Roles and permissions

Roles and permissions are used to configure role-based access control (RBAC) for your projects.

A permission is a key that grants access to some piece of functionality. A role is a unique set of permissions.

You can assign the following two types of roles to users:

  • Organization roles: manage access to the organization.
  • Project roles: manage access to a project and its resources.

A combination of organization and project roles defines a user's access.

Organization roles

When users are invited to an organization, they are assigned to one of the following organization roles:

  • viewer: Has read-only permission and restricted access.
  • billing: Can manage billing of the organization.
  • member: Can see other members of the organization. Cannot change access controls, invite people, see feedback, or manage organization settings.
  • owner: Has permission to everything, including the ability to invite people, change access controls, and review feedback. Has admin access to all organization projects by default.

Users with an owner organization role can also do the following from the Admin panel:

  • invite users to the organization
  • update other users' organization roles
  • view and update organization settings
  • view and update organization SSO and login details
  • view and update organization API keys
  • view and create teams
  • assign users to teams

Most users in your organization should have the member role, which gives them access to the project panel only. From the project panel, members can select projects, and their access to each project is determined by their project roles. Access to specific project functionality is controlled by assigning project roles to teams of users.

Project roles

Project roles are assigned to teams for each specific project in the redocly.yaml configuration file.

The following is a list of available project roles:

  • none: grants no access permissions
  • read: grants read-only access to files or pages; Pro and Enterprise only
  • triage: grants read access to files or pages; also grants the ability to see logs and other information; for contributors who need to proactively manage issues, discussions, and pull requests but do not need write access; Enterprise only
  • write: grants read and write access to files or pages; also the ability to comment on reviews; for contributors who actively push updates to your project; Enterprise only
  • maintain: grants all access permissions except the ability to manage users and permissions; for contributors who need to manage the repository but do not need access to sensitive data or destructive actions; Enterprise only
  • admin: grants all access permissions; for people who need full access to the project, including sensitive data and destructive actions like managing security or deleting a repository

When users become members of a team, they are granted access based on the roles assigned to the team.
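The combined resolution described on this page (an owner organization role gives admin on every project; everyone else gets the project role assigned to their teams, and a permission check is a lookup of a key in the effective role's permission set) as an added Python model. This is illustration code written for this page, not Redocly's implementation, and it does not read `redocly.yaml`. The role names and the owner rule come from the page; the permission keys, the rule that a user in several teams gets the most privileged assigned role, and the sample users, teams and projects are assumptions constructed for the example.

```python
"""Organization + project RBAC resolution (hypothetical model, not Redocly's code)."""
from __future__ import annotations

from dataclasses import dataclass

ORG_ROLES = {"viewer", "billing", "member", "owner"}

# Project roles in increasing order of privilege, as listed on the page.
PROJECT_ROLES = ["none", "read", "triage", "write", "maintain", "admin"]
RANK = {role: i for i, role in enumerate(PROJECT_ROLES)}

# Each role adds permission keys on top of the previous one. The keys are
# constructed for this example to mirror the page's prose descriptions.
_ADDED_BY_ROLE = {
    "none": set(),
    "read": {"files:read"},
    "triage": {"logs:read", "issues:manage"},
    "write": {"files:write", "reviews:comment"},
    "maintain": {"repo:manage"},
    "admin": {"users:manage", "permissions:manage", "secrets:read", "repo:delete"},
}


def _build_permissions() -> dict[str, frozenset[str]]:
    """Expand the incremental table into the full permission set of each role."""
    perms: dict[str, frozenset[str]] = {}
    acc: set[str] = set()
    for role in PROJECT_ROLES:
        acc |= _ADDED_BY_ROLE[role]
        perms[role] = frozenset(acc)
    return perms


ROLE_PERMISSIONS = _build_permissions()


@dataclass
class Organization:
    org_roles: dict[str, str]                 # user -> organization role
    teams: dict[str, set[str]]                # team -> member user names
    project_roles: dict[str, dict[str, str]]  # project -> {team: project role}


def validate(org: Organization) -> list[str]:
    """Report unknown roles and teams in the configuration instead of failing later."""
    problems: list[str] = []
    for user, role in org.org_roles.items():
        if role not in ORG_ROLES:
            problems.append(f"user {user!r}: unknown organization role {role!r}")
    for project, assignments in org.project_roles.items():
        for team, role in assignments.items():
            if team not in org.teams:
                problems.append(f"project {project!r}: unknown team {team!r}")
            if role not in RANK:
                problems.append(f"project {project!r}, team {team!r}: unknown project role {role!r}")
    return problems


def effective_project_role(org: Organization, user: str, project: str) -> str:
    """Resolve the project role a user ends up with on one project."""
    org_role = org.org_roles.get(user)
    if org_role is None:
        return "none"   # not invited to the organization at all
    if org_role == "owner":
        return "admin"  # owners have admin access to all projects by default
    # Everyone else is resolved through team assignments. Assumption: a user
    # who is in several teams gets the most privileged of the assigned roles.
    assignments = org.project_roles.get(project, {})
    best = "none"
    for team, members in org.teams.items():
        if user in members and team in assignments:
            role = assignments[team]
            if RANK.get(role, -1) > RANK[best]:  # unknown roles are ignored
                best = role
    return best


def has_permission(org: Organization, user: str, project: str, permission: str) -> bool:
    """A permission check is membership of the key in the effective role's set."""
    return permission in ROLE_PERMISSIONS[effective_project_role(org, user, project)]


# Constructed sample organization; the names and projects are made up.
SAMPLE_ORG = Organization(
    org_roles={"alice": "owner", "bob": "member", "carol": "member", "dave": "member"},
    teams={"docs-writers": {"bob", "carol"}, "triagers": {"carol"}, "ops": {"dave"}},
    project_roles={
        "api-docs": {"docs-writers": "write", "triagers": "triage"},
        "internal-portal": {"ops": "maintain"},
    },
)

if __name__ == "__main__":
    assert validate(SAMPLE_ORG) == []
    for user in ("alice", "bob", "carol", "dave", "eve"):
        for project in SAMPLE_ORG.project_roles:
            print(f"{user:6} {project:16} -> {effective_project_role(SAMPLE_ORG, user, project)}")
```

Running the script prints the effective role of each sample user on each project; `eve`, who was never invited, resolves to `none` everywhere, and `carol`, who is in both `docs-writers` and `triagers`, resolves to `write` on `api-docs`. The `validate` function is the check worth running before trusting any resolution: a misspelled role name in a team assignment otherwise silently grants nothing, which is easy to mistake for a correctly restrictive configuration.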
