Per-Environment Member Access
Quave ONE allows account admins to control which environments each member can see and interact with. This is useful for teams with many apps and environments where you want to limit what each member can access — for example, preventing a developer on one project from accidentally modifying environments belonging to another.
Enabling the Feature
- Go to your account Members page
- Under Access Control, toggle Enable per-environment member access
- The feature is now active for this account
Enabling this feature does not immediately restrict anyone. All existing members retain full access to every environment until an admin explicitly configures their access.
Disabling the feature does not erase saved restrictions. If you toggle it off, all members regain full access immediately. If you toggle it back on, the previous restrictions are restored automatically.
How It Works
- Full Access (default): Members can see and interact with all environments in the account. This is the default for all existing and newly invited members.
- Restricted Access: When an admin assigns specific environments to a member, that member can only see and interact with those environments. Apps that have no accessible environments are hidden entirely.
New Environments
When a member with restricted access creates a new environment, it is automatically added to their access list. Other restricted members will not see the new environment until an admin assigns it to them. Members with full access always see everything.
Managing Environment Access
- Go to your account Members page — each member row shows an Envs link with a hint like
(All)or(3)indicating their current access level - Click the Envs link next to a member's name
- In the modal:
- Toggle Full Access to grant unrestricted access to all environments
- Or uncheck Full Access and select individual environments grouped by app
- Click Save
Changes take effect immediately across the UI, API, CLI, and MCP tools.
Admins always see all environments in the access modal, even if their own access is restricted. This ensures admins can grant access to any environment when managing other members.
Access Enforcement
When this feature is enabled, environment-level access is enforced across all surfaces:
| Surface | Behavior |
|---|---|
| Dashboard | Only accessible apps and environments are shown |
| Direct URL | Navigating to a restricted environment's URL shows a "not found" page — no data is leaked |
| REST API | GET /apps and GET /app-envs return only accessible items; per-environment operations return 403 for restricted environments |
| MCP Tools | Filtered automatically since MCP tools use the REST API |
| CLI | Same filtering and permission checks as the REST API |
All environment-specific operations — deploys, config changes, scaling, logs, metrics, etc. — are gated by this access check.
Managing Access via API
You can also read and update member environment access programmatically:
- Read access:
GET /api/public/v1/member/env-access?accountId=...&membershipId=... - Update access:
PATCH /api/public/v1/member/env-accesswith body{ accountId, membershipId, allowedAppEnvIds }
Both endpoints require the Manage Members permission. Pass an empty array (or omit allowedAppEnvIds) to grant full access.
Roles Required
- Admin or members with Manage Members permission can enable the feature and configure access for other members
- The access configuration uses the same Members page where roles are managed
For a broader overview of roles and what each one grants, see User Roles.