Roles
Every user has one or more roles that regulate which actions they can execute. We have roles geared toward managers, developers, operations, security, CI, and more.
How roles are applied
Roles don’t grant access by themselves. A role only takes effect when it’s attached to a user through a grant at a specific resource (NRN).
If you’re looking for how to assign roles or manage grants, see Grants and permissions.
Management roles
| Role | ID | Slug | Description |
|---|---|---|---|
| Admin | 696188987 | admin | - Create and destroy resources and invite users with other roles. - Manage the organization, account, or namespace. - Create, modify, and delete applications and their scopes. - Admin roles automatically include Developer permissions. |
| Insights viewer | 724959298 | insights-viewer | - View reports and insights about the organization. |
Developer-centric roles
| Role | ID | Slug | Description |
|---|---|---|---|
| Developer | 700317756 | developer | - Manage applications in a namespace. - Create applications, parameters, and deployments. - Can create builds, releases, and scopes, and start them. - View logs, performance, metadata, and troubleshoot. - Cannot make changes at the organization or account level. - Includes Member permissions by default. |
| Member | 704380989 | member | - Read-only access to resources. - Can view organization, account, namespace, and application information. - Included by default in all roles. - Cannot make changes. |
DevOps, infrastructure, security, and FinOps-centric roles
| Role | ID | Slug | Description |
|---|---|---|---|
| Ops | 708509758 | ops | - Configure the infrastructure for the organization, account, namespace, or application. - Includes Member permissions by default. |
| SecOps | 712638527 | secops | - Configure security-related features for the organization, account, namespace, or application. - Includes Member permissions. - Includes permission to read secret values. |
Machine user roles
These roles are intended for machine users and API keys.
| Role | ID | Slug | Description |
|---|---|---|---|
| Secrets Reader | 679739447 | secrets-reader | - Role for client environment to read secret parameters. |
| Agent | 618135592 | controlplane:agent | - Role to be used by nullplatform agents. |
| CI | 1855672260 | organization:machine:ci | - Machine user that performs continuous integration in an organization. - Create builds, assets, releases, and metadata. - Includes Member permissions by default. |