canva-enterprise-rbac

# Canva Enterprise RBAC ## Overview Manage access control for Canva Connect API integrations at the organization level. The Canva API uses OAuth scopes (not roles) — your application layer implements RBAC on top of Canva's scope system. ## Canva Enterprise Requirements | Feature | Canva Free/Pro | Canva Enterprise | |---------|----------------|------------------| | Design Create/Read | Yes | Yes | | Export Designs | Yes | Yes | | Asset Upload | Yes | Yes | | Brand Templates | No | Yes | | Autofill API | No | Yes | | Folders (advanced) | Limited | Yes | | Comments API | Yes | Yes | **Key:** Autofill and brand template APIs require the user to be a member of a Canva Enterprise organization. ## Application-Level RBAC ```typescript // Your application controls what each user role can do with Canva interface CanvaRole { name: string; scopes: string[]; // OAuth scopes to request allowedOperations: string[]; // Application-level operations } const CANVA_ROLES: Record<string, CanvaRole> = { viewer: { name: 'Viewer', scopes: ['design:meta:read'], allowedOperations: ['listDesigns', 'getDesign'], }, creator: { name: 'Creator', scopes: ['design:meta:read', 'design:content:write', 'design:content:read', 'asset:write', 'asset:read'], allowedOperations: ['listDesigns', 'getDesign', 'createDesign', 'exportDesign', 'uploadAsset'], }, admin: { name: 'Admin', scopes: [ 'design:meta:read', 'design:content:write', 'design:con...