Team Access Denied Playbook
Who this is for
Org owners and admins helping a team member who cannot access certain features, or a team member who is unexpectedly getting "Access Denied" or "Forbidden" errors.
Role Summary
CloudAIPilot has three roles within an organization:
| Role | Can do |
|---|---|
| Owner | All actions, including billing, delete org, add/remove members, all admin actions |
| Admin | All operational actions: provision servers, create sites/apps, manage backups, modify cloud accounts |
| Member | Read-only: view servers, view sites, view apps, view backups, view monitoring |
If a team member cannot perform an action, it is likely because they have a member role when they need admin.
Step 1 — Identify the Access Error
Common FORBIDDEN error situations:
| Action | Minimum role required |
|---|---|
| View servers/sites/apps | Member |
| Create a backup | Member |
| Restore a backup | Admin |
| Delete a backup | Admin |
| Provision a server | Admin |
| Create/edit a site or app | Admin |
| Manage backup schedules | Admin |
| Add/remove cloud accounts | Admin |
| Add/remove team members | Owner |
| Delete the organization | Owner |
Step 2 — Check the Team Member's Role
- Go to Settings → Team.
- Find the team member.
- Check their current role (Member / Admin / Owner).
Step 3 — Update the Role (Owner Required)
Only the Owner can change roles.
- Go to Settings → Team.
- Click the Edit icon next to the team member.
- Change their role to Admin if they need operational access.
- Click Save.
Step 4 — Re-test Access
Ask the team member to:
- Log out of CloudAIPilot.
- Log back in.
- Retry the action.
Role changes take effect immediately but the frontend may cache the old role until the session is refreshed.
Common Access Issues
| Symptom | Likely cause | Fix |
|---|---|---|
| "Not authorized" on backup restore | User is a Member, not Admin | Promote to Admin |
| Cannot see the FinOps section | FinOps may be a higher-role or premium feature | Check feature availability for the org's plan |
| Team member cannot see org at all | They were removed from the org | Re-invite them via Settings → Team |
| Org shows but all data is blank | Session token expired or org switch not applied | Log out and log back in |
| Member can see servers but not create | Member role is correct behavior — read-only | Promote to Admin if creation is needed |
Related Articles
- KB-09-01: Invite Members and Role Basics
- KB-09-02: Current Role Model and Practical Governance
- KB-09-04: Access Troubleshooting for Team Members