Creative permissions and access

Two layers: Wevion RBAC (in-app visibility via getVisibleSessionIds — super_admin/admin all, owner self+team, others own) + Drive permissions (external folder sharing). No creative_* audit actions.

Written By Salvatore Sinigaglia

Creative Hub access is governed by two independent layers. Layer 1: Wevion RBAC via creative-hub.helpers.ts controls in-app visibility — super_admin / admin see all users, owner sees self + their team, every other role sees only their own. Layer 2: Google Drive permissions control external direct access via the Drive UI (folder-level writer share). Note: Creative Hub actions are not written to the Wevion audit log. This is the admin-facing summary; mechanics in ch-109.

Who is this for

Admins setting up team folder structures. Owners reviewing creative access for compliance. Anyone needing a single page to understand who can see what.

Permission matrix

Wevion in-app visibility

Role          What's visible in Creative Hub
------------  ----------------------------------------
super_admin   All users' folders + files
admin         All users' folders + files
owner         Own folder + their team members' folders
manager       Own folder only
mediabuyer    Own folder only
finance       Own folder only
viewer        Own folder only

Enforced by getVisibleSessionIds(db, callerId, callerRole) in apps/backend/src/services/creative-hub/creative-hub.helpers.ts. Listing endpoints filter by this list before responding. There is no canViewTeam flag — the role decides visibility directly.
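The following TypeScript is an added illustration, not Wevion's own code, of the role rule the helper enforces. Where getVisibleSessionIds takes a db handle, this version works on an in-memory user list; the visibleUserIds, listFiles and canUseInCampaign names, the teamId field, and the sample users and files are all assumptions made for the example.

```typescript
// Added example, not Wevion's code: an in-memory model of the visibility rule.
// Assumptions: users carry a teamId, and the caller's role comes from the
// authenticated session (never from the request body), as it would when a
// handler calls getVisibleSessionIds(db, callerId, callerRole).
type Role =
  | "super_admin" | "admin" | "owner" | "manager"
  | "mediabuyer" | "finance" | "viewer";

interface UserRecord { id: string; role: Role; teamId: string | null }
interface CreativeFile { id: string; ownerId: string; name: string }

// Constructed sample data (two teams plus a super_admin).
const USERS: UserRecord[] = [
  { id: "u-sa", role: "super_admin", teamId: null },
  { id: "u-owner-a", role: "owner", teamId: "team-a" },
  { id: "u-mb-a1", role: "mediabuyer", teamId: "team-a" },
  { id: "u-mb-a2", role: "mediabuyer", teamId: "team-a" },
  { id: "u-owner-b", role: "owner", teamId: "team-b" },
  { id: "u-fin-b", role: "finance", teamId: "team-b" },
];

const FILES: CreativeFile[] = [
  { id: "f1", ownerId: "u-mb-a1", name: "hero-v1.png" },
  { id: "f2", ownerId: "u-mb-a2", name: "hero-v2.png" },
  { id: "f3", ownerId: "u-fin-b", name: "q3-banner.png" },
  { id: "f4", ownerId: "u-sa", name: "brand-kit.zip" },
];

// IDs of the users whose Creative Hub folders the caller may see.
// The role alone decides; there is no canViewTeam flag to consult.
function visibleUserIds(users: UserRecord[], callerId: string, callerRole: Role): Set<string> {
  switch (callerRole) {
    case "super_admin":
    case "admin":
      return new Set(users.map((u) => u.id));
    case "owner": {
      const teamId = users.find((u) => u.id === callerId)?.teamId ?? null;
      const ids = users
        .filter((u) => u.id === callerId || (teamId !== null && u.teamId === teamId))
        .map((u) => u.id);
      return new Set(ids);
    }
    default:
      // manager, mediabuyer, finance, viewer: own folder only
      return new Set([callerId]);
  }
}

// A listing endpoint filters by the visible set before responding, so a
// caller outside the set never learns that another user's files exist.
function listFiles(files: CreativeFile[], users: UserRecord[], callerId: string, callerRole: Role): CreativeFile[] {
  const visible = visibleUserIds(users, callerId, callerRole);
  return files.filter((f) => visible.has(f.ownerId));
}

// "Use in Campaign Creator" is gated on "can view file": deny by default,
// including for file ids that do not exist (no existence oracle). The
// separate "mediabuyer+" tier check from the action table is not modelled here.
function canUseInCampaign(fileId: string, files: CreativeFile[], users: UserRecord[], callerId: string, callerRole: Role): boolean {
  const file = files.find((f) => f.id === fileId);
  if (!file) return false;
  return visibleUserIds(users, callerId, callerRole).has(file.ownerId);
}
```

The point worth keeping from the model: the role argument must come from the authenticated session, not from anything the client sends, because a caller who could choose callerRole would simply pick super_admin; and a per-file check that returns false for unknown ids avoids leaking which ids exist.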

Google Drive external sharing

Drive role  Permissions
----------  --------------------------------------------------------------------
writer      Read + edit (Wevion default for shares via ch-105)
reader      Read only (available via Drive UI; Wevion doesn't default to this)

Granted to specific emails via Drive permissions API. Independent of Wevion roles.

Action-by-action permissions

Action                        Required permission
----------------------------  ---------------------------------------------------------------
View Creative Hub             mediabuyer+ AND Wevion RBAC visibility
Upload file                   mediabuyer+
Create folder                 mediabuyer+
Rename file/folder            on files you can see
Delete file/folder            on files you can see (moves to Drive trash)
Move file/folder              on files you can see
Share externally (Drive)      mediabuyer+ (shares your whole folder)
Use in Campaign Creator       mediabuyer+ AND can view file
Generate AI content           mediabuyer+ (charged only when the creative_billing flag is ON)
View another user's folder    super_admin / admin (all) or owner (their team)
Set team credit cap           owner / super_admin
Configure Drive integration   super_admin / owner (env-level admin)

Audit log

Creative Hub actions are not written to the Wevion audit log — there are no creative_* audit actions in the code (no creative_view, creative_upload, creative_delete, creative_share, creative_generate, etc.), and there is no creative_hub_file table to attach them to. To see who currently has external access to a user's folder, use GET /api/v1/creative-hub/shared-emails. The general audit log lives at /api/v1/audit-log and covers non-Creative-Hub lifecycle events.

Permission inheritance

Folders → contents

When you share externally (Drive), you grant access to the user's whole Creative Hub folder and everything inside it (Drive default cascade) — there is no per-file share.

Wevion in-app visibility follows the role rules above (super_admin / admin all, owner self+team, others own); it isn't a per-folder toggle.

No per-file share

There is no per-file share. The share flow (POST /api/v1/creative-hub/share, body { email }) grants writer on your entire folder. To share only a subset, keep those assets in a separate account/folder or share them directly from Google Drive.

Common admin tasks

Onboard new mediabuyer

  1. Create user (via team-103 invite-member)
  2. Mediabuyer's ensureUserFolder() triggers on first upload (creates Drive root automatically)
  3. Optionally: share team brand-assets folder with new user
  4. Set credit cap if budget control needed

Offboard departing member

  1. Audit their Creative Hub folders: super_admin / admin (all) or owner (their team) views via the Members switcher
  2. Transfer or archive important files (move to a team archive folder)
  3. Revoke their session (via team-101)
  4. Their files remain in Drive (owned by Service Account) — no data loss
  5. Review external shares they granted via GET /api/v1/creative-hub/shared-emails

Periodic compliance review

  1. List active external Drive grants via GET /api/v1/creative-hub/shared-emails
  2. Review with owners — revoke stale grants (POST /api/v1/creative-hub/unshare)
  3. Check team_credit_cap usage trends — adjust caps if needed
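Steps 1 and 2 of the review above (list current grants, revoke the stale ones) can be scripted. The TypeScript below is an added example, not Wevion's code. It assumes that GET /api/v1/creative-hub/shared-emails returns { emails: string[] } for the folder under review and that POST /api/v1/creative-hub/unshare takes { email }, mirroring the documented share body; the transport is injected so the logic runs offline and can be dry-run before anything is revoked.

```typescript
// Added example, not Wevion's code. Assumptions: GET /api/v1/creative-hub/shared-emails
// returns { emails: string[] } for the folder under review, and
// POST /api/v1/creative-hub/unshare takes { email } like the documented share body.
// Transport is injected so the review logic runs offline and can be dry-run.
interface HttpRequest { method: "GET" | "POST"; path: string; body?: unknown }
type Sender = (req: HttpRequest) => Promise<unknown>;

function normalizeEmail(email: string): string {
  return email.trim().toLowerCase();
}

// Grants present on the folder but not on the approved list for it.
// Comparison is case-insensitive and duplicate entries collapse to one.
function findStaleGrants(currentGrants: string[], approved: string[]): string[] {
  const approvedSet = new Set(approved.map(normalizeEmail));
  const stale: string[] = [];
  const seen = new Set<string>();
  for (const raw of currentGrants) {
    const email = normalizeEmail(raw);
    if (seen.has(email)) continue;
    seen.add(email);
    if (!approvedSet.has(email)) stale.push(email);
  }
  return stale;
}

// The unshare calls a reviewer would issue for the stale set (dry-run output).
function planRevocations(stale: string[]): HttpRequest[] {
  return stale.map((email): HttpRequest => ({
    method: "POST",
    path: "/api/v1/creative-hub/unshare",
    body: { email },
  }));
}

// Full review: read grants, compute the stale set, revoke only when asked.
async function reviewExternalShares(
  send: Sender,
  approved: string[],
  revoke: boolean,
): Promise<{ current: string[]; stale: string[]; revoked: string[] }> {
  const resp = (await send({ method: "GET", path: "/api/v1/creative-hub/shared-emails" })) as { emails?: unknown };
  const current = Array.isArray(resp.emails) ? resp.emails.filter((e): e is string => typeof e === "string") : [];
  const stale = findStaleGrants(current, approved);
  const revoked: string[] = [];
  if (revoke) {
    for (const req of planRevocations(stale)) {
      await send(req);
      revoked.push((req.body as { email: string }).email);
    }
  }
  return { current, stale, revoked };
}

// Constructed in-memory transport standing in for fetch() against the API.
function makeFakeSender(initialGrants: string[], log: HttpRequest[]): Sender {
  let grants = [...initialGrants];
  return async (req) => {
    log.push(req);
    if (req.method === "GET" && req.path === "/api/v1/creative-hub/shared-emails") {
      return { emails: grants };
    }
    if (req.method === "POST" && req.path === "/api/v1/creative-hub/unshare") {
      const { email } = req.body as { email: string };
      grants = grants.filter((g) => normalizeEmail(g) !== email);
      return { ok: true };
    }
    throw new Error(`unexpected request: ${req.method} ${req.path}`);
  };
}

// Constructed sample: one approved agency contact (with a case-variant
// duplicate) and one stale grant left behind by a departed contractor.
const SAMPLE_GRANTS = ["Agency.Lead@agency.example", "agency.lead@agency.example", "contractor@gone.example"];
const APPROVED = ["agency.lead@agency.example"];
```

Run it with revoke set to false first and review the stale list with the folder's owner, since a folder-level writer grant that is wrongly removed takes a collaborator's access to every file in the folder at once; only then re-run with revoke set to true.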

"Who deleted this file?"

There is no creative_delete audit action, so Wevion cannot attribute a deletion. Deletes move the item to Google Drive trash (trashed: true), so recovery is via Drive's trash within its retention window — check Drive directly.

Limits + caveats

  • Wevion RBAC doesn't grant Drive access: a super_admin/admin seeing another user's file in Wevion does NOT mean they can open it in the Drive UI. For Drive access an explicit Drive share is required.
  • Non-privileged roles see only their own folder: manager, mediabuyer, finance, and viewer see only their own Creative Hub folder (owner adds their team; super_admin/admin see all).
  • External share is folder-level: sharing grants access to the user's whole folder, not a single file.
  • Service Account owns everything: file ownership cannot be transferred to a user. This is intentional (clean offboarding).

Common mistakes

  • Confusing Wevion visibility with Drive access: independent layers; read ch-109 carefully
  • Sharing externally instead of using team folder: for teammates, internal mechanism is cleaner
  • Forgetting to revoke departed member's external shares: data leak risk
  • Setting credit cap too high "to be safe": defeats purpose; set conservative + raise on demand

FAQ

Who can see teammates' files in Wevion's Creative Hub?

super_admin and admin can see every user's folders and files in Wevion's Creative Hub; an owner sees their own plus their team members'; every other role (manager, mediabuyer, finance, viewer) sees only their own folder. Visibility is enforced by getVisibleSessionIds(db, callerId, callerRole), which filters listing endpoints before responding. There is no canViewTeam flag.

Does Wevion in-app visibility give someone access to the file in Google Drive?

No — the two layers are independent, so a super_admin or admin seeing another user's file in Wevion does not mean they can open it in the Drive UI. Wevion RBAC controls in-app visibility, while Google Drive permissions control external direct access. To grant Drive access you must create an explicit Drive share (folder-level, writer) to a specific email.

What happens to a departing member's Creative Hub files when I offboard them?

Their files remain in Drive with no data loss, because the Service Account owns everything and ownership cannot be transferred to a user. Before revoking their session, audit their folders via the Members switcher (as super_admin/admin/owner), transfer or archive important files, and review external shares they granted via GET /api/v1/creative-hub/shared-emails so you can revoke stale grants.

Are Creative Hub actions recorded for compliance?

No — Creative Hub actions are not written to the Wevion audit log. There are no creative_* audit actions in the code (no creative_view, creative_upload, creative_delete, creative_share, creative_generate) and no creative_hub_file table. For external access, GET /api/v1/creative-hub/shared-emails shows the current grants; AI generations are recorded as rows in the creative_job table.

What can the finance role do in Creative Hub?

The finance role sees only its own Creative Hub folder — like manager, mediabuyer, and viewer, it has no cross-user visibility. Only super_admin/admin see all users, and owner sees their team. So finance can use its own folder but can't browse others' creatives unless a folder is explicitly shared with it via Drive.

Last updated: 2026-05-17