From 132d691cbf983f60293c7423de0077fb7c97e0af Mon Sep 17 00:00:00 2001
From: Csaba Tuncsik <csaba@n8n.io>
Date: Mon, 4 Dec 2023 10:02:54 +0100
Subject: [PATCH] fix(editor): Replace isInstanceOwner checks with scopes where
 applicable (#7858)

Co-authored-by: Alex Grozav <alex@grozav.com>
---
 .../editor-ui/src/api/workflow-webhooks.ts    | 16 ++++++------
 .../components/MainHeader/WorkflowDetails.vue | 13 ++++------
 .../editor-ui/src/components/MainSidebar.vue  |  2 +-
 .../components/MainSidebarSourceControl.vue   | 14 +++++-----
 .../EventDestinationCard.ee.vue               |  6 ++---
 .../EventDestinationSettingsModal.ee.vue      | 19 +++++++-------
 .../src/components/WorkflowSettings.vue       |  9 ++++---
 .../MainSidebarSourceControl.test.ts          | 10 +++----
 .../src/components/banners/V1Banner.vue       |  8 +++---
 packages/editor-ui/src/mixins/nodeHelpers.ts  | 10 ++++---
 .../src/rbac/__tests__/permissions.test.ts    |  3 +++
 .../checks/__tests__/isInstanceOwner.test.ts  | 26 +++++++++++++++++++
 packages/editor-ui/src/rbac/checks/index.ts   |  1 +
 .../src/rbac/checks/isInstanceOwner.ts        |  5 ++++
 packages/editor-ui/src/rbac/permissions.ts    |  2 ++
 .../editor-ui/src/stores/cloudPlan.store.ts   |  5 ++--
 .../src/stores/externalSecrets.ee.store.ts    |  6 ++---
 packages/editor-ui/src/stores/ui.store.ts     |  6 ++---
 packages/editor-ui/src/stores/users.store.ts  |  2 +-
 packages/editor-ui/src/types/rbac.ts          |  3 +++
 .../src/views/SettingsLogStreamingView.vue    | 12 ++++-----
 21 files changed, 111 insertions(+), 67 deletions(-)
 create mode 100644 packages/editor-ui/src/rbac/checks/__tests__/isInstanceOwner.test.ts
 create mode 100644 packages/editor-ui/src/rbac/checks/isInstanceOwner.ts

diff --git a/packages/editor-ui/src/api/workflow-webhooks.ts b/packages/editor-ui/src/api/workflow-webhooks.ts
index 30fea1314b..369730085f 100644
--- a/packages/editor-ui/src/api/workflow-webhooks.ts
+++ b/packages/editor-ui/src/api/workflow-webhooks.ts
@@ -7,25 +7,25 @@ const CONTACT_EMAIL_SUBMISSION_ENDPOINT = '/accounts/onboarding';
 
 export async function fetchNextOnboardingPrompt(
 	instanceId: string,
-	currentUer: IUser,
+	currentUser: IUser,
 ): Promise<IOnboardingCallPrompt> {
 	return get(N8N_API_BASE_URL, ONBOARDING_PROMPTS_ENDPOINT, {
 		instance_id: instanceId,
-		user_id: `${instanceId}#${currentUer.id}`,
-		is_owner: currentUer.isOwner,
-		survey_results: currentUer.personalizationAnswers,
+		user_id: `${instanceId}#${currentUser.id}`,
+		is_owner: currentUser.isOwner,
+		survey_results: currentUser.personalizationAnswers,
 	});
 }
 
 export async function applyForOnboardingCall(
 	instanceId: string,
-	currentUer: IUser,
+	currentUser: IUser,
 	email: string,
 ): Promise<string> {
 	try {
 		const response = await post(N8N_API_BASE_URL, ONBOARDING_PROMPTS_ENDPOINT, {
 			instance_id: instanceId,
-			user_id: `${instanceId}#${currentUer.id}`,
+			user_id: `${instanceId}#${currentUser.id}`,
 			email,
 		});
 		return response;
@@ -36,13 +36,13 @@ export async function applyForOnboardingCall(
 
 export async function submitEmailOnSignup(
 	instanceId: string,
-	currentUer: IUser,
+	currentUser: IUser,
 	email: string | undefined,
 	agree: boolean,
 ): Promise<string> {
 	return post(N8N_API_BASE_URL, CONTACT_EMAIL_SUBMISSION_ENDPOINT, {
 		instance_id: instanceId,
-		user_id: `${instanceId}#${currentUer.id}`,
+		user_id: `${instanceId}#${currentUser.id}`,
 		email,
 		agree,
 	});
diff --git a/packages/editor-ui/src/components/MainHeader/WorkflowDetails.vue b/packages/editor-ui/src/components/MainHeader/WorkflowDetails.vue
index b8507b5e84..c4f164cec1 100644
--- a/packages/editor-ui/src/components/MainHeader/WorkflowDetails.vue
+++ b/packages/editor-ui/src/components/MainHeader/WorkflowDetails.vue
@@ -184,6 +184,7 @@ import { getWorkflowPermissions } from '@/permissions';
 import { createEventBus } from 'n8n-design-system/utils';
 import { nodeViewEventBus } from '@/event-bus';
 import { genericHelpers } from '@/mixins/genericHelpers';
+import { hasPermission } from '@/rbac/permissions';
 
 const hasChanged = (prev: string[], curr: string[]) => {
 	if (prev.length !== curr.length) {
@@ -247,10 +248,7 @@ export default defineComponent({
 		currentUser(): IUser | null {
 			return this.usersStore.currentUser;
 		},
-		currentUserIsOwner(): boolean {
-			return this.usersStore.currentUser?.isOwner ?? false;
-		},
-		contextBasedTranslationKeys(): NestedRecord<string> {
+		contextBasedTranslationKeys() {
 			return this.uiStore.contextBasedTranslationKeys;
 		},
 		isWorkflowActive(): boolean {
@@ -298,7 +296,7 @@ export default defineComponent({
 			].includes(this.$route.name || '');
 		},
 		workflowPermissions(): IPermissions {
-			return getWorkflowPermissions(this.usersStore.currentUser, this.workflow);
+			return getWorkflowPermissions(this.currentUser, this.workflow);
 		},
 		workflowMenuItems(): Array<{}> {
 			const actions = [
@@ -330,7 +328,7 @@ export default defineComponent({
 				);
 			}
 
-			if (this.currentUserIsOwner) {
+			if (hasPermission(['rbac'], { rbac: { scope: 'sourceControl:push' } })) {
 				actions.push({
 					id: WORKFLOW_MENU_ACTIONS.PUSH,
 					label: this.$locale.baseText('menuActions.push'),
@@ -338,8 +336,7 @@ export default defineComponent({
 						!this.sourceControlStore.isEnterpriseSourceControlEnabled ||
 						!this.onWorkflowPage ||
 						this.onExecutionsTab ||
-						this.readOnlyEnv ||
-						!this.currentUserIsOwner,
+						this.readOnlyEnv,
 				});
 			}
 
diff --git a/packages/editor-ui/src/components/MainSidebar.vue b/packages/editor-ui/src/components/MainSidebar.vue
index 1ba1996a8c..384452311f 100644
--- a/packages/editor-ui/src/components/MainSidebar.vue
+++ b/packages/editor-ui/src/components/MainSidebar.vue
@@ -266,7 +266,7 @@ export default defineComponent({
 					position: 'bottom',
 					label: 'Admin Panel',
 					icon: 'home',
-					available: this.settingsStore.isCloudDeployment && this.usersStore.isInstanceOwner,
+					available: this.settingsStore.isCloudDeployment && hasPermission(['instanceOwner']),
 				},
 				{
 					id: 'settings',
diff --git a/packages/editor-ui/src/components/MainSidebarSourceControl.vue b/packages/editor-ui/src/components/MainSidebarSourceControl.vue
index bbab868a33..b3a4b424d5 100644
--- a/packages/editor-ui/src/components/MainSidebarSourceControl.vue
+++ b/packages/editor-ui/src/components/MainSidebarSourceControl.vue
@@ -3,12 +3,11 @@ import { computed, nextTick, ref } from 'vue';
 import { useRouter } from 'vue-router';
 import { createEventBus } from 'n8n-design-system/utils';
 import { useI18n } from '@/composables/useI18n';
-import { useMessage } from '@/composables/useMessage';
+import { hasPermission } from '@/rbac/permissions';
 import { useToast } from '@/composables/useToast';
 import { useLoadingService } from '@/composables/useLoadingService';
 import { useUIStore } from '@/stores/ui.store';
 import { useSourceControlStore } from '@/stores/sourceControl.store';
-import { useUsersStore } from '@/stores/users.store';
 import { SOURCE_CONTROL_PULL_MODAL_KEY, SOURCE_CONTROL_PUSH_MODAL_KEY, VIEWS } from '@/constants';
 import type { SourceControlAggregatedFile } from '../Interface';
 import { sourceControlEventBus } from '@/event-bus/source-control';
@@ -24,9 +23,7 @@ const responseStatuses = {
 const router = useRouter();
 const loadingService = useLoadingService();
 const uiStore = useUIStore();
-const usersStore = useUsersStore();
 const sourceControlStore = useSourceControlStore();
-const message = useMessage();
 const toast = useToast();
 const i18n = useI18n();
 
@@ -36,8 +33,11 @@ const tooltipOpenDelay = ref(300);
 const currentBranch = computed(() => {
 	return sourceControlStore.preferences.branchName;
 });
-const isInstanceOwner = computed(() => usersStore.isInstanceOwner);
-const setupButtonTooltipPlacement = computed(() => (props.isCollapsed ? 'right' : 'top'));
+const sourceControlAvailable = computed(
+	() =>
+		sourceControlStore.isEnterpriseSourceControlEnabled &&
+		hasPermission(['rbac'], { rbac: { scope: 'sourceControl:manage' } }),
+);
 
 async function pushWorkfolder() {
 	loadingService.startLoading();
@@ -125,7 +125,7 @@ const goToSourceControlSetup = async () => {
 
 <template>
 	<div
-		v-if="sourceControlStore.isEnterpriseSourceControlEnabled && isInstanceOwner"
+		v-if="sourceControlAvailable"
 		:class="{
 			[$style.sync]: true,
 			[$style.collapsed]: isCollapsed,
diff --git a/packages/editor-ui/src/components/SettingsLogStreaming/EventDestinationCard.ee.vue b/packages/editor-ui/src/components/SettingsLogStreaming/EventDestinationCard.ee.vue
index 03b3a6d048..d72aaa960a 100644
--- a/packages/editor-ui/src/components/SettingsLogStreaming/EventDestinationCard.ee.vue
+++ b/packages/editor-ui/src/components/SettingsLogStreaming/EventDestinationCard.ee.vue
@@ -25,7 +25,7 @@
 
 				<el-switch
 					class="mr-s"
-					:disabled="!isInstanceOwner"
+					:disabled="readonly"
 					:modelValue="nodeParameters.enabled"
 					@update:modelValue="onEnabledSwitched($event, destination.id)"
 					:title="
@@ -84,7 +84,7 @@ export default defineComponent({
 			required: true,
 			default: deepCopy(defaultMessageEventBusDestinationOptions),
 		},
-		isInstanceOwner: Boolean,
+		readonly: Boolean,
 	},
 	mounted() {
 		this.nodeParameters = Object.assign(
@@ -105,7 +105,7 @@ export default defineComponent({
 					value: DESTINATION_LIST_ITEM_ACTIONS.OPEN,
 				},
 			];
-			if (this.isInstanceOwner) {
+			if (!this.readonly) {
 				actions.push({
 					label: this.$locale.baseText('workflows.item.delete'),
 					value: DESTINATION_LIST_ITEM_ACTIONS.DELETE,
diff --git a/packages/editor-ui/src/components/SettingsLogStreaming/EventDestinationSettingsModal.ee.vue b/packages/editor-ui/src/components/SettingsLogStreaming/EventDestinationSettingsModal.ee.vue
index db9b1d6e61..73f844f6f8 100644
--- a/packages/editor-ui/src/components/SettingsLogStreaming/EventDestinationSettingsModal.ee.vue
+++ b/packages/editor-ui/src/components/SettingsLogStreaming/EventDestinationSettingsModal.ee.vue
@@ -45,7 +45,7 @@
 							@click="sendTestEvent"
 							data-test-id="destination-test-button"
 						/>
-						<template v-if="isInstanceOwner">
+						<template v-if="canManageLogStreaming">
 							<n8n-icon-button
 								v-if="nodeParameters && hasOnceBeenSaved"
 								:title="$locale.baseText('settings.log-streaming.delete')"
@@ -117,7 +117,7 @@
 								:parameters="webhookDescription"
 								:hideDelete="true"
 								:nodeValues="nodeParameters"
-								:isReadOnly="!isInstanceOwner"
+								:isReadOnly="!canManageLogStreaming"
 								path=""
 								@valueChanged="valueChanged"
 							/>
@@ -127,7 +127,7 @@
 								:parameters="syslogDescription"
 								:hideDelete="true"
 								:nodeValues="nodeParameters"
-								:isReadOnly="!isInstanceOwner"
+								:isReadOnly="!canManageLogStreaming"
 								path=""
 								@valueChanged="valueChanged"
 							/>
@@ -137,7 +137,7 @@
 								:parameters="sentryDescription"
 								:hideDelete="true"
 								:nodeValues="nodeParameters"
-								:isReadOnly="!isInstanceOwner"
+								:isReadOnly="!canManageLogStreaming"
 								path=""
 								@valueChanged="valueChanged"
 							/>
@@ -156,7 +156,7 @@
 								:destinationId="destination.id"
 								@input="onInput"
 								@change="valueChanged"
-								:readonly="!isInstanceOwner"
+								:readonly="!canManageLogStreaming"
 							/>
 						</div>
 					</div>
@@ -194,7 +194,7 @@ import { LOG_STREAM_MODAL_KEY, MODAL_CONFIRM } from '@/constants';
 import Modal from '@/components/Modal.vue';
 import { useMessage } from '@/composables/useMessage';
 import { useUIStore } from '@/stores/ui.store';
-import { useUsersStore } from '@/stores/users.store';
+import { hasPermission } from '@/rbac/permissions';
 import { destinationToFakeINodeUi } from '@/components/SettingsLogStreaming/Helpers.ee';
 import {
 	webhookModalDescription,
@@ -252,12 +252,11 @@ export default defineComponent({
 			headerLabel: this.destination.label,
 			testMessageSent: false,
 			testMessageResult: false,
-			isInstanceOwner: false,
 			LOG_STREAM_MODAL_KEY,
 		};
 	},
 	computed: {
-		...mapStores(useUIStore, useUsersStore, useLogStreamingStore, useNDVStore, useWorkflowsStore),
+		...mapStores(useUIStore, useLogStreamingStore, useNDVStore, useWorkflowsStore),
 		typeSelectOptions(): Array<{ value: string; label: BaseTextKey }> {
 			const options: Array<{ value: string; label: BaseTextKey }> = [];
 			for (const t of Object.values(MessageEventBusDestinationTypeNames)) {
@@ -306,9 +305,11 @@ export default defineComponent({
 			}
 			return items;
 		},
+		canManageLogStreaming(): boolean {
+			return hasPermission(['rbac'], { rbac: { scope: 'logStreaming:manage' } });
+		},
 	},
 	mounted() {
-		this.isInstanceOwner = this.usersStore.currentUser?.globalRole?.name === 'owner';
 		this.setupNode(
 			Object.assign(deepCopy(defaultMessageEventBusDestinationOptions), this.destination),
 		);
diff --git a/packages/editor-ui/src/components/WorkflowSettings.vue b/packages/editor-ui/src/components/WorkflowSettings.vue
index e6d8cd19e7..75c62cdf4f 100644
--- a/packages/editor-ui/src/components/WorkflowSettings.vue
+++ b/packages/editor-ui/src/components/WorkflowSettings.vue
@@ -381,6 +381,8 @@ import { useRootStore } from '@/stores/n8nRoot.store';
 import { useWorkflowsEEStore } from '@/stores/workflows.ee.store';
 import { useWorkflowsStore } from '@/stores/workflows.store';
 import { createEventBus } from 'n8n-design-system/utils';
+import type { IPermissions } from '@/permissions';
+import { getWorkflowPermissions } from '@/permissions';
 
 export default defineComponent({
 	name: 'WorkflowSettings',
@@ -479,6 +481,9 @@ export default defineComponent({
 
 			return this.workflowsEEStore.getWorkflowOwnerName(`${this.workflowId}`, fallback);
 		},
+		workflowPermissions(): IPermissions {
+			return getWorkflowPermissions(this.currentUser, this.workflow);
+		},
 	},
 	async mounted() {
 		this.executionTimeout = this.rootStore.executionTimeout;
@@ -584,8 +589,6 @@ export default defineComponent({
 			};
 		},
 		async loadWorkflowCallerPolicyOptions() {
-			const currentUserIsOwner = this.workflow.ownedBy?.id === this.currentUser?.id;
-
 			this.workflowCallerPolicyOptions = [
 				{
 					key: 'none',
@@ -597,7 +600,7 @@ export default defineComponent({
 						'workflowSettings.callerPolicy.options.workflowsFromSameOwner',
 						{
 							interpolate: {
-								owner: currentUserIsOwner
+								owner: this.workflowPermissions.isOwner
 									? this.$locale.baseText(
 											'workflowSettings.callerPolicy.options.workflowsFromSameOwner.owner',
 									  )
diff --git a/packages/editor-ui/src/components/__tests__/MainSidebarSourceControl.test.ts b/packages/editor-ui/src/components/__tests__/MainSidebarSourceControl.test.ts
index f6be1abc45..5c0423c33a 100644
--- a/packages/editor-ui/src/components/__tests__/MainSidebarSourceControl.test.ts
+++ b/packages/editor-ui/src/components/__tests__/MainSidebarSourceControl.test.ts
@@ -8,13 +8,13 @@ import { SETTINGS_STORE_DEFAULT_STATE } from '@/__tests__/utils';
 import MainSidebarSourceControl from '@/components/MainSidebarSourceControl.vue';
 import { useSourceControlStore } from '@/stores/sourceControl.store';
 import { useUIStore } from '@/stores/ui.store';
-import { useUsersStore } from '@/stores/users.store';
+import { useRBACStore } from '@/stores/rbac.store';
 import { createComponentRenderer } from '@/__tests__/render';
 
 let pinia: ReturnType<typeof createTestingPinia>;
 let sourceControlStore: ReturnType<typeof useSourceControlStore>;
 let uiStore: ReturnType<typeof useUIStore>;
-let usersStore: ReturnType<typeof useUsersStore>;
+let rbacStore: ReturnType<typeof useRBACStore>;
 
 const renderComponent = createComponentRenderer(MainSidebarSourceControl);
 
@@ -28,8 +28,8 @@ describe('MainSidebarSourceControl', () => {
 			},
 		});
 
-		usersStore = useUsersStore(pinia);
-		vi.spyOn(usersStore, 'isInstanceOwner', 'get').mockReturnValue(true);
+		rbacStore = useRBACStore(pinia);
+		vi.spyOn(rbacStore, 'hasScope').mockReturnValue(true);
 
 		sourceControlStore = useSourceControlStore();
 		vi.spyOn(sourceControlStore, 'isEnterpriseSourceControlEnabled', 'get').mockReturnValue(true);
@@ -38,7 +38,7 @@ describe('MainSidebarSourceControl', () => {
 	});
 
 	it('should render nothing when not instance owner', async () => {
-		vi.spyOn(usersStore, 'isInstanceOwner', 'get').mockReturnValue(false);
+		vi.spyOn(rbacStore, 'hasScope').mockReturnValue(false);
 		const { container } = renderComponent({ pinia, props: { isCollapsed: false } });
 		expect(container).toBeEmptyDOMElement();
 	});
diff --git a/packages/editor-ui/src/components/banners/V1Banner.vue b/packages/editor-ui/src/components/banners/V1Banner.vue
index e146911d2c..c6feb04c3b 100644
--- a/packages/editor-ui/src/components/banners/V1Banner.vue
+++ b/packages/editor-ui/src/components/banners/V1Banner.vue
@@ -1,15 +1,17 @@
 <script lang="ts" setup>
+import { computed } from 'vue';
 import BaseBanner from '@/components/banners/BaseBanner.vue';
 import { i18n as locale } from '@/plugins/i18n';
-import { useUsersStore } from '@/stores/users.store';
+import { hasPermission } from '@/rbac/permissions';
 import { useUIStore } from '@/stores/ui.store';
 
 const uiStore = useUIStore();
-const usersStore = useUsersStore();
 
 async function dismissPermanently() {
 	await uiStore.dismissBanner('V1', 'permanent');
 }
+
+const hasOwnerPermission = computed(() => hasPermission(['instanceOwner']));
 </script>
 
 <template>
@@ -17,7 +19,7 @@ async function dismissPermanently() {
 		<template #mainContent>
 			<span v-html="locale.baseText('banners.v1.message')"></span>
 			<a
-				v-if="usersStore.isInstanceOwner"
+				v-if="hasOwnerPermission"
 				:class="$style.link"
 				@click="dismissPermanently"
 				data-test-id="banner-confirm-v1"
diff --git a/packages/editor-ui/src/mixins/nodeHelpers.ts b/packages/editor-ui/src/mixins/nodeHelpers.ts
index 3c0999a04a..578f2959bf 100644
--- a/packages/editor-ui/src/mixins/nodeHelpers.ts
+++ b/packages/editor-ui/src/mixins/nodeHelpers.ts
@@ -38,12 +38,13 @@ import { isObject } from '@/utils/objectUtils';
 import { getCredentialPermissions } from '@/permissions';
 import { mapStores } from 'pinia';
 import { useSettingsStore } from '@/stores/settings.store';
-import { useUsersStore } from '@/stores/users.store';
+import { hasPermission } from '@/rbac/permissions';
 import { useWorkflowsStore } from '@/stores/workflows.store';
 import { useRootStore } from '@/stores/n8nRoot.store';
 import { useNodeTypesStore } from '@/stores/nodeTypes.store';
 import { useCredentialsStore } from '@/stores/credentials.store';
 import { defineComponent } from 'vue';
+import { useUsersStore } from '@/stores/users.store';
 
 export const nodeHelpers = defineComponent({
 	computed: {
@@ -53,7 +54,6 @@ export const nodeHelpers = defineComponent({
 			useNodeTypesStore,
 			useSettingsStore,
 			useWorkflowsStore,
-			useUsersStore,
 			useRootStore,
 		),
 	},
@@ -475,11 +475,13 @@ export const nodeHelpers = defineComponent({
 					}
 
 					if (nameMatches.length === 0) {
-						const isInstanceOwner = this.usersStore.isInstanceOwner;
 						const isCredentialUsedInWorkflow =
 							this.workflowsStore.usedCredentials?.[selectedCredentials.id as string];
 
-						if (!isCredentialUsedInWorkflow && !isInstanceOwner) {
+						if (
+							!isCredentialUsedInWorkflow &&
+							!hasPermission(['rbac'], { rbac: { scope: 'credential:read' } })
+						) {
 							foundIssues[credentialTypeDescription.name] = [
 								this.$locale.baseText('nodeIssues.credentials.doNotExist', {
 									interpolate: { name: selectedCredentials.name, type: credentialDisplayName },
diff --git a/packages/editor-ui/src/rbac/__tests__/permissions.test.ts b/packages/editor-ui/src/rbac/__tests__/permissions.test.ts
index 204ace46fa..01ff6b9bf1 100644
--- a/packages/editor-ui/src/rbac/__tests__/permissions.test.ts
+++ b/packages/editor-ui/src/rbac/__tests__/permissions.test.ts
@@ -6,6 +6,7 @@ vi.mock('@/rbac/checks', () => ({
 	hasScope: vi.fn(),
 	isGuest: vi.fn(),
 	isDefaultUser: vi.fn(),
+	isInstanceOwner: vi.fn(),
 	isAuthenticated: vi.fn(),
 	isEnterpriseFeatureEnabled: vi.fn(),
 	isValid: vi.fn(),
@@ -17,6 +18,7 @@ describe('hasPermission()', () => {
 		vi.mocked(checks.hasScope).mockReturnValue(true);
 		vi.mocked(checks.isGuest).mockReturnValue(true);
 		vi.mocked(checks.isDefaultUser).mockReturnValue(true);
+		vi.mocked(checks.isInstanceOwner).mockReturnValue(true);
 		vi.mocked(checks.isAuthenticated).mockReturnValue(true);
 		vi.mocked(checks.isEnterpriseFeatureEnabled).mockReturnValue(true);
 		vi.mocked(checks.isValid).mockReturnValue(true);
@@ -30,6 +32,7 @@ describe('hasPermission()', () => {
 				'rbac',
 				'role',
 				'defaultUser',
+				'instanceOwner',
 			]),
 		).toBe(true);
 	});
diff --git a/packages/editor-ui/src/rbac/checks/__tests__/isInstanceOwner.test.ts b/packages/editor-ui/src/rbac/checks/__tests__/isInstanceOwner.test.ts
new file mode 100644
index 0000000000..b63e55bb06
--- /dev/null
+++ b/packages/editor-ui/src/rbac/checks/__tests__/isInstanceOwner.test.ts
@@ -0,0 +1,26 @@
+import { useUsersStore } from '@/stores/users.store';
+import { isInstanceOwner } from '@/rbac/checks/isInstanceOwner';
+
+vi.mock('@/stores/users.store', () => ({
+	useUsersStore: vi.fn(),
+}));
+
+describe('Checks', () => {
+	describe('isInstanceOwner()', () => {
+		it('should return false if user not logged in', () => {
+			vi.mocked(useUsersStore).mockReturnValue({ isInstanceOwner: false } as ReturnType<
+				typeof useUsersStore
+			>);
+
+			expect(isInstanceOwner()).toBe(false);
+		});
+
+		it('should return true if user is default user', () => {
+			vi.mocked(useUsersStore).mockReturnValue({ isInstanceOwner: true } as unknown as ReturnType<
+				typeof useUsersStore
+			>);
+
+			expect(isInstanceOwner()).toBe(true);
+		});
+	});
+});
diff --git a/packages/editor-ui/src/rbac/checks/index.ts b/packages/editor-ui/src/rbac/checks/index.ts
index 17088ed8b1..a6f6f580f4 100644
--- a/packages/editor-ui/src/rbac/checks/index.ts
+++ b/packages/editor-ui/src/rbac/checks/index.ts
@@ -2,6 +2,7 @@ export * from './hasRole';
 export * from './hasScope';
 export * from './isAuthenticated';
 export * from './isDefaultUser';
+export * from './isInstanceOwner';
 export * from './isEnterpriseFeatureEnabled';
 export * from './isGuest';
 export * from './isValid';
diff --git a/packages/editor-ui/src/rbac/checks/isInstanceOwner.ts b/packages/editor-ui/src/rbac/checks/isInstanceOwner.ts
new file mode 100644
index 0000000000..fe52d9933a
--- /dev/null
+++ b/packages/editor-ui/src/rbac/checks/isInstanceOwner.ts
@@ -0,0 +1,5 @@
+import { useUsersStore } from '@/stores/users.store';
+import type { DefaultUserMiddlewareOptions, RBACPermissionCheck } from '@/types/rbac';
+
+export const isInstanceOwner: RBACPermissionCheck<DefaultUserMiddlewareOptions> = () =>
+	useUsersStore().isInstanceOwner;
diff --git a/packages/editor-ui/src/rbac/permissions.ts b/packages/editor-ui/src/rbac/permissions.ts
index f132ce8049..3ceb244287 100644
--- a/packages/editor-ui/src/rbac/permissions.ts
+++ b/packages/editor-ui/src/rbac/permissions.ts
@@ -3,6 +3,7 @@ import {
 	hasScope,
 	isAuthenticated,
 	isDefaultUser,
+	isInstanceOwner,
 	isEnterpriseFeatureEnabled,
 	isGuest,
 	isValid,
@@ -17,6 +18,7 @@ export const permissions: Permissions = {
 	authenticated: isAuthenticated,
 	custom: isValid,
 	defaultUser: isDefaultUser,
+	instanceOwner: isInstanceOwner,
 	enterprise: isEnterpriseFeatureEnabled,
 	guest: isGuest,
 	rbac: hasScope,
diff --git a/packages/editor-ui/src/stores/cloudPlan.store.ts b/packages/editor-ui/src/stores/cloudPlan.store.ts
index 2278ad4116..06f58aa3a5 100644
--- a/packages/editor-ui/src/stores/cloudPlan.store.ts
+++ b/packages/editor-ui/src/stores/cloudPlan.store.ts
@@ -8,6 +8,7 @@ import { useUsersStore } from '@/stores/users.store';
 import { getAdminPanelLoginCode, getCurrentPlan, getCurrentUsage } from '@/api/cloudPlans';
 import { DateTime } from 'luxon';
 import { CLOUD_TRIAL_CHECK_INTERVAL, STORES } from '@/constants';
+import { hasPermission } from '@/rbac/permissions';
 
 const DEFAULT_STATE: CloudPlanState = {
 	initialized: false,
@@ -55,13 +56,13 @@ export const useCloudPlanStore = defineStore(STORES.CLOUD_PLAN, () => {
 
 	const hasCloudPlan = computed(() => {
 		const cloudUserId = settingsStore.settings.n8nMetadata?.userId;
-		return usersStore.isInstanceOwner && settingsStore.isCloudDeployment && cloudUserId;
+		return hasPermission(['instanceOwner']) && settingsStore.isCloudDeployment && cloudUserId;
 	});
 
 	const getUserCloudAccount = async () => {
 		if (!hasCloudPlan.value) throw new Error('User does not have a cloud plan');
 		try {
-			if (useUsersStore().isInstanceOwner) {
+			if (hasPermission(['instanceOwner'])) {
 				await usersStore.fetchUserCloudAccount();
 				if (!usersStore.currentUserCloudInfo?.confirmed && !userIsTrialing.value) {
 					useUIStore().pushBannerToStack('EMAIL_CONFIRMATION');
diff --git a/packages/editor-ui/src/stores/externalSecrets.ee.store.ts b/packages/editor-ui/src/stores/externalSecrets.ee.store.ts
index e646cb0ed9..3039c37cac 100644
--- a/packages/editor-ui/src/stores/externalSecrets.ee.store.ts
+++ b/packages/editor-ui/src/stores/externalSecrets.ee.store.ts
@@ -5,13 +5,13 @@ import { useRootStore } from '@/stores/n8nRoot.store';
 import { useSettingsStore } from '@/stores/settings.store';
 import * as externalSecretsApi from '@/api/externalSecrets.ee';
 import { connectProvider } from '@/api/externalSecrets.ee';
-import { useUsersStore } from '@/stores/users.store';
+import { useRBACStore } from '@/stores/rbac.store';
 import type { ExternalSecretsProvider } from '@/Interface';
 
 export const useExternalSecretsStore = defineStore('externalSecrets', () => {
 	const rootStore = useRootStore();
 	const settingsStore = useSettingsStore();
-	const usersStore = useUsersStore();
+	const rbacStore = useRBACStore();
 
 	const state = reactive({
 		providers: [] as ExternalSecretsProvider[],
@@ -65,7 +65,7 @@ export const useExternalSecretsStore = defineStore('externalSecrets', () => {
 	});
 
 	async function fetchAllSecrets() {
-		if (usersStore.isInstanceOwner) {
+		if (rbacStore.hasScope('externalSecret:list')) {
 			try {
 				state.secrets = await externalSecretsApi.getExternalSecrets(rootStore.getRestApiContext);
 			} catch (error) {
diff --git a/packages/editor-ui/src/stores/ui.store.ts b/packages/editor-ui/src/stores/ui.store.ts
index 36812f0a2e..05f6cbe5c8 100644
--- a/packages/editor-ui/src/stores/ui.store.ts
+++ b/packages/editor-ui/src/stores/ui.store.ts
@@ -60,7 +60,7 @@ import { getCurlToJson } from '@/api/curlHelper';
 import { useCloudPlanStore } from '@/stores/cloudPlan.store';
 import { useWorkflowsStore } from '@/stores/workflows.store';
 import { useSettingsStore } from '@/stores/settings.store';
-import { useUsersStore } from '@/stores/users.store';
+import { hasPermission } from '@/rbac/permissions';
 import { useTelemetryStore } from '@/stores/telemetry.store';
 import { dismissBannerPermanently } from '@/api/ui';
 import type { BannerName } from 'n8n-workflow';
@@ -374,9 +374,7 @@ export const useUIStore = defineStore(STORES.UI, {
 
 				const searchParams = new URLSearchParams();
 
-				const isOwner = useUsersStore().isInstanceOwner;
-
-				if (deploymentType === 'cloud' && isOwner) {
+				if (deploymentType === 'cloud' && hasPermission(['instanceOwner'])) {
 					const adminPanelHost = new URL(window.location.href).host.split('.').slice(1).join('.');
 					const { code } = await useCloudPlanStore().getAutoLoginCode();
 					linkUrl = `https://${adminPanelHost}/login`;
diff --git a/packages/editor-ui/src/stores/users.store.ts b/packages/editor-ui/src/stores/users.store.ts
index bfc2e22c07..135d85bd37 100644
--- a/packages/editor-ui/src/stores/users.store.ts
+++ b/packages/editor-ui/src/stores/users.store.ts
@@ -137,7 +137,7 @@ export const useUsersStore = defineStore(STORES.USERS, {
 						: undefined,
 					isDefaultUser: isDefaultUser(updatedUser),
 					isPendingUser: isPendingUser(updatedUser),
-					isOwner: updatedUser.globalRole?.name === ROLE.Owner,
+					isOwner: isInstanceOwner(updatedUser),
 				};
 
 				this.users = {
diff --git a/packages/editor-ui/src/types/rbac.ts b/packages/editor-ui/src/types/rbac.ts
index 169a7a0a73..4fbff27728 100644
--- a/packages/editor-ui/src/types/rbac.ts
+++ b/packages/editor-ui/src/types/rbac.ts
@@ -5,6 +5,7 @@ import type { IRole } from '@/Interface';
 export type AuthenticatedPermissionOptions = {};
 export type CustomPermissionOptions<C = {}> = RBACPermissionCheck<C>;
 export type DefaultUserMiddlewareOptions = {};
+export type InstanceOwnerMiddlewareOptions = {};
 export type EnterprisePermissionOptions = {
 	feature?: EnterpriseEditionFeature | EnterpriseEditionFeature[];
 	mode?: 'oneOf' | 'allOf';
@@ -23,6 +24,7 @@ export type PermissionType =
 	| 'authenticated'
 	| 'custom'
 	| 'defaultUser'
+	| 'instanceOwner'
 	| 'enterprise'
 	| 'guest'
 	| 'rbac'
@@ -31,6 +33,7 @@ export type PermissionTypeOptions = {
 	authenticated: AuthenticatedPermissionOptions;
 	custom: CustomPermissionOptions;
 	defaultUser: DefaultUserMiddlewareOptions;
+	instanceOwner: InstanceOwnerMiddlewareOptions;
 	enterprise: EnterprisePermissionOptions;
 	guest: GuestPermissionOptions;
 	rbac: RBACPermissionOptions;
diff --git a/packages/editor-ui/src/views/SettingsLogStreamingView.vue b/packages/editor-ui/src/views/SettingsLogStreamingView.vue
index f2e3d975a6..e1925a6045 100644
--- a/packages/editor-ui/src/views/SettingsLogStreamingView.vue
+++ b/packages/editor-ui/src/views/SettingsLogStreamingView.vue
@@ -28,14 +28,14 @@
 						<event-destination-card
 							:destination="logStreamingStore.items[item.key]?.destination"
 							:eventBus="eventBus"
-							:isInstanceOwner="isInstanceOwner"
+							:readonly="!canManageLogStreaming"
 							@remove="onRemove(logStreamingStore.items[item.key]?.destination?.id)"
 							@edit="onEdit(logStreamingStore.items[item.key]?.destination?.id)"
 						/>
 					</el-col>
 				</el-row>
 				<div class="mt-m text-right">
-					<n8n-button v-if="isInstanceOwner" size="large" @click="addDestination">
+					<n8n-button v-if="canManageLogStreaming" size="large" @click="addDestination">
 						{{ $locale.baseText(`settings.log-streaming.add`) }}
 					</n8n-button>
 				</div>
@@ -77,7 +77,7 @@ import { defineComponent, nextTick } from 'vue';
 import { mapStores } from 'pinia';
 import { v4 as uuid } from 'uuid';
 import { useWorkflowsStore } from '@/stores/workflows.store';
-import { useUsersStore } from '@/stores/users.store';
+import { hasPermission } from '@/rbac/permissions';
 import { useCredentialsStore } from '@/stores/credentials.store';
 import { useLogStreamingStore } from '@/stores/logStreaming.store';
 import { useSettingsStore } from '@/stores/settings.store';
@@ -100,13 +100,11 @@ export default defineComponent({
 			destinations: Array<MessageEventBusDestinationOptions>,
 			disableLicense: false,
 			allDestinations: [] as MessageEventBusDestinationOptions[],
-			isInstanceOwner: false,
 		};
 	},
 	async mounted() {
 		if (!this.isLicensed) return;
 
-		this.isInstanceOwner = this.usersStore.currentUser?.globalRole?.name === 'owner';
 		// Prepare credentialsStore so modals can pick up credentials
 		await this.credentialsStore.fetchCredentialTypes(false);
 		await this.credentialsStore.fetchAllCredentials();
@@ -141,7 +139,6 @@ export default defineComponent({
 			useLogStreamingStore,
 			useWorkflowsStore,
 			useUIStore,
-			useUsersStore,
 			useCredentialsStore,
 		),
 		sortedItemKeysByLabel() {
@@ -158,6 +155,9 @@ export default defineComponent({
 			if (this.disableLicense) return false;
 			return this.settingsStore.isEnterpriseFeatureEnabled(EnterpriseEditionFeature.LogStreaming);
 		},
+		canManageLogStreaming(): boolean {
+			return hasPermission(['rbac'], { rbac: { scope: 'logStreaming:manage' } });
+		},
 	},
 	methods: {
 		onDestinationWasSaved() {