Creative permissions and access

Last updated: May 19, 2026


Creative Hub access is governed by two independent layers, and both must allow an action before a user can interact with a file. Layer 1 is Wevion RBAC, enforced in creative-hub.helpers.ts, which controls in-app visibility: super_admin and owner see all teammates' folders; everyone else sees their own folder plus explicit shares. Layer 2 is Google Drive permissions, which control direct access from the Drive UI and are granted per email address, independently of Wevion roles. The audit log records actions on both layers. This page is the admin-facing summary; the mechanics are in ch-109.

Who is this for

Admins setting up team folder structures. Owners reviewing creative access for compliance. Anyone needing a single page to understand who can see what.

Permission matrix

Wevion in-app visibility

Role          What's visible in Creative Hub
super_admin   All teammates' folders + files (canViewTeam flag)
owner         All teammates' folders + files (canViewTeam flag)
admin         Own folder + explicitly shared team folders
manager       Own folder + explicitly shared team folders
mediabuyer    Own folder + explicitly shared team folders
finance       No Creative Hub access by default
viewer        Read-only on explicit shares

Enforced by getVisibleSessionIds(userId, teamId) in apps/backend/src/services/creative-hub/creative-hub.helpers.ts. File list / folder list endpoints filter by this list before responding.

Google Drive external sharing

Drive role   Permissions
writer       Read + edit (Wevion default for shares via ch-105)
reader       Read only (available via Drive UI; Wevion doesn't default to this)

Granted to specific emails via Drive permissions API. Independent of Wevion roles.

Action-by-action permissions

Action                        Required permission
View Creative Hub             mediabuyer+ AND Wevion RBAC visibility
Upload file                   mediabuyer+
Create folder                 mediabuyer+
Rename file/folder            Own file OR canEditAll role
Delete file/folder            Own file OR admin+
Move file/folder              Own file OR canEditAll role
Share externally (Drive)      mediabuyer+
Use in Campaign Creator       mediabuyer+ AND can view file
Generate AI content           mediabuyer+ AND credit balance > 0 AND not over team_credit_cap
View teammate's folder        super_admin / owner only (canViewTeam)
Set team credit cap           owner / super_admin
Configure Drive integration   super_admin / owner (env-level admin)
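The three matrices above read naturally as one decision function, and the point that trips people up (a Wevion role never grants Drive access) is easiest to see when both layers are evaluated side by side. The following is an added illustration, not Wevion's code: getVisibleSessionIds, the canViewTeam / canEditAll flags and the action rules are re-modelled from the tables on this page, while the record shapes, the role ranking used for "mediabuyer+" and "admin+", the assumption that canEditAll means admin and above, the one-folder-per-user session mapping and all sample data are assumptions made for the example.

```typescript
// Added illustration of the two-layer model on this page. NOT Wevion's code:
// getVisibleSessionIds and the action rules are re-modelled from the matrices;
// record shapes, role ranking, canEditAll membership and sample data are assumed.

type Role = "super_admin" | "owner" | "admin" | "manager" | "mediabuyer" | "finance" | "viewer";
type DriveRole = "writer" | "reader";
type Action = "view" | "upload" | "rename" | "move" | "delete" | "share_external";

interface User { id: string; teamId: string; role: Role; }
interface CreativeFile { id: string; ownerId: string; sessionId: string; }  // sessionId = owning user's folder
interface TeamShare { sessionId: string; withUserId: string; }              // explicit internal share (assumed shape)
interface DriveGrant { fileId: string; email: string; role: DriveRole; }    // Layer 2 grant (assumed shape)

// Assumed ranking, read off the order of the role table: finance and viewer sit below "mediabuyer+".
const RANK: Record<Role, number> = { finance: 0, viewer: 0, mediabuyer: 1, manager: 2, admin: 3, owner: 4, super_admin: 5 };
const atLeast = (r: Role, min: Role): boolean => RANK[r] >= RANK[min];
const canViewTeam = (r: Role): boolean => r === "super_admin" || r === "owner";
const canEditAll = (r: Role): boolean => atLeast(r, "admin");  // ASSUMPTION: the page does not list the canEditAll roles

// Session id of a user's own folder; one folder per user is assumed.
const sessionOf = (userId: string): string => `sess-${userId}`;

// Layer 1: which sessions (per-user folders) the caller may see at all.
function getVisibleSessionIds(user: User, team: User[], shares: TeamShare[]): string[] {
  if (user.role === "finance") return [];                                    // no Creative Hub access by default
  if (canViewTeam(user.role)) {                                               // super_admin / owner: every teammate
    return team.filter(u => u.teamId === user.teamId).map(u => sessionOf(u.id));
  }
  const shared = shares.filter(s => s.withUserId === user.id).map(s => s.sessionId);
  if (user.role === "viewer") return shared;                                  // read-only on explicit shares only
  const own = sessionOf(user.id);
  return [own, ...shared.filter(s => s !== own)];
}

// Layer 1 action check. Visibility is tested first: the list endpoints never return a
// file outside the visible sessions, so no action on such a file can succeed either.
function canDo(user: User, action: Action, file: CreativeFile, visible: string[]): boolean {
  if (!visible.includes(file.sessionId)) return false;
  const owns = file.ownerId === user.id;
  switch (action) {
    case "view":           return true;
    case "upload":
    case "share_external": return atLeast(user.role, "mediabuyer");
    case "rename":
    case "move":           return owns || canEditAll(user.role);
    case "delete":         return owns || atLeast(user.role, "admin");
    default:               return false;
  }
}

// Layer 2: Drive access is decided by Drive grants alone, never by the Wevion role.
function driveRoleFor(grants: DriveGrant[], fileId: string, email: string): DriveRole | null {
  const g = grants.find(x => x.fileId === fileId && x.email.toLowerCase() === email.toLowerCase());
  return g ? g.role : null;
}

// Constructed sample: a super_admin, a mediabuyer and a finance user on one team, one file
// owned by the mediabuyer, and a single Drive grant to an outside contractor.
function demo() {
  const sa: User = { id: "u-sa", teamId: "t1", role: "super_admin" };
  const mb: User = { id: "u-mb", teamId: "t1", role: "mediabuyer" };
  const fin: User = { id: "u-fin", teamId: "t1", role: "finance" };
  const team = [sa, mb, fin];
  const shares: TeamShare[] = [];
  const file: CreativeFile = { id: "f1", ownerId: mb.id, sessionId: sessionOf(mb.id) };
  const grants: DriveGrant[] = [{ fileId: "f1", email: "contractor@example.com", role: "writer" }];

  const saVisible = getVisibleSessionIds(sa, team, shares);
  const mbVisible = getVisibleSessionIds(mb, team, shares);
  return {
    saSeesTeammateFile: canDo(sa, "view", file, saVisible),          // canViewTeam
    saCanDeleteTeammateFile: canDo(sa, "delete", file, saVisible),   // admin+
    mbCanRenameOwn: canDo(mb, "rename", file, mbVisible),            // owns the file
    finVisibleCount: getVisibleSessionIds(fin, team, shares).length, // finance: nothing
    saDriveRole: driveRoleFor(grants, "f1", "sa@example.com"),       // null: Wevion visibility is not Drive access
    contractorDriveRole: driveRoleFor(grants, "f1", "contractor@example.com"),
  };
}
```

The last two fields of demo() are the caveat from the Limits section in executable form: the super_admin passes every Layer 1 check on the teammate's file and still gets no Drive role, while the contractor, who has no Wevion account at all, holds a writer grant.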

Audit log

Both layers write to audit_log:

Action                       Layer    Captured metadata
creative_view                Wevion   file_id, user_id
creative_team_folder_view    Wevion   viewed_session_id, by_user_id
creative_upload              Wevion   file_id, name, size, folder_id
creative_delete              Wevion   file_id, deleted_by
creative_share               Drive    file_id, shared_with_email, granted_by, role
creative_unshare             Drive    file_id, revoked_with_email, revoked_by
creative_generate            Wevion   job_id, provider, type, cost_cents

Query /api/v1/audit-logs?resource_type=creative* to see history.

Permission inheritance

Folders → contents

When you share a folder externally (Drive): all files inside inherit the share (Drive default cascade).

When you share a folder internally (Wevion team folder): subfolder visibility cascades.

Per-file overrides

To share an individual file (not the parent folder): use POST /api/v1/creative-hub/share/:fileId directly on the file. The file becomes accessible without cascading to siblings.

Common admin tasks

Onboard new mediabuyer

  1. Create user (via team-103 invite-member)

  2. Mediabuyer's ensureUserFolder() triggers on first upload (creates Drive root automatically)

  3. Optionally: share team brand-assets folder with new user

  4. Set credit cap if budget control needed

Offboard departing member

  1. Audit their Creative Hub folders: super_admin views via Members switcher

  2. Transfer or archive important files (move to team archive folder)

  3. Revoke their session (via team-101)

  4. Their files remain in Drive (owned by Service Account) — no data loss

  5. Audit external shares they granted: query audit_log?action=creative_share&user_id=...

Quarterly compliance audit

  1. List active Drive shares: audit_log?action=creative_share

  2. List active Drive shares NOT revoked: a share is still live if no later creative_unshare exists for the same file_id AND the same email (a revocation for a different email on the same file does not close it, and a share re-granted after a revocation is live again)

  3. Review with owners — revoke stale grants

  4. Check team_credit_cap usage trends — adjust caps if needed
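Both the offboarding step "audit external shares they granted" and audit step 2 above reduce to the same replay over the audit log: walk creative_share and creative_unshare events in time order and keep a grant open until a later revocation names the same file and the same email. The following is an added example, not Wevion code: the row shape follows the "Captured metadata" table on this page, but the column names (created_at, user_id, metadata) and every sample row are assumptions constructed for the example.

```typescript
// Added example for the offboarding and quarterly-audit steps. NOT Wevion code: the
// audit_log row shape follows the metadata table on this page, but created_at,
// user_id and metadata are assumed column names and all rows are constructed.

type ShareAction = "creative_share" | "creative_unshare";

interface AuditRow {
  action: ShareAction;
  created_at: string;               // ISO-8601 timestamp (assumed column name)
  user_id: string;                  // acting user (assumed column name)
  metadata: {
    file_id: string;
    shared_with_email?: string;     // present on creative_share
    revoked_with_email?: string;    // present on creative_unshare
    role?: "writer" | "reader";
    granted_by?: string;
    revoked_by?: string;
  };
}

interface OutstandingShare {
  file_id: string;
  email: string;
  role: "writer" | "reader";
  granted_by: string;
  granted_at: string;
}

// Replays share / unshare events in time order and keeps a grant open until a LATER
// creative_unshare names the same file_id AND the same email. Matching on file_id alone
// would wrongly close a grant to a second email on the same file, and ignoring order
// would hide a share that was re-granted after an earlier revocation.
function outstandingShares(log: AuditRow[], grantedBy?: string): OutstandingShare[] {
  const ordered = log.slice().sort((a, b) => Date.parse(a.created_at) - Date.parse(b.created_at));
  const open = new Map<string, OutstandingShare>();
  for (const row of ordered) {
    const m = row.metadata;
    if (row.action === "creative_share" && m.shared_with_email) {
      const email = m.shared_with_email.toLowerCase();
      open.set(`${m.file_id}|${email}`, {
        file_id: m.file_id,
        email,
        role: m.role ?? "writer",                 // writer is the Wevion default for shares
        granted_by: m.granted_by ?? row.user_id,
        granted_at: row.created_at,
      });
    } else if (row.action === "creative_unshare" && m.revoked_with_email) {
      open.delete(`${m.file_id}|${m.revoked_with_email.toLowerCase()}`);
    }
  }
  const all = Array.from(open.values());
  return grantedBy === undefined ? all : all.filter(s => s.granted_by === grantedBy);
}

// Constructed audit rows, deliberately not in time order. In time order they say:
//   f1 shared to ext@partner.com by u-mb, then revoked the next day;
//   f2 shared to ext@partner.com by u-mb (still open);
//   f1 shared AGAIN to ext@partner.com, now by u-admin as reader (open);
//   f2 shared to second@partner.com by u-admin (open; must not close the f2 grant to ext).
function sampleLog(): AuditRow[] {
  return [
    { action: "creative_share",   created_at: "2026-04-01T10:00:00Z", user_id: "u-mb",    metadata: { file_id: "f1", shared_with_email: "ext@partner.com", role: "writer", granted_by: "u-mb" } },
    { action: "creative_share",   created_at: "2026-04-10T09:00:00Z", user_id: "u-admin", metadata: { file_id: "f1", shared_with_email: "Ext@partner.com", role: "reader", granted_by: "u-admin" } },
    { action: "creative_unshare", created_at: "2026-04-02T08:00:00Z", user_id: "u-mb",    metadata: { file_id: "f1", revoked_with_email: "ext@partner.com", revoked_by: "u-mb" } },
    { action: "creative_share",   created_at: "2026-04-05T12:00:00Z", user_id: "u-mb",    metadata: { file_id: "f2", shared_with_email: "ext@partner.com", role: "writer", granted_by: "u-mb" } },
    { action: "creative_share",   created_at: "2026-04-12T15:00:00Z", user_id: "u-admin", metadata: { file_id: "f2", shared_with_email: "second@partner.com", role: "writer", granted_by: "u-admin" } },
  ];
}
```

Run outstandingShares(sampleLog()) for the quarterly list (three live grants) and outstandingShares(sampleLog(), "u-mb") for a departing member's list (only f2 to ext@partner.com, because their f1 grant was revoked and the current f1 grant was issued by u-admin). Emails are compared case-insensitively because Drive treats them that way and the audit rows record whatever the granting user typed.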

Investigate "who deleted this file?"

  1. audit_log?action=creative_delete&resource_id={file_id}

  2. Returns user_id who deleted + timestamp

  3. Soft delete in Wevion (deleted_at set) but hard delete on Drive — recovery limited to Drive's trash retention

Limits + caveats

  • Wevion RBAC doesn't grant Drive access: super_admin seeing a teammate's file in Wevion does NOT mean super_admin can open it in Drive UI. For Drive access: explicit Drive share required.

  • Drive permissions persist on file copy: if you copy a file with shares, copies inherit (Drive default).

  • Finance role excluded: by design; rarely overridden.

  • Service Account owns everything: file ownership cannot be transferred to a user. This is intentional (clean offboarding).

Common mistakes

  • Confusing Wevion visibility with Drive access: independent layers; read ch-109 carefully

  • Sharing externally instead of using team folder: for teammates, internal mechanism is cleaner

  • Forgetting to revoke departed member's external shares: data leak risk

  • Setting credit cap too high "to be safe": defeats purpose; set conservative + raise on demand

Related