simstudioai · minijeong-log · May 21, 2026 · May 21, 2026 · May 21, 2026 · May 21, 2026
diff --git a/apps/sim/app/api/credentials/route.ts b/apps/sim/app/api/credentials/route.ts
@@ -1,6 +1,6 @@
 import { AuditAction, AuditResourceType, recordAudit } from '@sim/audit'
 import { db } from '@sim/db'
-import { account, credential, credentialMember, workspace } from '@sim/db/schema'
+import { account, credential, credentialMember, permissions, workspace } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { getPostgresErrorCode } from '@sim/utils/errors'
 import { generateId } from '@sim/utils/id'
@@ -535,17 +535,30 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       })
 
       if ((type === 'env_workspace' || type === 'service_account') && workspaceRow?.ownerId) {
-        const workspaceUserIds = await getWorkspaceMemberUserIds(workspaceId)
+        const [workspaceUserIds, wsPermissionRows] = await Promise.all([
+          getWorkspaceMemberUserIds(workspaceId),
+          db
+            .select({ userId: permissions.userId, permissionType: permissions.permissionType })
+            .from(permissions)
+            .where(
+              and(eq(permissions.entityType, 'workspace'), eq(permissions.entityId, workspaceId))
+            ),
+        ])
+        const wsPermissionByUser = new Map(
+          wsPermissionRows.map((row) => [row.userId, row.permissionType])
+        )
         if (workspaceUserIds.length > 0) {
           for (const memberUserId of workspaceUserIds) {
+            const wsPermission = wsPermissionByUser.get(memberUserId)
+            const isAdmin =
+              memberUserId === workspaceRow.ownerId ||
+              memberUserId === session.user.id ||
+              wsPermission === 'admin'
             await tx.insert(credentialMember).values({
               id: generateId(),
               credentialId,
               userId: memberUserId,
-              role:
-                memberUserId === workspaceRow.ownerId || memberUserId === session.user.id
-                  ? 'admin'
-                  : 'member',
+              role: isAdmin ? 'admin' : 'member',
               status: 'active',
               joinedAt: now,
               invitedBy: session.user.id,

diff --git a/apps/sim/lib/credentials/environment.ts b/apps/sim/lib/credentials/environment.ts
@@ -64,10 +64,20 @@ export async function getUserWorkspaceIds(userId: string): Promise<string[]> {
 async function ensureWorkspaceCredentialMemberships(
   credentialId: string,
   memberUserIds: string[],
-  ownerUserId: string
+  ownerUserId: string,
+  workspaceId: string
 ) {
   if (!memberUserIds.length) return
 
+  const workspacePermissionRows = await db
+    .select({ userId: permissions.userId, permissionType: permissions.permissionType })
+    .from(permissions)
+    .where(and(eq(permissions.entityType, 'workspace'), eq(permissions.entityId, workspaceId)))
+
+  const wsPermissionByUser = new Map(
+    workspacePermissionRows.map((row) => [row.userId, row.permissionType])
+  )
+
   const existingMemberships = await db
     .select({
       id: credentialMember.id,
@@ -87,7 +97,8 @@ async function ensureWorkspaceCredentialMemberships(
   const now = new Date()
 
   for (const memberUserId of memberUserIds) {
-    const targetRole = memberUserId === ownerUserId ? 'admin' : 'member'
+    const wsPermission = wsPermissionByUser.get(memberUserId)
+    const targetRole = memberUserId === ownerUserId || wsPermission === 'admin' ? 'admin' : 'member'
     const existing = byUserId.get(memberUserId)
     if (existing) {
       if (existing.status === 'revoked') {
@@ -182,7 +193,12 @@ export async function syncWorkspaceEnvCredentials(params: {
   }
 
   for (const credentialId of credentialIdsToEnsureMembership) {
-    await ensureWorkspaceCredentialMemberships(credentialId, memberUserIds, workspaceRow.ownerId)
+    await ensureWorkspaceCredentialMemberships(
+      credentialId,
+      memberUserIds,
+      workspaceRow.ownerId,
+      workspaceId
+    )
   }
 
   if (normalizedKeys.length > 0) {
@@ -253,19 +269,32 @@ export async function createWorkspaceEnvCredentials(params: {
 
   if (createdIds.length === 0 || memberUserIds.length === 0) return
 
+  const wsPermissionRows = await db
+    .select({ userId: permissions.userId, permissionType: permissions.permissionType })
+    .from(permissions)
+    .where(and(eq(permissions.entityType, 'workspace'), eq(permissions.entityId, workspaceId)))
+
+  const wsPermissionByUser = new Map(
+    wsPermissionRows.map((row) => [row.userId, row.permissionType])
+  )
+
   // Bulk-insert memberships for all new credentials × all workspace members in one query
   const membershipValues = createdIds.flatMap((credentialId) =>
-    memberUserIds.map((memberUserId) => ({
-      id: generateId(),
-      credentialId,
-      userId: memberUserId,
-      role: (memberUserId === ownerUserId ? 'admin' : 'member') as 'admin' | 'member',
-      status: 'active' as const,
-      joinedAt: now,
-      invitedBy: ownerUserId,
-      createdAt: now,
-      updatedAt: now,
-    }))
+    memberUserIds.map((memberUserId) => {
+      const wsPermission = wsPermissionByUser.get(memberUserId)
+      const isAdmin = memberUserId === ownerUserId || wsPermission === 'admin'
+      return {
+        id: generateId(),
+        credentialId,
+        userId: memberUserId,
+        role: (isAdmin ? 'admin' : 'member') as 'admin' | 'member',
+        status: 'active' as const,
+        joinedAt: now,
+        invitedBy: ownerUserId,
+        createdAt: now,
+        updatedAt: now,
+      }
+    })
   )
 
   await db.insert(credentialMember).values(membershipValues).onConflictDoNothing()