Access Control
CodeCargo provides role-based access control at the organization and project levels, with team management for grouping users and personal access tokens (PATs) for API authentication.
Organization Access
Manage your organization's users and teams from Organization Settings → Access. The access page has two tabs: People and Teams.
People
The People tab lists all users in your CodeCargo organization. Each user has an organization-level role:
| Role | Description |
|---|---|
| Owner | Full organization access, all projects |
| Member | Basic organization membership |
Organization Owners with appropriate permissions can update user roles from the actions menu on each row.
Teams
Teams let you group organization members for easier project access management. Instead of granting access user by user, assign a team to a project and all team members receive the same role.
Click a team name to view its detail page, which lists all current members with their GitHub avatars and names.
GitHub Team Sync
Team membership in CodeCargo reflects your GitHub organization's team structure. Changes to GitHub team membership are synced automatically.
Project Access
Each project has its own Access page where you control who can view and manage project resources. Navigate to a project and click Access in the sidebar.
Project Roles
| Role | Description |
|---|---|
| Admin | Full access to project resources and settings |
| Editor | Can manage self-service workflows and project content |
| Viewer | Read-only access to project resources |
Granting Access
Click Grant to add a user or team to the project. Select whether you are adding a user or a team, choose the member, and assign a role.
Access Sources
Project access can come from multiple sources. The access list shows the origin of each entry:
| Source | Description | Editable? |
|---|---|---|
| Explicit | Manually granted in CodeCargo | Yes |
| Org Owner | User is an organization owner (automatic full access) | No |
| Org Default | Inherited from the organization-level default role | No |
| User Default | User's personal default project role | No |
| Team Default | Team's default project role | No |
| Repo Access | Granted via GitHub repository permissions | No |
Only Explicit access entries can be updated or removed. Non-explicit entries can be "upgraded" — granting explicit access replaces the implicit entry.
Organization Owners automatically have access to all projects and cannot be downgraded.
Personal Access Tokens
Personal Access Tokens (PATs) allow you to authenticate with the CodeCargo API programmatically. Manage your tokens from Profile → Personal Access Tokens.
Creating a Token
- Click Create Access Token
- Optionally set an expiration date — leave empty for a token that never expires
- Click Create
- Copy the token immediately — it will not be shown again
Token Status
| Status | Description |
|---|---|
| Active | Token is valid and can be used for API calls |
| Expired | Token has passed its expiration date |
| Never Used | Token has been created but never used |
Managing Tokens
From the actions menu on each token you can:
- Edit — update the expiration date
- Delete — permanently revoke the token (requires confirmation)
The token list shows each token's short ID, status, last used timestamp, and expiration date.
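A periodic review of the token list can be scripted once the columns are written down. The following is an added example, not CodeCargo code: the page documents no token-listing API, so the inventory is a hand-constructed sample, and the 90-day idle threshold is an assumed policy.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory, copied by hand from the token list columns
# (short ID, status, last used, expiration). IDs and dates are made up.
TOKENS = [
    {"id": "a1b2c3", "status": "Active",
     "last_used": "2025-05-30T09:12:00+00:00", "expires": "2025-09-01T00:00:00+00:00"},
    {"id": "d4e5f6", "status": "Active",
     "last_used": "2024-11-02T17:40:00+00:00", "expires": None},
    {"id": "0789ab", "status": "Never Used", "last_used": None, "expires": None},
    {"id": "cdef01", "status": "Expired",
     "last_used": "2025-01-15T08:00:00+00:00", "expires": "2025-02-01T00:00:00+00:00"},
]

MAX_IDLE = timedelta(days=90)  # assumed review policy, not a CodeCargo setting

# Remediation uses only the two actions the token menu offers: Edit and Delete.
ACTIONS = {
    "expired": "Delete: it has passed its expiration date",
    "no-expiry": "Edit: set an expiration date",
    "never-used": "Delete: it has never been used",
    "idle": "Delete, or confirm with the owner that it is still needed",
}

def review(tokens, now, max_idle=MAX_IDLE):
    """Return {short_id: [finding, ...]} for tokens that need attention."""
    findings = {}
    for tok in tokens:
        notes = []
        if tok["status"] == "Expired":
            notes.append("expired")
        else:
            if tok["expires"] is None:
                notes.append("no-expiry")
            if tok["status"] == "Never Used" or tok["last_used"] is None:
                notes.append("never-used")
            elif now - datetime.fromisoformat(tok["last_used"]) > max_idle:
                notes.append("idle")
        if notes:
            findings[tok["id"]] = notes
    return findings

if __name__ == "__main__":
    for short_id, notes in review(TOKENS, datetime.now(timezone.utc)).items():
        for note in notes:
            print(f"{short_id}: {note} -> {ACTIONS[note]}")
```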
GitHub Permissions Integration
CodeCargo's access model integrates with GitHub in several ways:
- Repository Access: Users who have access to a GitHub repository linked to a project automatically gain project access (shown as "Repo Access" source)
- Organization Owners: GitHub organization owners receive automatic full access to all CodeCargo projects
- Team Sync: CodeCargo team membership is synced from your GitHub organization's team structure
- Explicit Overrides: You can always grant explicit CodeCargo access that supplements or overrides GitHub-based permissions
Permission Hierarchy
Explicit CodeCargo permissions take precedence over GitHub-inherited permissions. When you explicitly grant access, the implicit entry is replaced. This lets you upgrade a user from Viewer (via Repo Access) to Editor or Admin as needed.
