Permission and Access Errors

Last updated March 20, 2026


Overview

LoopString uses role-based access control (RBAC) to determine what each team member can do on a shared device. Permission errors occur when you attempt an action your current role does not allow, or when a Firestore security rule blocks the request.

Team access features require a Business or Enterprise subscription. If you are on a lower-tier plan, the Team Members section will display an upgrade prompt rather than granting access to invite or manage members.


The Three Device Roles

Every user who has been added to a device holds one of three roles: Viewer, Operator, or Admin.

Viewer can view the dashboard only. Viewers cannot toggle actuators, change setpoints, deploy flows, edit device configuration, manage the team, or make billing changes.

Operator can view the dashboard, toggle actuators, and change setpoints. Operators cannot deploy flows, edit device configuration, manage the team, or make billing changes.

Admin has full access. Admins can view the dashboard, control actuators, change setpoints, deploy flows, edit device configuration, manage the team, and manage billing.

The device owner is always treated as an Admin regardless of the member record.


Common Permission Errors

Cannot toggle actuators or change setpoints

You are a Viewer on this device. Controlling hardware requires at least Operator access. Ask an Admin on the device to upgrade your role.

Cannot deploy a flow from the Configurator

Deploying a Node-RED flow requires Admin access. If the Deploy button is disabled or produces a permission error, your current role is Viewer or Operator. Contact the device owner or an Admin and ask to be promoted to Admin.

Cannot edit device configuration or Configurator settings

Editing device config (sensor calibration, alarm thresholds, scheduling rules, PID settings) requires Admin access. Viewers and Operators can read configuration but cannot save changes.

Cannot invite or remove team members

Managing the team list requires both the Admin role and a Business or Enterprise subscription. If you see an upgrade prompt in the Team Members panel, the account owner needs to upgrade the subscription. If you are already on Business or Enterprise but see a permission error, verify that your membership record shows Admin.

Cannot change billing or subscription settings

Only users with the Admin role can access billing settings. Viewers and Operators do not see billing controls.

Firestore "permission-denied" error in the browser console

This usually means one of the following:

  • You are not logged in. Sign out and sign back in to refresh your authentication token.
  • Your membership record was recently updated but the client has a stale cache. Reload the page to force the member list to refresh (the cache expires after two minutes).
  • You are trying to write to a collection that only the server is allowed to write to — for example, activity log entries, sensor baselines, or duty history. These are written exclusively by Cloud Functions and cannot be created from the browser.
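
The role checks described above, gathered into one default-deny decision function. This is an added example, not LoopString's code: the action names, reason strings, collection ids and device shape are assumptions made for illustration.

```javascript
// Added illustration; all names here are hypothetical, not LoopString's code.
const ROLE_RANK = new Map([['viewer', 1], ['operator', 2], ['admin', 3]]);

// Minimum role per action, from the role descriptions on this page.
const MIN_ROLE = new Map([
  ['viewDashboard', 'viewer'],
  ['toggleActuator', 'operator'],
  ['changeSetpoint', 'operator'],
  ['deployFlow', 'admin'],
  ['editConfig', 'admin'],
  ['manageTeam', 'admin'],
  ['manageBilling', 'admin'],
]);
const TEAM_PLANS = new Set(['business', 'enterprise']);
// Written only by Cloud Functions; collection ids are assumed spellings.
const SERVER_ONLY = new Set(['activityLog', 'sensorBaselines', 'dutyHistory']);

function effectiveRole(device, uid) {
  if (uid === device.ownerUid) return 'admin';   // owner is always Admin
  const role = device.members.get(uid);          // undefined if no record
  return ROLE_RANK.has(role) ? role : null;      // unknown value: no role
}

function decide(device, uid, action) {
  if (!uid) return { allow: false, reason: 'not-signed-in' };
  const required = MIN_ROLE.get(action);
  if (!required) return { allow: false, reason: 'unknown-action' };
  const role = effectiveRole(device, uid);
  if (!role) return { allow: false, reason: 'no-membership' };
  if (ROLE_RANK.get(role) < ROLE_RANK.get(required))
    return { allow: false, reason: `needs-${required}` };
  if (action === 'manageTeam' && !TEAM_PLANS.has(device.plan))
    return { allow: false, reason: 'upgrade-required' };
  return { allow: true, reason: role };
}

// Browser writes to server-only collections are always refused.
const clientMayWrite = (collection) => !SERVER_ONLY.has(collection);

// Constructed sample device; the owner's member record is deliberately "viewer".
const device = {
  ownerUid: 'u-owner', plan: 'business',
  members: new Map([['u-owner', 'viewer'], ['u-op', 'operator'], ['u-view', 'viewer']]),
};
for (const [uid, action] of [['u-view', 'toggleActuator'], ['u-op', 'changeSetpoint'],
  ['u-op', 'deployFlow'], ['u-owner', 'manageTeam'], ['u-gone', 'viewDashboard']]) {
  console.log(uid, action, decide(device, uid, action));
}
```

A client-side check like this only decides what the interface offers; the Firestore security rules remain the enforcement point, which is why a stale or missing membership record surfaces as "permission-denied".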

How to Check Your Current Role

  1. Open the device you want to inspect.
  2. Navigate to Settings, then select the Team tab.
  3. Your name will appear in the members list with a role badge: Viewer, Operator, or Admin.

If your name does not appear in the members list at all, you have no membership record for this device and all permission checks will default to no access. Ask a device Admin to send you a fresh invite.

If the Team tab is not visible, either the account is not on a Business or Enterprise plan, or you do not have the required subscription tier to access RBAC features.


How to Request a Role Upgrade

Only device Admins and the device owner can change roles. Send them the following information:

  • Your email address as registered in LoopString
  • The device you need access to
  • The role you are requesting and why (for example, Operator to control actuators during testing, Admin to deploy a new flow)

The Admin opens Settings > Team, locates your member row, and updates your role. The change takes effect for you within two minutes as the member cache refreshes, or immediately if you reload the page.


Invite Troubleshooting

Invite link expired. Invites are valid for seven days from the time they are sent. If your invite has expired, ask an Admin to send a new one.

Did not receive invite email. Check your spam folder. The invite email comes from the Firebase notification address associated with the LoopString project. If you still cannot find it, ask the Admin to cancel the old invite and resend.

Accepted invite but still cannot access the device. After accepting, reload the application. Your membership record is written to Firestore during the acceptance flow, but the local React Query cache may not yet reflect it. A reload forces a fresh fetch.


Subscription Tier Requirements

Team access with role-based permissions is available on Business and Enterprise plans. On Free, Hobby, Maker, and Pro plans, devices are single-user only. To add team members, upgrade the account subscription at Settings > Billing, or contact support.


When to Contact Support

Contact support if:

  • You are an Admin and cannot write to the members collection even after reloading.
  • A Firestore permission-denied error appears consistently for an action that your role should allow.
  • An invite was accepted but the member still does not appear after 24 hours.
  • You believe your role was changed without your knowledge.

Include the device ID, your user email, the specific action that failed, and any error codes visible in the browser console.
