[Fix] UI - Default Team Settings: Add Missing Permission Options

[yuneng-jiang]

Summary

Problem

The PERMISSION_OPTIONS constant in TeamSSOSettings.tsx was missing /key/aliases, /team/daily/activity, /key/info, and /key/list. Users could not see or select these permissions in the Default Team Settings UI.

Fix

Added the missing permission routes to PERMISSION_OPTIONS. Also added team_member_permissions field to the DefaultTeamSSOParams backend type using the existing KeyManagementRoutes enum, and refactored the settings page layout for clarity.

Testing

• Verified the permission dropdown now shows all expected options including /key/aliases, /team/daily/activity, /key/info, and /key/list

Type

🐛 Bug Fix

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
litellm	Ready	Preview, Comment	Mar 18, 2026 8:12pm

[greptile-apps]

Greptile Summary

This PR adds four previously-missing routes (/key/info, /key/list, /key/aliases, /team/daily/activity) to the PERMISSION_OPTIONS constant in TeamSSOSettings.tsx, restoring parity between the frontend dropdown and the backend KeyManagementRoutes enum. After this change, all 14 entries in LiteLLMRoutes.key_management_routes (excluding the always-granted /key/health baseline) are represented in the UI.

Key observations:

• The four new routes are valid members of KeyManagementRoutes and are consistent with what the backend's /team/permissions_list endpoint already returns via get_all_available_team_member_permissions().
• The underlying maintenance risk — a static frontend list that must be kept in sync manually with the backend enum — is still present. The backend already exposes GET /team/permissions_list for exactly this purpose; fetching options dynamically at runtime would eliminate future drift.
• The PR description mentions a backend change to DefaultTeamSSOParams (team_member_permissions field), but that field is already present in litellm/types/proxy/management_endpoints/ui_sso.py on the base branch (litellm_yj_march_18_2026), so no backend files are modified in this PR's diff.

Confidence Score: 4/5

• Safe to merge — the change is a minimal, additive UI fix with no backend modifications and no behavioral regressions.
• The diff is 4 lines, all of which are valid route strings that match the backend enum exactly. No logic, state management, or API calls are modified. The only open concern is that the hardcoded list remains a maintenance burden, but this is a pre-existing architectural issue not introduced by this PR.
• No files require special attention.

Important Files Changed

Filename	Overview
ui/litellm-dashboard/src/components/TeamSSOSettings.tsx	Adds 4 missing routes (/key/info, /key/list, /key/aliases, /team/daily/activity) to PERMISSION_OPTIONS, bringing the frontend back in sync with the backend KeyManagementRoutes enum. The change is correct and low-risk, but the static hardcoded list remains a maintenance hazard since the backend already provides a dynamic /team/permissions_list endpoint.

Sequence Diagram

sequenceDiagram
    participant UI as TeamSSOSettings UI
    participant API as LiteLLM Proxy API
    participant DB as Database

    UI->>API: GET /team/default_settings
    API-->>UI: DefaultTeamSSOParams (incl. team_member_permissions)
    UI->>UI: Populate dropdown from hardcoded PERMISSION_OPTIONS

    Note over UI: User selects permissions & saves

    UI->>API: POST /team/update_default_settings (team_member_permissions=[...])
    API->>DB: Persist DefaultTeamSSOParams

    Note over API,DB: On new team creation via SSO

    API->>DB: Create team with default team_member_permissions
    API->>API: get_permissions_for_team_member()
    Note right of API: Always adds BASELINE_TEAM_MEMBER_PERMISSIONS<br>(/key/info + /key/health)
    API-->>API: Final effective permissions = stored + baseline

    Note over UI,API: Alternative (not yet implemented):<br>UI could call GET /team/permissions_list<br>to dynamically populate PERMISSION_OPTIONS

Loading

Comments Outside Diff (1)

1. ui/litellm-dashboard/src/components/TeamSSOSettings.tsx, line 18-33 (link)

   Hardcoded list will drift from backend again

   PERMISSION_OPTIONS is a static frontend array that must now be manually kept in sync with the backend's KeyManagementRoutes enum (in litellm/proxy/_types.py). The backend already exposes a dynamic endpoint — GET /team/permissions_list — that calls TeamMemberPermissionChecks.get_all_available_team_member_permissions() and returns exactly this list at runtime.

   The root cause of this bug (missing routes) was precisely that the hardcoded list fell out of sync. After this fix, the two are aligned again, but the next time a route is added to KeyManagementRoutes the UI will silently lag behind until someone notices and opens another PR.

   Consider fetching the options dynamically in the useEffect hook, similar to how getDefaultTeamSettings is already called:

   // In fetchSettings:
   const [permissionOptions, setPermissionOptions] = useState<string[]>([]);
   // ...
   const permissions = await fetchTeamPermissionsList(accessToken); // calls GET /team/permissions_list
   setPermissionOptions(permissions);

   This would make the dropdown self-updating any time the backend is extended.

_{Last reviewed commit: "Add missing permissi..."}

[greptile-apps]

/key/info in dropdown contradicts "always included" description

/key/info is listed as a selectable option in PERMISSION_OPTIONS (line 29), but the SettingRow description on line 297 explicitly states: "/key/info and /key/health are always included."

This is contradictory: if /key/info is always granted automatically, it should NOT be a user-selectable option (a user might uncheck it, believing it was removed, when in reality it still applies). /key/health is consistently absent from the dropdown — it appears the same treatment was intended for /key/info.

Either:

• Remove /key/info from PERMISSION_OPTIONS (matching the treatment of /key/health and the description), or
• Update the description to clarify that only /key/health is always included, and /key/info is optional.

Suggested change

	"/key/info",
	"/key/list",
	"/key/aliases",
	"/team/daily/activity",
	"/key/generate",
	"/key/update",
	"/key/delete",
	"/key/regenerate",
	"/key/service-account/generate",
	"/key/{key_id}/regenerate",
	"/key/block",
	"/key/unblock",
	"/key/bulk_update",
	"/key/{key_id}/reset_spend",
	"/key/list",
	"/key/aliases",
	"/team/daily/activity",

[greptile-apps]

Unused props userID and userRole in interface

The TeamSSOSettingsProps interface still declares userID: string and userRole: string, but the component destructures only { accessToken } (line 88). Both callers (TeamsView.tsx:339 and OldTeams.tsx:1029) pass these props, but they are silently ignored inside the component.

These were previously used to fetch available models via modelAvailableCall, which was removed in this PR. Consider removing the unused props from the interface (and the corresponding call sites) to keep the public API clean and avoid misleading future readers.

Suggested change

	interface TeamSSOSettingsProps {
	accessToken: string | null;
	userID: string;
	userRole: string;
	}
	interface TeamSSOSettingsProps {
	accessToken: string | null;
	}