Account and permission boundaries
Theseus has three account domains. They protect cloud services, a runtime target, and an individual App runtime respectively. They do not replace one another.
Why this matters
Many “I am signed in but still do not have permission” problems come from treating all three accounts as one identity. First decide whether the action belongs to the editor, the runtime target, or an App runtime page. That tells you which sign-in and administrator you need.
When you will encounter it
- signing in to Qixin for AI, source control, online licensing, or other cloud services;
- connecting to a local or remote Runtime target for Run, Debug, Deploy, or Stop;
- opening a runtime page as an operator and accessing role-restricted Pages or Widgets;
- creating target accounts, App users, or site roles;
- using the same username at different sign-in points and seeing different permissions.
The three account domains
| Account | Scope | Primary purpose | Does not automatically grant |
|---|---|---|---|
| Editor Qixin account | The desktop editor and Qixin cloud services | AI entitlement, source control, online licensing, and other cloud capabilities | Runtime target administration or App runtime roles |
| Runtime target account | One RuntimeHost target | View and run deployed Apps; administrators deploy, debug, and manage the target | Editor cloud services or roles inside an App |
| App user | The runtime pages of one App | Sign in to the App and access Pages and Widgets according to roles | App editing, deployment, or Runtime target management |
Editor Qixin account
Local App Hub, editor, and authoring work do not require a Qixin sign-in. Qixin sign-in is for cloud services that require account entitlement. It does not automatically create a Runtime target account or make you an operator inside an App.
If a Runtime target administrator has linked your Qixin identity to a target account, the desktop can reuse that authorization when connecting to the target. The permissions are still separate; linking only removes an extra password prompt.
Runtime target account
Each Runtime target has its own accounts and sessions. After switching targets, use the connection state of the new target.
| Target role | Capabilities |
|---|---|
| User | Sign in to the runtime-only UI, view deployed Apps, open runtime pages, and run an already deployed App |
| Admin | Includes User capabilities and can deploy, Debug, Materialize, Stop, write a License, change runtime settings, and manage target accounts |
Run from the desktop normally prepares and deploys the current runtime package first, so starting a new desktop version on a target requires Admin access. User access is designed for starting an App that is already deployed from the runtime-only UI.
App user
App users and roles belong to one App. They are used to:
- restrict which Pages a person can open;
- control which Widgets are visible to a role on a runtime page;
- switch operator identity on a shared terminal.
An App user cannot enter the editor and cannot deploy, stop, or administer a Runtime target. The Admin role inside an App and the Admin role on a target share a name but have completely different scopes.
Page and Widget roles are runtime-page access controls. They do not replace emergency stops, safety relays, safety controllers, equipment protection, or server-side operation authorization.
Questions to ask when access is denied
- Am I using a cloud service, operating a Runtime target, or opening an App runtime page?
- Which Runtime target is selected in the Navbar?
- Is the active target session a User or Admin session?
- Which App user is signed in on the runtime page, and which roles does it have?
- Does this operation intentionally require a higher permission or explicit approval?
Common misconceptions
- Signing in to Qixin is not the same as signing in to a Runtime target. Cloud authorization does not automatically become machine-runtime permission.
- Target Admin is not App Admin. The former manages a runtime target; the latter is only a role within one App.
- An App user cannot deploy or Stop an App. It only controls access inside the App runtime.
- Matching usernames do not imply the same identity. The three account domains can each contain a user with the same name.
- A session on one Runtime target does not connect you to another target. Every target keeps its own accounts and state.
- Hiding a button does not make a machine safe. Critical actions still need equipment, runtime, and engineering safeguards.
Next step
- Follow Sign-in, App Hub, and editor entry for the first sign-in at each entry point.
- Create App roles and verify Page and Widget visibility with Users and permissions.
- Read App management and License management before administering a Runtime target or License.