improvement(permissions): added ability to auto-add new org members to existing permission group, disallow disabling of start block

waleedlatif1 · waleedlatif1 · commit 62aa4627cb0e · 2026-01-15T08:40:18.000-08:00
diff --git a/apps/sim/app/api/organizations/[id]/invitations/[invitationId]/route.ts b/apps/sim/app/api/organizations/[id]/invitations/[invitationId]/route.ts
@@ -4,6 +4,8 @@ import {
   invitation,
   member,
   organization,
+  permissionGroup,
+  permissionGroupMember,
   permissions,
   subscription as subscriptionTable,
   user,
@@ -17,6 +19,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getEmailSubject, renderInvitationEmail } from '@/components/emails'
 import { getSession } from '@/lib/auth'
+import { hasAccessControlAccess } from '@/lib/billing'
 import { requireStripeClient } from '@/lib/billing/stripe-client'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { sendEmail } from '@/lib/messaging/email/mailer'
@@ -382,6 +385,47 @@ export async function PUT(
           // Don't fail the whole invitation acceptance due to this
         }
 
+        // Auto-assign to permission group if one has autoAddNewMembers enabled
+        try {
+          const hasAccessControl = await hasAccessControlAccess(session.user.id)
+          if (hasAccessControl) {
+            const [autoAddGroup] = await tx
+              .select({ id: permissionGroup.id, name: permissionGroup.name })
+              .from(permissionGroup)
+              .where(
+                and(
+                  eq(permissionGroup.organizationId, organizationId),
+                  eq(permissionGroup.autoAddNewMembers, true)
+                )
+              )
+              .limit(1)
+
+            if (autoAddGroup) {
+              await tx.insert(permissionGroupMember).values({
+                id: randomUUID(),
+                permissionGroupId: autoAddGroup.id,
+                userId: session.user.id,
+                assignedBy: null,
+                assignedAt: new Date(),
+              })
+
+              logger.info('Auto-assigned new member to permission group', {
+                userId: session.user.id,
+                organizationId,
+                permissionGroupId: autoAddGroup.id,
+                permissionGroupName: autoAddGroup.name,
+              })
+            }
+          }
+        } catch (error) {
+          logger.error('Failed to auto-assign user to permission group', {
+            userId: session.user.id,
+            organizationId,
+            error,
+          })
+          // Don't fail the whole invitation acceptance due to this
+        }
+
         const linkedWorkspaceInvitations = await tx
           .select()
           .from(workspaceInvitation)
diff --git a/apps/sim/app/api/permission-groups/[id]/route.ts b/apps/sim/app/api/permission-groups/[id]/route.ts
@@ -31,6 +31,7 @@ const updateSchema = z.object({
   name: z.string().trim().min(1).max(100).optional(),
   description: z.string().max(500).nullable().optional(),
   config: configSchema.optional(),
+  autoAddNewMembers: z.boolean().optional(),
 })
 
 async function getPermissionGroupWithAccess(groupId: string, userId: string) {
@@ -44,6 +45,7 @@ async function getPermissionGroupWithAccess(groupId: string, userId: string) {
       createdBy: permissionGroup.createdBy,
       createdAt: permissionGroup.createdAt,
       updatedAt: permissionGroup.updatedAt,
+      autoAddNewMembers: permissionGroup.autoAddNewMembers,
     })
     .from(permissionGroup)
     .where(eq(permissionGroup.id, groupId))
@@ -140,11 +142,27 @@ export async function PUT(req: NextRequest, { params }: { params: Promise<{ id:
       ? { ...currentConfig, ...updates.config }
       : currentConfig
 
+    // If setting autoAddNewMembers to true, unset it on other groups in the org first
+    if (updates.autoAddNewMembers === true) {
+      await db
+        .update(permissionGroup)
+        .set({ autoAddNewMembers: false, updatedAt: new Date() })
+        .where(
+          and(
+            eq(permissionGroup.organizationId, result.group.organizationId),
+            eq(permissionGroup.autoAddNewMembers, true)
+          )
+        )
+    }
+
     await db
       .update(permissionGroup)
       .set({
         ...(updates.name !== undefined && { name: updates.name }),
         ...(updates.description !== undefined && { description: updates.description }),
+        ...(updates.autoAddNewMembers !== undefined && {
+          autoAddNewMembers: updates.autoAddNewMembers,
+        }),
         config: newConfig,
         updatedAt: new Date(),
       })
diff --git a/apps/sim/app/api/permission-groups/route.ts b/apps/sim/app/api/permission-groups/route.ts
@@ -33,6 +33,7 @@ const createSchema = z.object({
   name: z.string().trim().min(1).max(100),
   description: z.string().max(500).optional(),
   config: configSchema.optional(),
+  autoAddNewMembers: z.boolean().optional(),
 })
 
 export async function GET(req: Request) {
@@ -68,6 +69,7 @@ export async function GET(req: Request) {
       createdBy: permissionGroup.createdBy,
       createdAt: permissionGroup.createdAt,
       updatedAt: permissionGroup.updatedAt,
+      autoAddNewMembers: permissionGroup.autoAddNewMembers,
       creatorName: user.name,
       creatorEmail: user.email,
     })
@@ -111,7 +113,8 @@ export async function POST(req: Request) {
     }
 
     const body = await req.json()
-    const { organizationId, name, description, config } = createSchema.parse(body)
+    const { organizationId, name, description, config, autoAddNewMembers } =
+      createSchema.parse(body)
 
     const membership = await db
       .select({ id: member.id, role: member.role })
@@ -154,6 +157,19 @@ export async function POST(req: Request) {
       ...config,
     }
 
+    // If autoAddNewMembers is true, unset it on any existing groups first
+    if (autoAddNewMembers) {
+      await db
+        .update(permissionGroup)
+        .set({ autoAddNewMembers: false, updatedAt: new Date() })
+        .where(
+          and(
+            eq(permissionGroup.organizationId, organizationId),
+            eq(permissionGroup.autoAddNewMembers, true)
+          )
+        )
+    }
+
     const now = new Date()
     const newGroup = {
       id: crypto.randomUUID(),
@@ -164,6 +180,7 @@ export async function POST(req: Request) {
       createdBy: session.user.id,
       createdAt: now,
       updatedAt: now,
+      autoAddNewMembers: autoAddNewMembers || false,
     }
 
     await db.insert(permissionGroup).values(newGroup)
diff --git a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/access-control/access-control.tsx b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/access-control/access-control.tsx
@@ -268,6 +268,7 @@ export function AccessControl() {
   const [viewingGroup, setViewingGroup] = useState<PermissionGroup | null>(null)
   const [newGroupName, setNewGroupName] = useState('')
   const [newGroupDescription, setNewGroupDescription] = useState('')
+  const [newGroupAutoAdd, setNewGroupAutoAdd] = useState(false)
   const [createError, setCreateError] = useState<string | null>(null)
   const [deletingGroup, setDeletingGroup] = useState<{ id: string; name: string } | null>(null)
   const [deletingGroupIds, setDeletingGroupIds] = useState<Set<string>>(new Set())
@@ -417,14 +418,16 @@ export function AccessControl() {
     if (!newGroupName.trim() || !activeOrganization?.id) return
     setCreateError(null)
     try {
-      const result = await createPermissionGroup.mutateAsync({
+      await createPermissionGroup.mutateAsync({
         organizationId: activeOrganization.id,
         name: newGroupName.trim(),
         description: newGroupDescription.trim() || undefined,
+        autoAddNewMembers: newGroupAutoAdd,
       })
       setShowCreateModal(false)
       setNewGroupName('')
       setNewGroupDescription('')
+      setNewGroupAutoAdd(false)
     } catch (error) {
       logger.error('Failed to create permission group', error)
       if (error instanceof Error) {
@@ -433,12 +436,19 @@ export function AccessControl() {
         setCreateError('Failed to create permission group')
       }
     }
-  }, [newGroupName, newGroupDescription, activeOrganization?.id, createPermissionGroup])
+  }, [
+    newGroupName,
+    newGroupDescription,
+    newGroupAutoAdd,
+    activeOrganization?.id,
+    createPermissionGroup,
+  ])
 
   const handleCloseCreateModal = useCallback(() => {
     setShowCreateModal(false)
     setNewGroupName('')
     setNewGroupDescription('')
+    setNewGroupAutoAdd(false)
     setCreateError(null)
   }, [])
 
@@ -533,6 +543,23 @@ export function AccessControl() {
     }
   }, [viewingGroup, selectedMemberIds, bulkAddMembers])
 
+  const handleToggleAutoAdd = useCallback(
+    async (enabled: boolean) => {
+      if (!viewingGroup || !activeOrganization?.id) return
+      try {
+        await updatePermissionGroup.mutateAsync({
+          id: viewingGroup.id,
+          organizationId: activeOrganization.id,
+          autoAddNewMembers: enabled,
+        })
+        setViewingGroup((prev) => (prev ? { ...prev, autoAddNewMembers: enabled } : null))
+      } catch (error) {
+        logger.error('Failed to toggle auto-add', error)
+      }
+    },
+    [viewingGroup, activeOrganization?.id, updatePermissionGroup]
+  )
+
   const toggleIntegration = useCallback(
     (blockType: string) => {
       if (!editingConfig) return
@@ -630,6 +657,22 @@ export function AccessControl() {
             )}
           </div>
 
+          <div className='flex items-center justify-between rounded-[8px] border border-[var(--border)] px-[12px] py-[10px]'>
+            <div className='flex flex-col gap-[2px]'>
+              <span className='font-medium text-[13px] text-[var(--text-primary)]'>
+                Auto-add new members
+              </span>
+              <span className='text-[12px] text-[var(--text-muted)]'>
+                Automatically add new organization members to this group
+              </span>
+            </div>
+            <Checkbox
+              checked={viewingGroup.autoAddNewMembers}
+              onCheckedChange={(checked) => handleToggleAutoAdd(checked === true)}
+              disabled={updatePermissionGroup.isPending}
+            />
+          </div>
+
           <div className='min-h-0 flex-1 overflow-y-auto'>
             <div className='flex flex-col gap-[16px]'>
               <div className='flex items-center justify-between'>
@@ -814,7 +857,13 @@ export function AccessControl() {
                             editingConfig?.allowedIntegrations === null ||
                             editingConfig?.allowedIntegrations?.length === allBlocks.length
                           setEditingConfig((prev) =>
-                            prev ? { ...prev, allowedIntegrations: allAllowed ? [] : null } : prev
+                            prev
+                              ? {
+                                  ...prev,
+                                  // When deselecting all, keep start_trigger allowed (it should never be disabled)
+                                  allowedIntegrations: allAllowed ? ['start_trigger'] : null,
+                                }
+                              : prev
                           )
                         }}
                       >
@@ -1058,7 +1107,14 @@ export function AccessControl() {
               {filteredGroups.map((group) => (
                 <div key={group.id} className='flex items-center justify-between'>
                   <div className='flex flex-col'>
-                    <span className='font-medium text-[14px]'>{group.name}</span>
+                    <div className='flex items-center gap-[8px]'>
+                      <span className='font-medium text-[14px]'>{group.name}</span>
+                      {group.autoAddNewMembers && (
+                        <span className='rounded-[4px] bg-[var(--surface-3)] px-[6px] py-[2px] text-[10px] text-[var(--text-muted)]'>
+                          Auto-enrolls
+                        </span>
+                      )}
+                    </div>
                     <span className='text-[13px] text-[var(--text-muted)]'>
                       {group.memberCount} member{group.memberCount !== 1 ? 's' : ''}
                     </span>
@@ -1106,6 +1162,16 @@ export function AccessControl() {
                   placeholder='e.g., Limited access for marketing users'
                 />
               </div>
+              <div className='flex items-center gap-[8px]'>
+                <Checkbox
+                  id='auto-add-members'
+                  checked={newGroupAutoAdd}
+                  onCheckedChange={(checked) => setNewGroupAutoAdd(checked === true)}
+                />
+                <Label htmlFor='auto-add-members' className='cursor-pointer font-normal'>
+                  Auto-add new organization members
+                </Label>
+              </div>
               {createError && <p className='text-[12px] text-[var(--text-error)]'>{createError}</p>}
             </div>
           </ModalBody>
diff --git a/apps/sim/hooks/queries/permission-groups.ts b/apps/sim/hooks/queries/permission-groups.ts
@@ -13,6 +13,7 @@ export interface PermissionGroup {
   creatorName: string | null
   creatorEmail: string | null
   memberCount: number
+  autoAddNewMembers: boolean
 }
 
 export interface PermissionGroupMember {
@@ -111,6 +112,7 @@ export interface CreatePermissionGroupData {
   name: string
   description?: string
   config?: Partial<PermissionGroupConfig>
+  autoAddNewMembers?: boolean
 }
 
 export function useCreatePermissionGroup() {
@@ -143,6 +145,7 @@ export interface UpdatePermissionGroupData {
   name?: string
   description?: string | null
   config?: Partial<PermissionGroupConfig>
+  autoAddNewMembers?: boolean
 }
 
 export function useUpdatePermissionGroup() {
diff --git a/apps/sim/hooks/use-permission-config.ts b/apps/sim/hooks/use-permission-config.ts
@@ -35,6 +35,8 @@ export function usePermissionConfig(): PermissionConfigResult {
 
   const isBlockAllowed = useMemo(() => {
     return (blockType: string) => {
+      // start_trigger should always be allowed (it should never be disabled)
+      if (blockType === 'start_trigger') return true
       if (config.allowedIntegrations === null) return true
       return config.allowedIntegrations.includes(blockType)
     }
@@ -50,7 +52,11 @@ export function usePermissionConfig(): PermissionConfigResult {
   const filterBlocks = useMemo(() => {
     return <T extends { type: string }>(blocks: T[]): T[] => {
       if (config.allowedIntegrations === null) return blocks
-      return blocks.filter((block) => config.allowedIntegrations!.includes(block.type))
+      // start_trigger should always be included (it should never be disabled)
+      return blocks.filter(
+        (block) =>
+          block.type === 'start_trigger' || config.allowedIntegrations!.includes(block.type)
+      )
     }
   }, [config.allowedIntegrations])
 
diff --git a/packages/db/schema.ts b/packages/db/schema.ts
@@ -2078,6 +2078,7 @@ export const permissionGroup = pgTable(
       .references(() => user.id, { onDelete: 'cascade' }),
     createdAt: timestamp('created_at').notNull().defaultNow(),
     updatedAt: timestamp('updated_at').notNull().defaultNow(),
+    autoAddNewMembers: boolean('auto_add_new_members').notNull().default(false),
   },
   (table) => ({
     organizationIdIdx: index('permission_group_organization_id_idx').on(table.organizationId),
@@ -2086,6 +2087,9 @@ export const permissionGroup = pgTable(
       table.organizationId,
       table.name
     ),
+    autoAddNewMembersUnique: uniqueIndex('permission_group_org_auto_add_unique')
+      .on(table.organizationId)
+      .where(sql`auto_add_new_members = true`),
   })
 )
 

Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,7 @@ export interface PermissionGroup {`
`13`	`13`	`creatorName: string \| null`
`14`	`14`	`creatorEmail: string \| null`
`15`	`15`	`memberCount: number`
	`16`	`+ autoAddNewMembers: boolean`
`16`	`17`	`}`
`17`	`18`
`18`	`19`	`export interface PermissionGroupMember {`
`@@ -111,6 +112,7 @@ export interface CreatePermissionGroupData {`
`111`	`112`	`name: string`
`112`	`113`	`description?: string`
`113`	`114`	`config?: Partial<PermissionGroupConfig>`
	`115`	`+ autoAddNewMembers?: boolean`
`114`	`116`	`}`
`115`	`117`
`116`	`118`	`export function useCreatePermissionGroup() {`
`@@ -143,6 +145,7 @@ export interface UpdatePermissionGroupData {`
`143`	`145`	`name?: string`
`144`	`146`	`description?: string \| null`
`145`	`147`	`config?: Partial<PermissionGroupConfig>`
	`148`	`+ autoAddNewMembers?: boolean`
`146`	`149`	`}`
`147`	`150`
`148`	`151`	`export function useUpdatePermissionGroup() {`