simstudioai · minijeong-log · May 21, 2026 · May 21, 2026 · May 21, 2026 · May 21, 2026
diff --git a/apps/sim/app/api/credentials/route.ts b/apps/sim/app/api/credentials/route.ts
@@ -1,6 +1,6 @@
 import { AuditAction, AuditResourceType, recordAudit } from '@sim/audit'
 import { db } from '@sim/db'
-import { account, credential, credentialMember, workspace } from '@sim/db/schema'
+import { account, credential, credentialMember, permissions, workspace } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { getPostgresErrorCode } from '@sim/utils/errors'
 import { generateId } from '@sim/utils/id'
@@ -22,7 +22,6 @@ import {
   normalizeAtlassianDomain,
   validateAtlassianServiceAccount,
 } from '@/lib/credentials/atlassian-service-account'
-import { getWorkspaceMemberUserIds } from '@/lib/credentials/environment'
 import { syncWorkspaceOAuthCredentialsForUser } from '@/lib/credentials/oauth'
 import { getServiceConfigByProviderId } from '@/lib/oauth'
 import {
@@ -535,17 +534,30 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       })
 
       if ((type === 'env_workspace' || type === 'service_account') && workspaceRow?.ownerId) {
-        const workspaceUserIds = await getWorkspaceMemberUserIds(workspaceId)
+        const wsPermissionRows = await db
+          .select({ userId: permissions.userId, permissionType: permissions.permissionType })
+          .from(permissions)
+          .where(
+            and(eq(permissions.entityType, 'workspace'), eq(permissions.entityId, workspaceId))
+          )
+        const wsPermissionByUser = new Map(
+          wsPermissionRows.map((row) => [row.userId, row.permissionType])
+        )
+        const workspaceUserIds = Array.from(
+          new Set([workspaceRow.ownerId, ...wsPermissionRows.map((row) => row.userId)])
+        )
         if (workspaceUserIds.length > 0) {
           for (const memberUserId of workspaceUserIds) {
+            const wsPermission = wsPermissionByUser.get(memberUserId)
+            const isAdmin =
+              memberUserId === workspaceRow.ownerId ||
+              memberUserId === session.user.id ||
+              wsPermission === 'admin'
             await tx.insert(credentialMember).values({
               id: generateId(),
               credentialId,
               userId: memberUserId,
-              role:
-                memberUserId === workspaceRow.ownerId || memberUserId === session.user.id
-                  ? 'admin'
-                  : 'member',
+              role: isAdmin ? 'admin' : 'member',
               status: 'active',
               joinedAt: now,
               invitedBy: session.user.id,

diff --git a/apps/sim/lib/credentials/environment.ts b/apps/sim/lib/credentials/environment.ts
@@ -64,7 +64,8 @@ export async function getUserWorkspaceIds(userId: string): Promise<string[]> {
 async function ensureWorkspaceCredentialMemberships(
   credentialId: string,
   memberUserIds: string[],
-  ownerUserId: string
+  ownerUserId: string,
+  wsPermissionByUser: Map<string, string>
 ) {
   if (!memberUserIds.length) return
 
@@ -87,7 +88,8 @@ async function ensureWorkspaceCredentialMemberships(
   const now = new Date()
 
   for (const memberUserId of memberUserIds) {
-    const targetRole = memberUserId === ownerUserId ? 'admin' : 'member'
+    const wsPermission = wsPermissionByUser.get(memberUserId)
+    const targetRole = memberUserId === ownerUserId || wsPermission === 'admin' ? 'admin' : 'member'
     const existing = byUserId.get(memberUserId)
     if (existing) {
       if (existing.status === 'revoked') {
@@ -126,17 +128,27 @@ export async function syncWorkspaceEnvCredentials(params: {
   actingUserId: string
 }) {
   const { workspaceId, envKeys, actingUserId } = params
-  const [[workspaceRow], memberUserIds] = await Promise.all([
+  const [[workspaceRow], wsPermissionRows] = await Promise.all([
     db
       .select({ ownerId: workspace.ownerId })
       .from(workspace)
       .where(eq(workspace.id, workspaceId))
       .limit(1),
-    getWorkspaceMemberUserIds(workspaceId),
+    db
+      .select({ userId: permissions.userId, permissionType: permissions.permissionType })
+      .from(permissions)
+      .where(and(eq(permissions.entityType, 'workspace'), eq(permissions.entityId, workspaceId))),
   ])
 
   if (!workspaceRow) return
 
+  const wsPermissionByUser = new Map(
+    wsPermissionRows.map((row) => [row.userId, row.permissionType])
+  )
+  const memberUserIds = Array.from(
+    new Set([workspaceRow.ownerId, ...wsPermissionRows.map((row) => row.userId)])
+  )
+
   const normalizedKeys = Array.from(new Set(envKeys.filter(Boolean)))
   const existingCredentials = await db
     .select({
@@ -182,7 +194,12 @@ export async function syncWorkspaceEnvCredentials(params: {
   }
 
   for (const credentialId of credentialIdsToEnsureMembership) {
-    await ensureWorkspaceCredentialMemberships(credentialId, memberUserIds, workspaceRow.ownerId)
+    await ensureWorkspaceCredentialMemberships(
+      credentialId,
+      memberUserIds,
+      workspaceRow.ownerId,
+      wsPermissionByUser
+    )
   }
 
   if (normalizedKeys.length > 0) {
@@ -216,18 +233,27 @@ export async function createWorkspaceEnvCredentials(params: {
   const keys = Array.from(new Set(newKeys.filter(Boolean)))
   if (keys.length === 0) return
 
-  const [[workspaceRow], memberUserIds] = await Promise.all([
+  const [[workspaceRow], wsPermissionRows] = await Promise.all([
     db
       .select({ ownerId: workspace.ownerId })
       .from(workspace)
       .where(eq(workspace.id, workspaceId))
       .limit(1),
-    getWorkspaceMemberUserIds(workspaceId),
+    db
+      .select({ userId: permissions.userId, permissionType: permissions.permissionType })
+      .from(permissions)
+      .where(and(eq(permissions.entityType, 'workspace'), eq(permissions.entityId, workspaceId))),
   ])
 
   if (!workspaceRow) return
 
   const ownerUserId = workspaceRow.ownerId
+  const wsPermissionByUser = new Map(
+    wsPermissionRows.map((row) => [row.userId, row.permissionType])
+  )
+  const memberUserIds = Array.from(
+    new Set([ownerUserId, ...wsPermissionRows.map((row) => row.userId)])
+  )
   const now = new Date()
   const createdIds: string[] = []
 
@@ -255,17 +281,21 @@ export async function createWorkspaceEnvCredentials(params: {
 
   // Bulk-insert memberships for all new credentials × all workspace members in one query
   const membershipValues = createdIds.flatMap((credentialId) =>
-    memberUserIds.map((memberUserId) => ({
-      id: generateId(),
-      credentialId,
-      userId: memberUserId,
-      role: (memberUserId === ownerUserId ? 'admin' : 'member') as 'admin' | 'member',
-      status: 'active' as const,
-      joinedAt: now,
-      invitedBy: ownerUserId,
-      createdAt: now,
-      updatedAt: now,
-    }))
+    memberUserIds.map((memberUserId) => {
+      const wsPermission = wsPermissionByUser.get(memberUserId)
+      const isAdmin = memberUserId === ownerUserId || wsPermission === 'admin'
+      return {
+        id: generateId(),
+        credentialId,
+        userId: memberUserId,
+        role: (isAdmin ? 'admin' : 'member') as 'admin' | 'member',
+        status: 'active' as const,
+        joinedAt: now,
+        invitedBy: ownerUserId,
+        createdAt: now,
+        updatedAt: now,
+      }
+    })
   )
 
   await db.insert(credentialMember).values(membershipValues).onConflictDoNothing()