Permission Layers
Filesystem Roles
Every user’s access starts with their filesystem role. See Filesystems for how membership works.
The workspace has exactly one owner per filesystem. The
owner role cannot be overridden by document or section permissions.
Document-Level Overrides
By default, a document inherits permissions from its filesystem. You can detach a document and configure it independently:- Set a default role for the document (overrides the filesystem role for that document)
- Grant specific users a higher or lower role on just that document
/hr/compensation-bands doc inside a generally-readable filesystem.
Document-level permissions are configured in the web app under a document’s settings.
Section-Level Overrides
Individual sections within a document can have their own permission override:
Section permissions can only be set on feature branches, not on
main. This ensures access control changes go through the normal review process before taking effect.
AI Access
Every section also has an AI access level, separate from the team-facing permission. This controls what agents see when they read via MCP. The effective permission an agent gets is:min(user_permission, ai_access).
Common use case: Set
AI access: none on sections that contain API keys, internal metrics, or personal information. Your team can still see the content in the web UI, but it’s filtered from all MCP responses.
Permission Resolution Order
When Moxn resolves a user’s effective permission for a section:- Owner — always
edit, cannot be overridden - Document user grant — if the document has been detached and this user has an explicit grant
- Document default role — the document’s configured default (if detached)
- Section override — if a section has
defaultPermissionset - Filesystem role — the user’s membership role in the filesystem
Setting Permissions in the Web App
Filesystem Membership
Go to Settings → Filesystems → select a filesystem → Members tab. From here you can add members, change their roles, and set the tenant default role (the fallback for workspace members not explicitly added).Document-Level Overrides
Open a document in the web editor and click the Settings icon (gear) in the top-right toolbar. The Permissions tab shows whether the document is inheriting from its filesystem or has been detached with its own defaults and per-user grants.Section-Level Overrides
Section permissions are only available on feature branches — you cannot set them onmain. To configure section access:
- Switch to a feature branch (or create one)
- Open the section you want to restrict
- Click the ⋯ menu on the section → Section Settings
- Set Permission (team access) and AI Access independently
main after the branch is merged.
A Practical Example
Suppose you have an engineering filesystem where most members haveedit access:
- Engineers can read and edit all runbooks
- The performance reviews doc is only accessible to HR members
- Even if an agent were granted access to that doc, the compensation section would never appear in MCP responses