RBAC & roles

Control who can create watches, manage API keys, invite teammates, configure SSO, and export drift history — scoped per organization on Team plans.

Shipped: CP-6.1 org RBAC with five membership roles and permission-gated API routes. Bindings can scope access by repository reference (CP-2).

Organization roles

Role           Summary
owner          Full org control — billing, SSO, delete org, all watch operations
admin          Manage members, watches, keys, integrations; no billing write unless also owner
member         Create and edit watches, run checks, export drift, CI assert
viewer         Read-only console — watches, drift, analytics, audit log view
billing_admin  Checkout, invoices, seat changes — no watch delete

Permission matrix

Permission           viewer  member  billing_admin  admin  owner
watches:read           ✓       ✓          ✓           ✓      ✓
watches:write                  ✓                      ✓      ✓
watches:delete                                        ✓      ✓
drift:export                   ✓                      ✓      ✓
keys:manage                                           ✓      ✓
org:members:invite                                    ✓      ✓
billing:write                             ✓                  ✓
sso:manage                                                   ✓
activity:read          ✓       ✓          ✓           ✓      ✓

Scoped API keys

Org API keys inherit the creating member’s role defaults at provision time. Keys scoped to org respect the same permission set — use separate keys for CI (ci:assert) vs human automation.

POST /api/orgs/{orgId}/keys
{ "name": "CI coverage gate" }

Inviting teammates

POST /api/orgs/{orgId}/invites
{ "email": "eng@acme.test", "role": "member" }

Requires admin or owner. Seat capacity enforced before invite is sent — see audit log for enforcement events.

Bindings & repo scope

Agent bindings carry an optional repoRef (org/repo@branch) used by remediation approval rules. RBAC gates who can ack incidents and force approval — not which repos a binding monitors.

Effective access

Final access = org role ∩ plan entitlements ∩ API key scopes. Team features (audit export, SSO, seats) require Team or Enterprise plan regardless of role.
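The intersection rule above, worked through as an added example (not the product's own code): the permission matrix and role table from this page are encoded directly, while the plan names and the exact set of permissions the Team-plan gate covers (taken here as SSO and seat/invite management) are assumptions.

```python
from typing import FrozenSet, Iterable, Optional

# Permission matrix from this page, one set per membership role.
ROLE_PERMISSIONS = {
    "viewer": {"watches:read", "activity:read"},
    "member": {"watches:read", "watches:write", "drift:export", "activity:read"},
    "billing_admin": {"watches:read", "billing:write", "activity:read"},
    "admin": {"watches:read", "watches:write", "watches:delete", "drift:export",
              "keys:manage", "org:members:invite", "activity:read"},
}
ROLE_PERMISSIONS["owner"] = set().union(*ROLE_PERMISSIONS.values()) | {"sso:manage"}

# Assumption: plan identifiers and the permissions behind the Team-plan gate
# (SSO and seat management) are not spelled out as identifiers on the page.
TEAM_PLANS = {"team", "enterprise"}
PLAN_GATED = {"sso:manage", "org:members:invite"}


def key_default_scopes(creator_role: str) -> FrozenSet[str]:
    """Scopes an org API key receives at provision time: a snapshot of the
    creating member's role defaults that does not follow later role changes."""
    return frozenset(ROLE_PERMISSIONS[creator_role])


def effective_permissions(role: str, plan: str,
                          key_scopes: Optional[Iterable[str]] = None) -> FrozenSet[str]:
    """Final access = org role ∩ plan entitlements ∩ API key scopes.
    key_scopes is None for a console session (no key in the chain)."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {role!r}")
    perms = set(ROLE_PERMISSIONS[role])
    if plan not in TEAM_PLANS:
        perms -= PLAN_GATED  # plan gate applies regardless of role
    if key_scopes is not None:
        perms &= set(key_scopes)  # a key can only narrow access, never widen it
    return frozenset(perms)


def authorize(role: str, plan: str, permission: str,
              key_scopes: Optional[Iterable[str]] = None) -> bool:
    """Gate for a permission-gated route, e.g. POST /api/orgs/{orgId}/invites
    requires "org:members:invite"."""
    return permission in effective_permissions(role, plan, key_scopes)


if __name__ == "__main__":
    # Constructed scenario: a key minted while its creator was admin, checked
    # again after that creator is moved to member. Because the member's current
    # role is intersected with the key's snapshot, the stale key cannot manage keys.
    key = key_default_scopes("admin")
    print(authorize("admin", "team", "keys:manage", key))   # True
    print(authorize("member", "team", "keys:manage", key))  # False
```

The same intersection is why a billing_admin key never reaches watches:delete and why an owner on a non-Team plan still cannot manage SSO.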

Related

  • Enterprise SSO
  • Audit logs
  • API keys
  • Agent bindings