has a particular level of access.
Synqly's authorization model is built on three building blocks:
Permission sets
What can you do?
A named bundle of API actions. Fixed catalogue — you pick, not compose.
Resources
On which objects?
Restrict by account ID, label, environment, or integration category.
Roles
Reusable pairing
Named combination of permission set + resource restrictions. Bind to members.
A permission set is a named, predefined bundle of API actions. You pick from a fixed catalogue — you don't assemble one from scratch.
administrator
Full administrative access
viewer
Read-only access across all resources
account-manager
Create and manage accounts, integrations, credentials
member
Minimum access — log in, view own profile, basic status
connect-ui
Power a Connect UI widget — create/delete integrations and credentials only
token-issuer
Issue integration tokens, nothing else
mcp-integrations-use-only
Read accounts/integrations + call Connector APIs
mcp-management
Create/update integrations, no Connector API access
Don't guess — query the Permission Sets API. It returns the precise list of API actions each set grants.
A permission set says what you can do — but to what? Without a resource restriction, administrator means administrator over everything in your organization. Resources let you apply restrictions across three dimensions:
- Organizations (
resources.organizations) — restrict by organization ID or label - Accounts (
resources.accounts) — restrict by account ID, label, or environment - Integrations (
resources.integrations) — restrict by connector category
resources:
accounts:
ids: ["account-123", "account-456"]A role is a permission set + resource restriction, given a name so you can reuse it across tokens and members.
- Synqlyhttps://api.synqly.com/v1/roles
curl -i -X POST \
https://api.synqly.com/v1/roles \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
-H 'Content-Type: application/json' \
-d '{
"name": "production-account-manager",
"resources": {
"accounts": {
"environments": [
"prod"
],
"labels": [
"customer-success-team"
]
}
},
"permission_set": "account-manager"
}'See the Roles API reference for full create/list operations.
A role does nothing until it's bound to a member — a human user or a service account. A member's effective access is the union of all their role bindings.
- Synqlyhttps://api.synqly.com/v1/members
curl -i -X POST \
https://api.synqly.com/v1/members \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
-H 'Content-Type: application/json' \
-d '{
"name": "user@example.com",
"secret": "password123",
"role_binding": [
"production-account-manager"
]
}'If any one of a member's roles permits an action, that action is permitted. Roles only ever add capability — they cannot be used to carve exceptions from each other.
See the Members API reference.
Synqly uses role-based access control (RBAC) to support least-privilege access, resource isolation, and auditability. Instead of granting broad access through shared credentials, RBAC allows permissions to be assigned according to a caller's responsibilities and constrained to specific resources.
| Shared credentials | Role-based access control |
|---|---|
| One credential is used by multiple callers | Each caller receives only the permissions required for its role |
| A credential compromise can expose all accessible resources | Access is limited to the permissions and resource restriction assigned to that role |
| Actions cannot be reliably attributed to an individual caller | Actions are attributed to a specific member, service account, or token |
| Access boundaries depend on how callers use the credential | Access boundaries are enforced by the platform |
A resource restriction is not a convention or expectation about how a caller should behave. It is a platform-enforced boundary that is evaluated on every request.