Find permission-denied friction in B2B apps

Surface users and accounts repeatedly hitting 403s, role gates, or missing-seat paths so product can fix admin and permission UX.

Published

difficulty intermediate · time to value 5 minutes

Start from this

Show permission-denied friction for the last 14 days: users hitting role gates, accounts with repeated 403s, and the features they were trying to access.

Why this matters

In B2B products, the buyer and user are often different people. Permission errors are not just security events; they are product friction, support tickets, and expansion signals.

What you get

  • Features most often blocked by permissions
  • Accounts where non-admin users repeatedly hit gates
  • Role gaps that suggest better invite/admin UX
  • Follow-up users for CS or product research

Walk through it

You

Where are users getting blocked by permissions?

Agent

I’ll group permission-denied events by account, feature, and role.

Endpoint: POST /v1/projects/:project_id/analytics/query
Exact shape: /v1/openapi.json?path=%2Fv1%2Fprojects%2F%7Bproject_id%7D%2Fanalytics%2Fquery&method=post
Custom HogQL goes in the OpenAPI-defined `query` field.
Concept fields:
  query: "SELECT properties.account_id AS account, properties.feature AS feature, properties.role AS role, properties.required_role AS required_role, count() AS denied_count, count(DISTINCT distinct_id) AS users FROM events WHERE event = 'permission_denied' AND timestamp > now() - INTERVAL 14 DAY GROUP BY account, feature, role, required_role ORDER BY denied_count DESC LIMIT 50"

The output

The agent returns a ranked list and suggests whether the fix is copy, permission defaults, admin nudges, or sales/CS outreach.

Setting it up

Emit permission_denied anywhere the app blocks a user for role or plan reasons. Include both current role and required role.

Variations

  • “Show only paying accounts.”
  • “Find users who got blocked and then churned.”
  • “Draft a product issue for the top blocked workflow.”

Adapt this playbook in your own agent.

Ask your agent to map the starter prompt to your saved signal map, live events, and the current HTTP API before answering.

Set up Agentry in this repo by following https://agentry.sh/install.md. I authorize you to: run its device-code login and save the key to ~/.agentry/credentials.json, read this repo, propose an instrumentation plan for my approval, and edit code after I approve it.

+ Full access
5.5 Extra High
  1. 1. Open your repo in Codex, Claude Code, Cursor etc.
  2. 2. Paste the install prompt.
  3. 3. Your agent reads the install doc and shows you an implementation plan for approval.