Why this matters
In B2B products, the buyer and user are often different people. Permission errors are not just security events; they are product friction, support tickets, and expansion signals.
What you get
- Features most often blocked by permissions
- Accounts where non-admin users repeatedly hit gates
- Role gaps that suggest better invite/admin UX
- Follow-up users for CS or product research
Walk through it
You
Where are users getting blocked by permissions?
Agent
I’ll group permission-denied events by account, feature, and role.
POST /v1/projects/:project_id/analytics/query {
project_id: "default",
hogql: "SELECT properties.account_id AS account, properties.feature AS feature, properties.role AS role, properties.required_role AS required_role, count() AS denied_count, count(DISTINCT distinct_id) AS users FROM events WHERE event = 'permission_denied' AND timestamp > now() - INTERVAL 14 DAY GROUP BY account, feature, role, required_role ORDER BY denied_count DESC LIMIT 50"
}The output
The agent returns a ranked list and suggests whether the fix is copy, permission defaults, admin nudges, or sales/CS outreach.
Setting it up
Emit permission_denied anywhere the app blocks a user for role or plan reasons. Include both current role and required role.
Variations
- “Show only paying accounts.”
- “Find users who got blocked and then churned.”
- “Draft a product issue for the top blocked workflow.”