# RBAC & roles
Control who can create watches, manage API keys, invite teammates, configure SSO, and export drift history — scoped per organization on Team plans.
Shipped: CP-6.1 org RBAC with five membership roles and permission-gated API routes. Bindings can scope access by repository reference (CP-2).
## Organization roles

| Role | Summary |
|---|---|
| owner | Full org control — billing, SSO, delete org, all watch operations |
| admin | Manage members, watches, keys, integrations; no billing write unless also owner |
| member | Create and edit watches, run checks, export drift, CI assert |
| viewer | Read-only console — watches, drift, analytics, audit log view |
| billing_admin | Checkout, invoices, seat changes — no watch delete |
## Permission matrix

| Permission | viewer | member | billing_admin | admin | owner |
|---|---|---|---|---|---|
| watches:read | ✓ | ✓ | ✓ | ✓ | ✓ |
| watches:write | | ✓ | | ✓ | ✓ |
| watches:delete | | | | ✓ | ✓ |
| drift:export | | ✓ | | ✓ | ✓ |
| keys:manage | | | | ✓ | ✓ |
| org:members:invite | | | | ✓ | ✓ |
| billing:write | | | ✓ | | ✓ |
| sso:manage | | | | | ✓ |
| activity:read | ✓ | ✓ | ✓ | ✓ | ✓ |
## Scoped API keys

Org API keys inherit the creating member's role defaults at provision time. Keys scoped to an org are checked against the same permission set as members; use separate keys for CI (ci:assert) and for human-driven automation, so each key carries only the permissions its job needs.

```http
POST /api/orgs/{orgId}/keys

{ "name": "CI coverage gate" }
```
## Inviting teammates

```http
POST /api/orgs/{orgId}/invites

{ "email": "eng@acme.test", "role": "member" }
```

Requires the admin or owner role. Seat capacity is enforced before the invite is sent; enforcement events are recorded in the audit log.
## Bindings & repo scope

Agent bindings carry an optional repoRef (org/repo@branch) that remediation approval rules use. RBAC gates who can acknowledge incidents and force approval; it does not control which repos a binding monitors.
## Effective access
Final access = org role ∩ plan entitlements ∩ API key scopes. Team features (audit export, SSO, seats) require Team or Enterprise plan regardless of role.
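The intersection rule above, combined with the permission matrix, as an added reference-model example (not the product's own authorization code). The role permissions are transcribed from the matrix on this page; the plan gating of `sso:manage` and `org:members:invite` to Team/Enterprise plans, and the plan names `free`, `team` and `enterprise`, are assumptions for illustration.

```python
# Effective access = org role ∩ plan entitlements ∩ API key scopes.
# Role -> permissions, transcribed from this page's permission matrix.
ROLE_PERMISSIONS = {
    "viewer": {"watches:read", "activity:read"},
    "member": {"watches:read", "watches:write", "drift:export", "activity:read"},
    "billing_admin": {"watches:read", "billing:write", "activity:read"},
    "admin": {"watches:read", "watches:write", "watches:delete", "drift:export",
              "keys:manage", "org:members:invite", "activity:read"},
}
ALL_PERMISSIONS = frozenset().union(*ROLE_PERMISSIONS.values()) | {"sso:manage"}
ROLE_PERMISSIONS["owner"] = set(ALL_PERMISSIONS)  # owner: full org control

# Assumed plan gating (illustrative): SSO and seat management are Team/Enterprise only.
TEAM_ONLY = frozenset({"sso:manage", "org:members:invite"})
TEAM_PLANS = frozenset({"team", "enterprise"})


def plan_entitlements(plan: str) -> frozenset:
    """Permissions the plan allows at all, regardless of role."""
    if plan in TEAM_PLANS:
        return ALL_PERMISSIONS
    return ALL_PERMISSIONS - TEAM_ONLY


def default_key_scopes(creator_role: str) -> frozenset:
    """A new org API key inherits its creator's role defaults at provision time."""
    return frozenset(ROLE_PERMISSIONS[creator_role])


def effective_permissions(role: str, plan: str, key_scopes=None) -> frozenset:
    """Intersect all three layers; an unknown role yields no access (fail closed)."""
    perms = frozenset(ROLE_PERMISSIONS.get(role, ()))
    perms &= plan_entitlements(plan)
    if key_scopes is not None:  # request made with an API key, not a session
        perms &= frozenset(key_scopes)
    return perms


def authorize(role: str, plan: str, permission: str, key_scopes=None) -> bool:
    """Permission-gated route check: True only if every layer grants it."""
    return permission in effective_permissions(role, plan, key_scopes)
```

A CI key narrowed to `{"watches:read"}` cannot export drift even when its creator is a member, and an owner on a non-Team plan still cannot manage SSO.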