Download all
Docs · Account · Roles

Roles and permissions

Projects have four roles. New invitees join as Viewer by default so the project owner upgrades them as needed.

Permission matrix

RoleCanCannot
OwnerEverything including delete project plus change billing.Nothing is off limits.
AdminManage members, rules, keys, webhooks. Read all checks plus users.Delete project or change billing.
MemberCreate and edit rules, manage keys, view all checks.Manage members or billing.
ViewerRead only access to checks, users, rules.Create, edit or delete anything.

Enforcement

Roles are enforced at the API layer. Mutation endpoints return 403 with error.code = "viewer_readonly" when the role doesn't permit the action. In the dashboard, mutation controls are hidden rather than just disabled for viewers.