From eddfcc491aee33e62bbe4060ab2d7f0797009bd6 Mon Sep 17 00:00:00 2001
From: Nik Richers <nik@validmind.ai>
Date: Tue, 10 Feb 2026 12:27:13 -0800
Subject: [PATCH 1/4] Regenerate permissions documentation from backend source

- Add scripts/generate_permissions_docs.py to generate permissions tables
  from backend source files (data.json and org_initials.json)
- Replace hardcoded permissions tables with auto-generated content
- Add 18 previously missing resources (Attestation, Analytics, etc.)
- Add missing permissions (workflow execution, delete comments, etc.)
- Document model-level permissions with correct roles:
  - Model Owner, Model Developer, Model Validator, Basic User
- Apply UI terminology mapping (Finding -> Artifact)
- Add role descriptions for both org-level and model-level roles
- Restructure page to explain two-level permission system
---
 scripts/generate_permissions_docs.py          | 348 ++++++++++++++++++
 .../configuration/_permissions-generated.qmd  | 337 +++++++++++++++++
 .../configuration/manage-permissions.qmd      | 193 +---------
 3 files changed, 696 insertions(+), 182 deletions(-)
 create mode 100644 scripts/generate_permissions_docs.py
 create mode 100644 site/guide/configuration/_permissions-generated.qmd

diff --git a/scripts/generate_permissions_docs.py b/scripts/generate_permissions_docs.py
new file mode 100644
index 0000000000..9e9484fdaa
--- /dev/null
+++ b/scripts/generate_permissions_docs.py
@@ -0,0 +1,348 @@
+#!/usr/bin/env python3
+"""
+Generate permissions documentation from backend source files.
+
+This script reads the permission definitions from the backend repository
+and generates Quarto markdown tables for the documentation.
+
+Source files:
+- backend/src/backend/templates/platform_resources/data.json
+- backend/src/backend/templates/platform_resources/org_initials.json
+
+Usage:
+    python scripts/generate_permissions_docs.py
+
+Output:
+    site/guide/configuration/_permissions-generated.qmd
+"""
+
+import json
+import os
+import re
+from pathlib import Path
+from typing import Any
+
+# Paths relative to documentation repo root
+SCRIPT_DIR = Path(__file__).parent
+REPO_ROOT = SCRIPT_DIR.parent
+BACKEND_ROOT = REPO_ROOT.parent / "backend"
+
+DATA_JSON = BACKEND_ROOT / "src/backend/templates/platform_resources/data.json"
+ROLES_JSON = BACKEND_ROOT / "src/backend/templates/platform_resources/org_initials.json"
+OUTPUT_FILE = REPO_ROOT / "site/guide/configuration/_permissions-generated.qmd"
+
+# UI terminology mapping (Finding -> Artifact)
+TERMINOLOGY_MAP = {
+    "Finding": "Artifact",
+    "finding": "artifact",
+}
+
+
+def format_action_name(action_id: str, action_name: str | None = None) -> str:
+    """Format action ID into human-readable name."""
+    # Use provided name if available
+    if action_name:
+        name = action_name
+    else:
+        name = action_id
+    
+    # Remove common prefixes
+    for prefix in ["read_", "create_", "update_", "delete_", "add_", "manage_"]:
+        if name.startswith(prefix):
+            name = name[len(prefix):]
+            break
+    
+    # Replace underscores with spaces
+    name = name.replace("_", " ")
+    
+    # Capitalize first letter of each word
+    name = " ".join(word.capitalize() for word in name.split())
+    
+    # Apply terminology mapping
+    for old, new in TERMINOLOGY_MAP.items():
+        name = name.replace(old, new)
+    
+    return name
+
+
+def format_resource_name(name: str) -> str:
+    """Format resource name for display."""
+    # Apply terminology mapping
+    for old, new in TERMINOLOGY_MAP.items():
+        name = name.replace(old, new)
+    return name
+
+
+def get_action_display_name(action: dict) -> str:
+    """Get display name for an action."""
+    action_id = action.get("id", "")
+    action_name = action.get("name", "")
+    description = action.get("description", "")
+    
+    # Build display name from action name or ID
+    if action_name and action_name not in ["read", "create", "update", "delete", "add"]:
+        display = action_name.replace("_", " ").title()
+    else:
+        # Use action_id but format it nicely
+        display = action_id.replace("_", " ").title()
+    
+    # Apply terminology mapping
+    for old, new in TERMINOLOGY_MAP.items():
+        display = display.replace(old, new)
+    
+    return display
+
+
+def checkbox(checked: bool) -> str:
+    """Return HTML checkbox markup."""
+    if checked:
+        return '<input type="checkbox" disabled checked />'
+    return '<input type="checkbox" disabled />'
+
+
+def load_json(path: Path) -> Any:
+    """Load JSON file."""
+    with open(path, "r") as f:
+        return json.load(f)
+
+
+def get_role_permissions(roles_data: dict) -> dict:
+    """Extract permissions for each role."""
+    defaults = roles_data.get("defaults", {})
+    all_roles_perms = set(defaults.get("all_roles", []))
+    model_scope_perms = set(defaults.get("model_scope_roles", []))
+    
+    role_perms = {}
+    for role_name, role_data in roles_data.get("roles", {}).items():
+        if role_name in ["Staff"]:  # Skip internal roles
+            continue
+        perms = set(role_data.get("permissions", []))
+        scope = role_data.get("scope", "Organization")
+        is_basic = role_data.get("is_basic_role", False)
+        
+        # Add default permissions
+        if scope == "Organization":
+            perms = perms.union(all_roles_perms)
+        elif scope == "Model":
+            perms = perms.union(model_scope_perms).union(all_roles_perms)
+        
+        role_perms[role_name] = {
+            "permissions": perms,
+            "scope": scope,
+            "is_basic": is_basic,
+        }
+    
+    return role_perms
+
+
+def has_permission(role_perms: dict, role_name: str, action_id: str) -> bool:
+    """Check if a role has a specific permission."""
+    if role_name not in role_perms:
+        return False
+    
+    perms = role_perms[role_name]["permissions"]
+    
+    # Direct match
+    if action_id in perms:
+        return True
+    
+    # Wildcard match (e.g., read_cf_* matches read_cf_anything)
+    for perm in perms:
+        if perm.endswith("*"):
+            prefix = perm[:-1]
+            if action_id.startswith(prefix):
+                return True
+    
+    # Customer Admin has all permissions
+    if role_name == "Customer Admin":
+        return True
+    
+    return False
+
+
+def generate_org_permissions_table(
+    resources: list, role_perms: dict, org_roles: list
+) -> str:
+    """Generate markdown table for organization-level permissions."""
+    lines = []
+    
+    for resource in resources:
+        resource_id = resource.get("id", "")
+        resource_name = format_resource_name(resource.get("name", resource_id))
+        parent_id = resource.get("parent_id")
+        actions = resource.get("actions", [])
+        
+        # Skip if no actions or if model-scoped
+        if not actions or parent_id == "Model":
+            continue
+        
+        # Skip internal resources
+        if resource_id.startswith("dt_") or resource_id in ["WorkflowStatus"]:
+            continue
+        
+        lines.append(f"\n#### {resource_name}\n")
+        
+        # Build header
+        header = "| Permission |"
+        sep = "|---|"
+        for role in org_roles:
+            header += f" {role} |"
+            sep += ":---:|"
+        lines.append(header)
+        lines.append(sep)
+        
+        # Build rows
+        for action in actions:
+            action_id = action.get("id", "")
+            is_visible = action.get("is_visible", True)
+            if not is_visible:
+                continue
+            
+            display_name = get_action_display_name(action)
+            row = f"| {display_name} |"
+            
+            for role in org_roles:
+                checked = has_permission(role_perms, role, action_id)
+                row += f" {checkbox(checked)} |"
+            
+            lines.append(row)
+        
+        lines.append(f': **{resource_name}** permissions {{.hover tbl-colwidths="[40,20,20,20]"}}')
+    
+    return "\n".join(lines)
+
+
+def generate_model_permissions_table(
+    resources: list, role_perms: dict, model_roles: list
+) -> str:
+    """Generate markdown table for model-level permissions."""
+    lines = []
+    
+    for resource in resources:
+        resource_id = resource.get("id", "")
+        resource_name = format_resource_name(resource.get("name", resource_id))
+        parent_id = resource.get("parent_id")
+        actions = resource.get("actions", [])
+        
+        # Only include model-scoped resources
+        if parent_id != "Model" or not actions:
+            continue
+        
+        # Skip dt_ resources (document types) - internal
+        if resource_id.startswith("dt_"):
+            continue
+        
+        lines.append(f"\n#### {resource_name}\n")
+        
+        # Build header
+        header = "| Permission |"
+        sep = "|---|"
+        for role in model_roles:
+            header += f" {role} |"
+            sep += ":---:|"
+        lines.append(header)
+        lines.append(sep)
+        
+        # Build rows
+        for action in actions:
+            action_id = action.get("id", "")
+            is_visible = action.get("is_visible", True)
+            if not is_visible:
+                continue
+            
+            display_name = get_action_display_name(action)
+            row = f"| {display_name} |"
+            
+            for role in model_roles:
+                checked = has_permission(role_perms, role, action_id)
+                row += f" {checkbox(checked)} |"
+            
+            lines.append(row)
+        
+        lines.append(f': **{resource_name}** permissions {{.hover tbl-colwidths="[28,18,18,18,18]"}}')
+    
+    return "\n".join(lines)
+
+
+def main():
+    """Generate permissions documentation."""
+    print(f"Loading {DATA_JSON}")
+    resources = load_json(DATA_JSON)
+    
+    print(f"Loading {ROLES_JSON}")
+    roles_data = load_json(ROLES_JSON)
+    role_perms = get_role_permissions(roles_data)
+    
+    # Define role groups
+    org_roles = ["Customer Admin", "Developer", "Validator"]
+    model_roles = ["Model Owner", "Model Developer", "Model Validator", "Basic User"]
+    
+    # Generate output
+    output = []
+    
+    output.append("""<!---
+This file is auto-generated by scripts/generate_permissions_docs.py
+Do not edit directly. Re-run the script to update.
+
+Source files:
+- backend/src/backend/templates/platform_resources/data.json
+- backend/src/backend/templates/platform_resources/org_initials.json
+--->
+
+## Organization-level permissions
+
+Organization-level permissions apply to all users in your organization based on their assigned role. These permissions control access to platform-wide settings and configurations.
+
+::: {.callout-note}
+The [{{< fa hand >}} Customer Admin]{.bubble} role has full access to all organization-level permissions and cannot be modified.
+:::
+""")
+    
+    output.append(generate_org_permissions_table(resources, role_perms, org_roles))
+    
+    output.append("""
+
+## Model-level permissions
+
+Model-level permissions control what users can do within the context of a specific model. Users are assigned model-level roles when they are added as stakeholders to a model.
+
+::: {.callout-tip}
+Model-level permissions are additive to organization-level permissions. A user with the Validator role at the organization level who is also assigned as Model Validator on a specific model will have both sets of permissions for that model.
+:::
+""")
+    
+    output.append(generate_model_permissions_table(resources, role_perms, model_roles))
+    
+    output.append("""
+
+## Role descriptions
+
+### Organization-level roles
+
+| Role | Description |
+|------|-------------|
+| Customer Admin | Full administrative access to the organization. Can manage users, roles, and all settings. |
+| Validator | Can create and manage models, templates, guidelines, and perform validation activities. |
+| Developer | Can create models and view organization settings. Limited administrative access. |
+| Basic User | Minimal permissions. Can only access models they are explicitly added to as stakeholders. |
+
+### Model-level roles
+
+| Role | Description |
+|------|-------------|
+| Model Owner | Full control over a specific model including deletion and stakeholder management. |
+| Model Developer | Can edit model documentation and monitoring. |
+| Model Validator | Can perform validation activities, add findings, and edit validation reports. |
+: Role descriptions {.hover}
+""")
+    
+    # Write output
+    OUTPUT_FILE.parent.mkdir(parents=True, exist_ok=True)
+    with open(OUTPUT_FILE, "w") as f:
+        f.write("\n".join(output))
+    
+    print(f"Generated {OUTPUT_FILE}")
+
+
+if __name__ == "__main__":
+    main()
diff --git a/site/guide/configuration/_permissions-generated.qmd b/site/guide/configuration/_permissions-generated.qmd
new file mode 100644
index 0000000000..f635280b56
--- /dev/null
+++ b/site/guide/configuration/_permissions-generated.qmd
@@ -0,0 +1,337 @@
+<!---
+This file is auto-generated by scripts/generate_permissions_docs.py
+Do not edit directly. Re-run the script to update.
+
+Source files:
+- backend/src/backend/templates/platform_resources/data.json
+- backend/src/backend/templates/platform_resources/org_initials.json
+--->
+
+## Organization-level permissions
+
+Organization-level permissions apply to all users in your organization based on their assigned role. These permissions control access to platform-wide settings and configurations.
+
+::: {.callout-note}
+The [{{< fa hand >}} Customer Admin]{.bubble} role has full access to all organization-level permissions and cannot be modified.
+:::
+
+
+#### Model
+
+| Permission | Customer Admin | Developer | Validator |
+|---|:---:|:---:|:---:|
+| Log Tracking | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+| Update Model | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+| Create Model | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> |
+| Delete Model | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+| Download Vr | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+| Read Model | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> |
+| Download Doc | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+: **Model** permissions {.hover tbl-colwidths="[40,20,20,20]"}
+
+#### Role
+
+| Permission | Customer Admin | Developer | Validator |
+|---|:---:|:---:|:---:|
+| Delete Role | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+| Create Role | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+| Read Role | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+| Update Role | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+: **Role** permissions {.hover tbl-colwidths="[40,20,20,20]"}
+
+#### Group
+
+| Permission | Customer Admin | Developer | Validator |
+|---|:---:|:---:|:---:|
+| Create Group | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+| Read Group | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> |
+| Update Group | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+| Delete Group | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+: **Group** permissions {.hover tbl-colwidths="[40,20,20,20]"}
+
+#### User
+
+| Permission | Customer Admin | Developer | Validator |
+|---|:---:|:---:|:---:|
+| Create User | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+| Update User | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+| Read User | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+| Delete User | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+: **User** permissions {.hover tbl-colwidths="[40,20,20,20]"}
+
+#### Organization
+
+| Permission | Customer Admin | Developer | Validator |
+|---|:---:|:---:|:---:|
+| Invite User | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+| Create Organization | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+| Read Organization | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> |
+| Update Organization | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+| Delete Organization | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+: **Organization** permissions {.hover tbl-colwidths="[40,20,20,20]"}
+
+#### Template
+
+| Permission | Customer Admin | Developer | Validator |
+|---|:---:|:---:|:---:|
+| Update Template | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> |
+| Duplicate | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> |
+| Read Template | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> |
+| Create Template | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+| Delete Template | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+: **Template** permissions {.hover tbl-colwidths="[40,20,20,20]"}
+
+#### Workflow
+
+| Permission | Customer Admin | Developer | Validator |
+|---|:---:|:---:|:---:|
+| Create Workflow | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+| Read Workflow | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> |
+| Update Workflow | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+| Delete Workflow | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+| Execution-Read | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> |
+| Execution-Manage | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> |
+: **Workflow** permissions {.hover tbl-colwidths="[40,20,20,20]"}
+
+#### Document Type
+
+| Permission | Customer Admin | Developer | Validator |
+|---|:---:|:---:|:---:|
+| Create Document Type | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+| Read Document Type | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> |
+| Update Document Type | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+| Delete Document Type | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+: **Document Type** permissions {.hover tbl-colwidths="[40,20,20,20]"}
+
+#### Artifact Types
+
+| Permission | Customer Admin | Developer | Validator |
+|---|:---:|:---:|:---:|
+| Manage Artifact Types | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> |
+: **Artifact Types** permissions {.hover tbl-colwidths="[40,20,20,20]"}
+
+#### Artifact Severity
+
+| Permission | Customer Admin | Developer | Validator |
+|---|:---:|:---:|:---:|
+| Read Artifact Severity | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> |
+| Manage | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+: **Artifact Severity** permissions {.hover tbl-colwidths="[40,20,20,20]"}
+
+#### Attestation
+
+| Permission | Customer Admin | Developer | Validator |
+|---|:---:|:---:|:---:|
+| Add Attestation | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+| Read Attestation | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> |
+| Update Attestation | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+| Delete Attestation | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+: **Attestation** permissions {.hover tbl-colwidths="[40,20,20,20]"}
+
+#### Analytics
+
+| Permission | Customer Admin | Developer | Validator |
+|---|:---:|:---:|:---:|
+| Read Analytics | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> |
+| Update Analytics | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> |
+: **Analytics** permissions {.hover tbl-colwidths="[40,20,20,20]"}
+
+#### Inventory Model Schema
+
+| Permission | Customer Admin | Developer | Validator |
+|---|:---:|:---:|:---:|
+| Read Inventory Schema | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> |
+| Update Inventory Schema | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> |
+: **Inventory Model Schema** permissions {.hover tbl-colwidths="[40,20,20,20]"}
+
+#### Artifact Schema
+
+| Permission | Customer Admin | Developer | Validator |
+|---|:---:|:---:|:---:|
+| Read Artifact Schema | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> |
+| Update Artifact Schema | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> |
+: **Artifact Schema** permissions {.hover tbl-colwidths="[40,20,20,20]"}
+
+#### Use Case
+
+| Permission | Customer Admin | Developer | Validator |
+|---|:---:|:---:|:---:|
+| Read Use Case | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> |
+| Add Use Case | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> |
+| Update Use Case | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> |
+| Delete Use Case | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> |
+: **Use Case** permissions {.hover tbl-colwidths="[40,20,20,20]"}
+
+#### Risk Area
+
+| Permission | Customer Admin | Developer | Validator |
+|---|:---:|:---:|:---:|
+| Read Risk Area | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> |
+| Update Risk Area | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> |
+| Delete Risk Area | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> |
+| Add Risk Area | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> |
+: **Risk Area** permissions {.hover tbl-colwidths="[40,20,20,20]"}
+
+#### Business Unit
+
+| Permission | Customer Admin | Developer | Validator |
+|---|:---:|:---:|:---:|
+| Add Business Unit | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> |
+| Read Business Unit | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> |
+| Update Business Unit | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> |
+| Delete Business Unit | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> |
+: **Business Unit** permissions {.hover tbl-colwidths="[40,20,20,20]"}
+
+#### Guideline Assessment Option
+
+| Permission | Customer Admin | Developer | Validator |
+|---|:---:|:---:|:---:|
+| Add Assessment Option | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> |
+| Read Assessment Option | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> |
+| Update Assessment Option | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> |
+| Delete Assessment Option | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> |
+: **Guideline Assessment Option** permissions {.hover tbl-colwidths="[40,20,20,20]"}
+
+#### Guidelines
+
+| Permission | Customer Admin | Developer | Validator |
+|---|:---:|:---:|:---:|
+| Add Guideline | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> |
+| Read Guideline | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> |
+| Update Guideline | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> |
+| Delete Guideline | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> |
+: **Guidelines** permissions {.hover tbl-colwidths="[40,20,20,20]"}
+
+#### Status
+
+| Permission | Customer Admin | Developer | Validator |
+|---|:---:|:---:|:---:|
+| Add Status | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> |
+| Read Status | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> |
+| Update Status | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> |
+| Delete Status | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> |
+: **Status** permissions {.hover tbl-colwidths="[40,20,20,20]"}
+
+#### BlockLibrary
+
+| Permission | Customer Admin | Developer | Validator |
+|---|:---:|:---:|:---:|
+| Manage Shared Block Library | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> |
+: **BlockLibrary** permissions {.hover tbl-colwidths="[40,20,20,20]"}
+
+#### ValidChecker Question
+
+| Permission | Customer Admin | Developer | Validator |
+|---|:---:|:---:|:---:|
+| Read Validchecker Question | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> |
+| Manage | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+: **ValidChecker Question** permissions {.hover tbl-colwidths="[40,20,20,20]"}
+
+#### ValidChecker Assessment Version
+
+| Permission | Customer Admin | Developer | Validator |
+|---|:---:|:---:|:---:|
+| Read Validchecker Assessment Version | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> |
+| Manage | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+: **ValidChecker Assessment Version** permissions {.hover tbl-colwidths="[40,20,20,20]"}
+
+#### Regulation
+
+| Permission | Customer Admin | Developer | Validator |
+|---|:---:|:---:|:---:|
+| Read Regulation | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> |
+| Manage | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+: **Regulation** permissions {.hover tbl-colwidths="[40,20,20,20]"}
+
+#### Primary Record Type
+
+| Permission | Customer Admin | Developer | Validator |
+|---|:---:|:---:|:---:|
+| Read Primary Record Type | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+| Manage | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+: **Primary Record Type** permissions {.hover tbl-colwidths="[40,20,20,20]"}
+
+
+## Model-level permissions
+
+Model-level permissions control what users can do within the context of a specific model. Users are assigned model-level roles when they are added as stakeholders to a model.
+
+::: {.callout-tip}
+Model-level permissions are additive to organization-level permissions. A user with the Validator role at the organization level who is also assigned as Model Validator on a specific model will have both sets of permissions for that model.
+:::
+
+
+#### Model Artifact Remediation Plan
+
+| Permission | Model Owner | Model Developer | Model Validator | Basic User |
+|---|:---:|:---:|:---:|:---:|
+| Update Artifact Remediation Plan | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> |
+: **Model Artifact Remediation Plan** permissions {.hover tbl-colwidths="[28,18,18,18,18]"}
+
+#### Inventory Model User
+
+| Permission | Model Owner | Model Developer | Model Validator | Basic User |
+|---|:---:|:---:|:---:|:---:|
+| Add Model User | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> |
+| Delete Model User | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> |
+: **Inventory Model User** permissions {.hover tbl-colwidths="[28,18,18,18,18]"}
+
+#### Model Validation Report
+
+| Permission | Model Owner | Model Developer | Model Validator | Basic User |
+|---|:---:|:---:|:---:|:---:|
+| Delete Comment | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> |
+| Read Vr | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> |
+| Assess Guideline | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> |
+| Add Block | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> |
+| Remove Block | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> |
+| Update Vr | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> |
+| Add Comment | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> |
+| Swap Template | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> |
+: **Model Validation Report** permissions {.hover tbl-colwidths="[28,18,18,18,18]"}
+
+#### Model Documentation
+
+| Permission | Model Owner | Model Developer | Model Validator | Basic User |
+|---|:---:|:---:|:---:|:---:|
+| Delete Comment | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+| Read Doc | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> |
+| Add Block | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+| Remove Block | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+| Update Doc | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+| Add Comment | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> |
+| Swap Template | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
+: **Model Documentation** permissions {.hover tbl-colwidths="[28,18,18,18,18]"}
+
+#### Model Artifacts
+
+| Permission | Model Owner | Model Developer | Model Validator | Basic User |
+|---|:---:|:---:|:---:|:---:|
+| Manage Attachments | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> |
+| Add Artifact | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> |
+| Update Artifact | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> |
+| Delete Artifact | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> |
+| Add Comment | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> |
+| Read Artifact | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> |
+: **Model Artifacts** permissions {.hover tbl-colwidths="[28,18,18,18,18]"}
+
+
+## Role descriptions
+
+### Organization-level roles
+
+| Role | Description |
+|------|-------------|
+| Customer Admin | Full administrative access to the organization. Can manage users, roles, and all settings. |
+| Validator | Can create and manage models, templates, guidelines, and perform validation activities. |
+| Developer | Can create models and view organization settings. Limited administrative access. |
+| Basic User | Minimal permissions. Can only access models they are explicitly added to as stakeholders. |
+
+### Model-level roles
+
+| Role | Description |
+|------|-------------|
+| Model Owner | Full control over a specific model including deletion and stakeholder management. |
+| Model Developer | Can edit model documentation and monitoring. |
+| Model Validator | Can perform validation activities, add findings, and edit validation reports. |
+: Role descriptions {.hover}
diff --git a/site/guide/configuration/manage-permissions.qmd b/site/guide/configuration/manage-permissions.qmd
index 9b8ba585fb..489ff1f9d9 100644
--- a/site/guide/configuration/manage-permissions.qmd
+++ b/site/guide/configuration/manage-permissions.qmd
@@ -11,6 +11,11 @@ aliases:
 
 Permissions dictate user access controls within the {{< var validmind.platform >}}, and are associated with specific roles. Assign granular permissions to roles according to your organization's custom requirements.
 
+{{< var vm.product >}} uses a two-level permission system:
+
+- **Organization-level permissions** control access to platform-wide settings and are assigned through organization roles (Customer Admin, Developer, Validator, Basic User).
+- **Model-level permissions** control what users can do within specific models and are assigned when users are added as stakeholders to a model (Model Owner, Model Developer, Model Validator).
+
 ::: {.attn}
 
 ## Prerequisites
@@ -29,191 +34,15 @@ Please note that the [{{< fa hand >}} Customer Admin]{.bubble} role has the high
 
 {{< include _manage-permissions.qmd >}}
 
-### Default permissions
-
-The following tables outline the default roles and stock permissions provided by {{< var vm.product >}}:  
-
-#### Workflow
-
-| Permission | Customer Admin | Developer | Validator |
-|---|:---:|:---:|:---:|
-| Create Workflow | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
-| Read Workflow | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked />  |
-| Delete Workflow | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled />  |
-| Update Workflow | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled />  |
-: **Workflow** permissions {.hover tbl-colwidths="[40,20,20,20]"}
-
-#### Role
-
-| Permission | Customer Admin | Developer | Validator |
-|---|:---:|:---:|:---:|
-| Create Role | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
-| Update Role | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
-| Delete Role | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
-| Read Role | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
-: **Role** permissions {.hover tbl-colwidths="[40,20,20,20]"}
-
-#### Model
-
-| Permission | Customer Admin | Developer | Validator |
-|---|:---:|:---:|:---:|
-| Log Tracking | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> |
-| Update Model | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> |
-| Download VR | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> |
-| Delete Model | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
-| Download Doc | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> |
-| Read Model | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked />| <input type="checkbox" disabled checked /> |
-| Create Model | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> |
-: **Model** permissions {.hover tbl-colwidths="[40,20,20,20]"}
-
-#### Severity
-
-| Permission | Customer Admin | Developer | Validator |
-|---|:---:|:---:|:---:|
-| Read Severity | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
-: **Severity** permissions {.hover tbl-colwidths="[40,20,20,20]"}
-
-#### Assessment Option
-
-| Permission | Customer Admin | Developer | Validator |
-|---|:---:|:---:|:---:|
-| Read Assessment Option | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
-| Add Assessment Option | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
-| Delete Assessment Option | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
-| Update Assessment Option | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
-: **Assessment Option** permissions {.hover tbl-colwidths="[40,20,20,20]"}
-
-#### Guideline
-
-| Permission | Customer Admin | Developer | Validator |
-|---|:---:|:---:|:---:|
-| Read Guideline | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
-| Add Guideline | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
-| Delete Guideline | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
-| Update Guideline | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
-: **Guideline** permissions {.hover tbl-colwidths="[40,20,20,20]"}
-
-#### Business Unit
-
-| Permission | Customer Admin | Developer | Validator |
-|---|:---:|:---:|:---:|
-| Read Business Unit | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> |
-| Add Business Unit | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> |
-| Update Business Unit | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> |
-| Delete Business Unit | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> |
-: **Business Unit** permissions {.hover tbl-colwidths="[40,20,20,20]"}
-
-#### Status
-
-| Permission | Customer Admin | Developer | Validator |
-|---|:---:|:---:|:---:|
-| Read Status | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> |
-| Add Status | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> |
-| Update Status | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> |
-| Delete Status | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> |
-: **Status** permissions {.hover tbl-colwidths="[40,20,20,20]"}
-
-#### Group
-
-| Permission | Customer Admin | Developer | Validator |
-|---|:---:|:---:|:---:|
-| Create Group | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
-| Read Group | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> |
-| Update Group | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
-| Delete Group | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
-: **Group** permissions {.hover tbl-colwidths="[40,20,20,20]"}
-
-#### Use Case
-
-| Permission | Customer Admin | Developer | Validator |
-|---|:---:|:---:|:---:|
-| Read Use Case | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> |
-| Add Use Case | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> |
-| Update Use Case | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> |
-| Delete Use Case | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> |
-: **Use Case** permissions {.hover tbl-colwidths="[40,20,20,20]"}
-
-#### Risk Area
-
-| Permission | Customer Admin | Developer | Validator |
-|---|:---:|:---:|:---:|
-| Read Risk Area | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> |
-| Update Risk Area | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> |
-| Delete Risk Area | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> |
-| Add Risk Area | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> |
-: **Risk Area** permissions {.hover tbl-colwidths="[40,20,20,20]"}
-
-#### Template
-
-| Permission | Customer Admin | Developer | Validator |
-|---|:---:|:---:|:---:|
-| Duplicate Template | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> |
-| Update Template | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> |
-| Read Template | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> |
-| Create Template | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
-| Delete Template | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
-: **Template** permissions {.hover tbl-colwidths="[40,20,20,20]"}
-
-#### User
-
-| Permission | Customer Admin | Developer | Validator |
-|---|:---:|:---:|:---:|
-| Create User | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
-| Update User | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
-| Delete User | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
-| Read User | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
-: **User** permissions {.hover tbl-colwidths="[40,20,20,20]"}
-
-#### Organization
-
-| Permission | Customer Admin | Developer | Validator |
-|---|:---:|:---:|:---:|
-| Read Organization | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> |
-| Update Organization | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled />  |
-| Invite User Organization | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
-| Create Organization | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled />  |
-| Delete Organization | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> |<input type="checkbox" disabled />  |
-: **Organization** permissions {.hover tbl-colwidths="[40,20,20,20]"}
-
-#### Validation Report
-
-| Permission | Customer Admin | Developer | Validator |
-|---|:---:|:---:|:---:|
-| Add Block VR | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked />  |
-| Remove Block VR | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked />  |
-| Update VR | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked />  |
-| Add Comment VR | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked />  |
-| Swap Template VR | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
-| Read VR | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked />  | <input type="checkbox" disabled checked />  |
-| Assess Guideline | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
-: **Validation Report** permissions {.hover tbl-colwidths="[40,20,20,20]"}
-
-#### Documentation
-
-| Permission | Customer Admin | Developer | Validator |
-|---|:---:|:---:|:---:|
-| Add Block Doc | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> |
-| Remove Block Doc | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> |
-| Update Doc | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> |
-| Add Comment Doc | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> |
-| Swap Template Doc | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> |
-| Read Doc | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> |
-: **Documentation** permissions {.hover tbl-colwidths="[40,20,20,20]"}
-
-#### Artifact
-
-| Permission | Customer Admin | Developer | Validator |
-|---|:---:|:---:|:---:|
-| Delete Artifact | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
-| Add Artifact | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> |
-| Add Artifact Comment | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled checked /> |
-| Update Artifact | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled checked /> |
-| Read Artifact | <input type="checkbox" disabled checked /> | <input type="checkbox" disabled /> | <input type="checkbox" disabled /> |
-: **Artifact** permissions {.hover tbl-colwidths="[40,20,20,20]"}
+## Default permissions
+
+The following tables outline the default roles and permissions provided by {{< var vm.product >}}.
+
+{{< include _permissions-generated.qmd >}}
 
 
 <!-- FOOTNOTES -->
 
 [^1]: [Manage roles](manage-roles.qmd)
 
-[^2]: [Default permissions](#default-permissions)
\ No newline at end of file
+[^2]: [Default permissions](#default-permissions)

From a931aab2f5c40923838e97eb568657f3acfed12a Mon Sep 17 00:00:00 2001
From: Nik Richers <nik@validmind.ai>
Date: Tue, 10 Feb 2026 12:30:42 -0800
Subject: [PATCH 2/4] Add documentation for generate_permissions_docs.py script

---
 README.md | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/README.md b/README.md
index f87db708af..427c8a3e46 100644
--- a/README.md
+++ b/README.md
@@ -213,6 +213,26 @@ After you pull in the changes, commit them to this repo as part of the release n
 > [!TIP]
 > **Want to author new code samples?** Refer to our [Jupyter Notebook template Quickstart](https://github.com/validmind/validmind-library/tree/main/notebooks/templates)!
 
+### Permissions documentation
+
+The permissions tables in `site/guide/configuration/manage-permissions.qmd` are auto-generated from the backend source files. To regenerate:
+
+```bash
+python scripts/generate_permissions_docs.py
+```
+
+**Requirements:**
+- The `backend` repo must be cloned at `../backend/` relative to this repo
+- Python 3.9+
+
+The script reads from:
+- `backend/src/backend/templates/platform_resources/data.json` — resource and action definitions
+- `backend/src/backend/templates/platform_resources/org_initials.json` — role permission assignments
+
+Output: `site/guide/configuration/_permissions-generated.qmd`
+
+Run this script when backend permission definitions change to keep documentation in sync.
+
 <!-- September 16, 2024: Need to mention rendered Python `.html` docs and generated `.md` test descriptions -->
 
 ## Local development with Kind

From c3b52b8937cd6b83ca8e2eee7f9c9d2c97ee7631 Mon Sep 17 00:00:00 2001
From: Nik Richers <nik@validmind.ai>
Date: Tue, 10 Feb 2026 12:31:59 -0800
Subject: [PATCH 3/4] Add comment pointing to script and README for permissions
 generation

---
 site/guide/configuration/manage-permissions.qmd | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/site/guide/configuration/manage-permissions.qmd b/site/guide/configuration/manage-permissions.qmd
index 489ff1f9d9..3bfa4b054e 100644
--- a/site/guide/configuration/manage-permissions.qmd
+++ b/site/guide/configuration/manage-permissions.qmd
@@ -38,6 +38,11 @@ Please note that the [{{< fa hand >}} Customer Admin]{.bubble} role has the high
 
 The following tables outline the default roles and permissions provided by {{< var vm.product >}}.
 
+<!-- 
+  The permissions tables below are auto-generated from backend source files.
+  To regenerate, run: python scripts/generate_permissions_docs.py
+  See README.md "Permissions documentation" section for details.
+-->
 {{< include _permissions-generated.qmd >}}
 
 

From 580c96933b35726f84e906e0fd5c147df239be4a Mon Sep 17 00:00:00 2001
From: Nik Richers <nik@validmind.ai>
Date: Tue, 10 Feb 2026 12:41:59 -0800
Subject: [PATCH 4/4] Add copyright header to generated permissions file

---
 scripts/generate_permissions_docs.py                | 6 +++++-
 site/guide/configuration/_permissions-generated.qmd | 4 ++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/scripts/generate_permissions_docs.py b/scripts/generate_permissions_docs.py
index 9e9484fdaa..9e9fd2f029 100644
--- a/scripts/generate_permissions_docs.py
+++ b/scripts/generate_permissions_docs.py
@@ -280,7 +280,11 @@ def main():
     # Generate output
     output = []
     
-    output.append("""<!---
+    output.append("""<!-- Copyright © 2023-2026 ValidMind Inc. All rights reserved.
+Refer to the LICENSE file in the root of this repository for details.
+SPDX-License-Identifier: AGPL-3.0 AND ValidMind Commercial -->
+
+<!---
 This file is auto-generated by scripts/generate_permissions_docs.py
 Do not edit directly. Re-run the script to update.
 
diff --git a/site/guide/configuration/_permissions-generated.qmd b/site/guide/configuration/_permissions-generated.qmd
index f635280b56..48154589e5 100644
--- a/site/guide/configuration/_permissions-generated.qmd
+++ b/site/guide/configuration/_permissions-generated.qmd
@@ -1,3 +1,7 @@
+<!-- Copyright © 2023-2026 ValidMind Inc. All rights reserved.
+Refer to the LICENSE file in the root of this repository for details.
+SPDX-License-Identifier: AGPL-3.0 AND ValidMind Commercial -->
+
 <!---
 This file is auto-generated by scripts/generate_permissions_docs.py
 Do not edit directly. Re-run the script to update.