What does default-deny mean here?

It means access starts closed. A capability has to be explicitly granted for an action to run. Anything not granted is refused — so a new or undeclared surface is locked by default rather than accidentally open.

How do capabilities relate to roles and plans?

Roles and plans both resolve into sets of capabilities. The capability is the actual permission an action checks. Roles say who you are; plans say what your tier includes; capabilities are what gets verified.

Fine-grained capabilities

Last updated 2026-06-14

Definition

Fine-grained capabilities are the named permissions that sit under roles and plans. Each action Quri can take — manage connectors, view a waitlist, run a write — checks for a specific capability. The model is default-deny: anything not explicitly granted is refused. So an undeclared surface is locked by default, never quietly left open.

How to do this in Quri

Assign a role or plan that grants the capabilities a user or workspace needs.
Let each Quri action check for its required capability before it runs.
Trust default-deny — anything not granted is refused, not allowed.
Adjust roles or plan in /app/settings when someone needs more.

Frequently asked

What does default-deny mean here?: It means access starts closed. A capability has to be explicitly granted for an action to run. Anything not granted is refused — so a new or undeclared surface is locked by default rather than accidentally open.
How do capabilities relate to roles and plans?: Roles and plans both resolve into sets of capabilities. The capability is the actual permission an action checks. Roles say who you are; plans say what your tier includes; capabilities are what gets verified.

Fine-grained capabilities

Definition

How to do this in Quri

Frequently asked

Related terms