improvement(access-controls): ui/ux improvements (#5190)

* improvement(access-controls): ui/ux improvements

* remove unused col

Author: icecrasher321

apps/docs/content/docs/en/platform/enterprise/access-control.mdx

@@ -145,7 +145,7 @@ A workspace-scoped group applies to **all members of its workspaces by default**
 
 A user is governed by one group per workspace, so adding a user is rejected when it would conflict with another of their groups on a shared workspace (skipped rather than added in bulk). The default group ignores members entirely — it always governs everyone not covered by a workspace group.
 
-Manage which workspaces a group governs from the **Workspaces** list in the group's **Details** view (Add and Remove). A non-default group must always target at least one workspace.
+Manage which workspaces a group governs from the **Workspaces** list in the group's **Details** view (Add and Remove). A non-default group is created targeting at least one workspace, but you can later remove all of them — a group with no workspaces simply governs nothing until you add one back.
 
 External workspace members (people who have access to a workspace but belong to a different organization) can't be added as named members, but a workspace-scoped group with no members — and the organization default group — still governs them.
 

apps/sim/app/api/organizations/[id]/permission-groups/[groupId]/members/route.ts

@@ -281,7 +281,7 @@ export const DELETE = withRouteHandler(
           throw new Error('MEMBER_NOT_FOUND')
         }
 
-        if (!lockedGroup.isDefault && !lockedGroup.appliesToAllWorkspaces) {
+        if (!lockedGroup.isDefault) {
           const [memberCountRow] = await tx
             .select({ value: count() })
             .from(permissionGroupMember)

apps/sim/app/api/organizations/[id]/permission-groups/[groupId]/route.ts

@@ -48,7 +48,7 @@ export const GET = withRouteHandler(
       return NextResponse.json({ error: 'Permission group not found' }, { status: 404 })
     }
 
-    const workspaces = group.appliesToAllWorkspaces ? [] : await getGroupWorkspaces(id)
+    const workspaces = group.isDefault ? [] : await getGroupWorkspaces(id)
 
     return NextResponse.json({
       permissionGroup: {
@@ -117,44 +117,30 @@ export const PUT = withRouteHandler(
 
       // Demoting the org default with no new scope: it becomes a non-default
       // group with no workspaces (inert) until an admin re-scopes it. The client
-      // sends only `isDefault: false`, so this never forwards a workspace list
-      // (which a non-default group otherwise requires) against the per-group cap.
+      // sends only `isDefault: false`, so this never forwards a workspace list.
       const demotingDefaultToInert =
-        group.isDefault &&
-        updates.isDefault === false &&
-        updates.appliesToAllWorkspaces === undefined &&
-        updates.workspaceIds === undefined
-
-      // Resolve the target workspace scope. Setting the group as default forces
-      // all-workspaces; otherwise an explicit `appliesToAllWorkspaces` wins, and
-      // supplying `workspaceIds` alone implies a specific scope.
-      const scopeProvided =
-        demotingDefaultToInert ||
-        updates.appliesToAllWorkspaces !== undefined ||
-        updates.workspaceIds !== undefined ||
-        updates.isDefault === true
-
-      const resolvedAppliesToAll = demotingDefaultToInert
-        ? false
-        : updates.isDefault === true
-          ? true
-          : updates.appliesToAllWorkspaces !== undefined
-            ? updates.appliesToAllWorkspaces
-            : updates.workspaceIds !== undefined
-              ? false
-              : group.appliesToAllWorkspaces
+        group.isDefault && updates.isDefault === false && updates.workspaceIds === undefined
 
+      // "Org-wide" is definitionally `isDefault` (the default group), so the
+      // effective scope follows it: a default group targets no specific
+      // workspaces; a non-default group targets its `workspaceIds`.
       const effectiveIsDefault =
         updates.isDefault !== undefined ? updates.isDefault : group.isDefault
-      if (effectiveIsDefault && !resolvedAppliesToAll) {
-        return NextResponse.json(
-          { error: 'The default group must apply to all workspaces' },
-          { status: 400 }
-        )
-      }
-      if (!effectiveIsDefault && resolvedAppliesToAll) {
+
+      // Scope is rewritten when the group is promoted to default, demoted to
+      // inert, or handed an explicit workspace list.
+      const scopeProvided =
+        demotingDefaultToInert || updates.workspaceIds !== undefined || updates.isDefault === true
+
+      // The default group governs every workspace, so it can't also name specific
+      // ones. The contract rejects `isDefault: true` + workspaceIds, but a direct
+      // API caller can still send workspaceIds against a group that is already the
+      // default — reject rather than silently dropping them.
+      if (effectiveIsDefault && updates.workspaceIds !== undefined) {
         return NextResponse.json(
-          { error: 'Non-default groups must target specific workspaces' },
+          {
+            error: 'The default group governs all workspaces and cannot target specific workspaces',
+          },
           { status: 400 }
         )
       }
@@ -164,14 +150,11 @@ export const PUT = withRouteHandler(
       // ("keep current"), they're read under the lock instead (see below) so the
       // conflict check and the write share one consistent snapshot.
       let providedWorkspaceIds: string[] | null = null
-      if (!resolvedAppliesToAll && updates.workspaceIds !== undefined) {
+      if (!effectiveIsDefault && updates.workspaceIds !== undefined) {
+        // Zero workspaces is allowed on update: the group then governs nothing
+        // (the resolver inner-joins on the link table, so an empty group never
+        // matches any workspace). No "at least one" floor here.
         providedWorkspaceIds = Array.from(new Set(updates.workspaceIds))
-        if (providedWorkspaceIds.length === 0) {
-          return NextResponse.json(
-            { error: 'Select at least one workspace when the group targets specific workspaces' },
-            { status: 400 }
-          )
-        }
         const invalid = await findWorkspacesNotInOrganization(providedWorkspaceIds, organizationId)
         if (invalid.length > 0) {
           return NextResponse.json(
@@ -197,12 +180,12 @@ export const PUT = withRouteHandler(
         if (scopeProvided) {
           await acquirePermissionGroupOrgLock(tx, organizationId)
 
-          if (!resolvedAppliesToAll) {
+          if (!effectiveIsDefault) {
+            // May resolve to an empty list — a non-default group is allowed to
+            // target zero workspaces (governs nothing). The write below deletes
+            // the old links and inserts none.
             resolvedWorkspaceIds =
               providedWorkspaceIds ?? (await getGroupWorkspaces(id, tx)).map((ws) => ws.id)
-            if (resolvedWorkspaceIds.length === 0 && !demotingDefaultToInert) {
-              throw new Error('NO_WORKSPACES')
-            }
           }
 
           const members = await tx
@@ -225,7 +208,7 @@ export const PUT = withRouteHandler(
 
           // With no explicit members the group governs all members of its
           // workspaces; reject when another all-members group already does.
-          if (!resolvedAppliesToAll && members.length === 0) {
+          if (!effectiveIsDefault && members.length === 0) {
             const conflict = await findAllMembersWorkspaceConflict(
               { organizationId, excludeGroupId: id, workspaceIds: resolvedWorkspaceIds },
               tx
@@ -238,12 +221,12 @@ export const PUT = withRouteHandler(
         }
 
         if (updates.isDefault === true) {
-          // Demote the prior default to a non-default group. It must also drop
-          // the all-workspaces scope (only the default may be org-wide); it ends
-          // up with no workspaces (inert) until an admin re-scopes it.
+          // Demote the prior default to a non-default group (only the default may
+          // be org-wide); it ends up with no workspaces (inert) until an admin
+          // re-scopes it.
           await tx
             .update(permissionGroup)
-            .set({ isDefault: false, appliesToAllWorkspaces: false, updatedAt: now })
+            .set({ isDefault: false, updatedAt: now })
             .where(
               and(
                 eq(permissionGroup.organizationId, organizationId),
@@ -258,7 +241,6 @@ export const PUT = withRouteHandler(
             ...(updates.name !== undefined && { name: updates.name }),
             ...(updates.description !== undefined && { description: updates.description }),
             ...(updates.isDefault !== undefined && { isDefault: updates.isDefault }),
-            ...(scopeProvided && { appliesToAllWorkspaces: resolvedAppliesToAll }),
             config: newConfig,
             updatedAt: now,
           })
@@ -268,7 +250,7 @@ export const PUT = withRouteHandler(
           await tx
             .delete(permissionGroupWorkspace)
             .where(eq(permissionGroupWorkspace.permissionGroupId, id))
-          if (!resolvedAppliesToAll && resolvedWorkspaceIds.length > 0) {
+          if (!effectiveIsDefault && resolvedWorkspaceIds.length > 0) {
             await tx.insert(permissionGroupWorkspace).values(
               resolvedWorkspaceIds.map((workspaceId) => ({
                 id: generateId(),
@@ -288,7 +270,7 @@ export const PUT = withRouteHandler(
         .where(eq(permissionGroup.id, id))
         .limit(1)
 
-      const finalWorkspaceIds = updated.appliesToAllWorkspaces
+      const finalWorkspaceIds = updated.isDefault
         ? []
         : (await getGroupWorkspaces(id)).map((ws) => ws.id)
 
@@ -334,12 +316,6 @@ export const PUT = withRouteHandler(
           { status: 409 }
         )
       }
-      if (error instanceof Error && error.message === 'NO_WORKSPACES') {
-        return NextResponse.json(
-          { error: 'Select at least one workspace when the group targets specific workspaces' },
-          { status: 400 }
-        )
-      }
       if (getPostgresErrorCode(error) === '23505') {
         const constraint = getPostgresConstraintName(error)
         if (constraint === PERMISSION_GROUP_CONSTRAINTS.organizationName) {

apps/sim/app/api/organizations/[id]/permission-groups/route.ts

@@ -55,7 +55,6 @@ export const GET = withRouteHandler(
         createdAt: permissionGroup.createdAt,
         updatedAt: permissionGroup.updatedAt,
         isDefault: permissionGroup.isDefault,
-        appliesToAllWorkspaces: permissionGroup.appliesToAllWorkspaces,
         creatorName: user.name,
         creatorEmail: user.email,
       })
@@ -114,21 +113,20 @@ export const POST = withRouteHandler(
       const { name, description, config, isDefault } = parsed.data.body
 
       // Only the organization default group is org-wide; every other group
-      // targets specific workspaces (the contract rejects all-workspaces scope
-      // for non-default groups).
-      const appliesToAllWorkspaces = isDefault === true
-      const workspaceIds = appliesToAllWorkspaces
+      // targets specific workspaces. "Org-wide" is definitionally `isDefault`.
+      const isDefaultGroup = isDefault === true
+      const workspaceIds = isDefaultGroup
         ? []
         : Array.from(new Set(parsed.data.body.workspaceIds ?? []))
 
-      if (!appliesToAllWorkspaces && workspaceIds.length === 0) {
+      if (!isDefaultGroup && workspaceIds.length === 0) {
         return NextResponse.json(
           { error: 'Select at least one workspace when the group targets specific workspaces' },
           { status: 400 }
         )
       }
 
-      if (!appliesToAllWorkspaces) {
+      if (!isDefaultGroup) {
         const invalid = await findWorkspacesNotInOrganization(workspaceIds, organizationId)
         if (invalid.length > 0) {
           return NextResponse.json(
@@ -169,15 +167,14 @@ export const POST = withRouteHandler(
         createdAt: now,
         updatedAt: now,
         isDefault: isDefault || false,
-        appliesToAllWorkspaces,
       }
 
       await db.transaction(async (tx) => {
         await acquirePermissionGroupOrgLock(tx, organizationId)
 
         // A new non-default group has no members, so it governs all members of
         // its workspaces; reject when another all-members group already does.
-        if (!appliesToAllWorkspaces) {
+        if (!isDefaultGroup) {
           const conflict = await findAllMembersWorkspaceConflict(
             { organizationId, excludeGroupId: newGroup.id, workspaceIds },
             tx
@@ -189,12 +186,12 @@ export const POST = withRouteHandler(
         }
 
         if (isDefault) {
-          // Demote the prior default to a non-default group. It must also drop
-          // the all-workspaces scope (only the default may be org-wide); it ends
-          // up with no workspaces (inert) until an admin re-scopes it.
+          // Demote the prior default to a non-default group (only the default may
+          // be org-wide); it ends up with no workspaces (inert) until an admin
+          // re-scopes it.
           await tx
             .update(permissionGroup)
-            .set({ isDefault: false, appliesToAllWorkspaces: false, updatedAt: now })
+            .set({ isDefault: false, updatedAt: now })
             .where(
               and(
                 eq(permissionGroup.organizationId, organizationId),
@@ -220,7 +217,6 @@ export const POST = withRouteHandler(
         permissionGroupId: newGroup.id,
         organizationId,
         userId: session.user.id,
-        appliesToAllWorkspaces,
         workspaceCount: workspaceIds.length,
       })
 
@@ -236,7 +232,6 @@ export const POST = withRouteHandler(
         metadata: {
           organizationId,
           isDefault: isDefault || false,
-          appliesToAllWorkspaces,
           workspaceCount: workspaceIds.length,
         },
         request: req,

apps/sim/app/api/organizations/[id]/permission-groups/utils.ts

@@ -88,7 +88,6 @@ export async function loadGroupInOrganization(
       createdAt: permissionGroup.createdAt,
       updatedAt: permissionGroup.updatedAt,
       isDefault: permissionGroup.isDefault,
-      appliesToAllWorkspaces: permissionGroup.appliesToAllWorkspaces,
     })
     .from(permissionGroup)
     .where(and(eq(permissionGroup.id, groupId), eq(permissionGroup.organizationId, organizationId)))