Roles & Permissions (RBAC)

Controlinfra uses Role-Based Access Control (RBAC) to manage what users can do within an organization. Every member is assigned a role that determines their permissions.

Built-in Roles

Role	Description
Owner	Full access. Can manage billing, delete the org, and transfer ownership. Only one owner per org.
Admin	Can manage members, integrations, repositories, and settings. Cannot delete the org or manage billing.
Member	Can create and run scans, view drifts, and manage repositories. Cannot change org settings or members.
Viewer	Read-only access. Can view scans, drifts, and repositories but cannot modify anything.

Permission Matrix

Permission	Owner	Admin	Member	Viewer
View repositories & scans	Yes	Yes	Yes	Yes
Create & edit repositories	Yes	Yes	Yes	No
Trigger & cancel scans	Yes	Yes	Yes	No
View & manage drifts	Yes	Yes	Yes	Read only
Guardrails (create, deploy)	Yes	Yes	No	No
Manage integrations	Yes	Yes	No	No
Manage members & invitations	Yes	Yes	No	No
View audit logs	Yes	Yes	No	No
Manage org settings	Yes	Yes	No	No
Manage billing	Yes	No	No	No
Delete organization	Yes	No	No	No

Custom Roles Team+

Teams on the Team plan or higher can create custom roles with granular permissions. Custom roles let you define exactly what a user can do without being limited to the four built-in roles.

Available Permissions

Custom roles can include any combination of these permissions:

Category	Permissions
Repositories	`repositories:read` - View repos
Scans	`scans:read` - View scans
Drifts	`drifts:read` - View drifts
Guardrails	`guardrails:read` - View guardrails
Members	`members:read` - View members
Settings	`settings:read` - View settings
Billing	`billing:read` - View billing info
Audit Logs	`audit-logs:read` - View audit logs

Creating a Custom Role

Go to Organizations and select your org
Click the Roles tab (visible to admins on Team+ plans)
Click Create Role
Enter a name, description, and color
Select the permissions for this role
Click Create Role to save

Assigning a Custom Role

Once created, custom roles appear in the role dropdown when editing a member's role:

Go to the Members tab
Click the role badge next to a member's name
Select the custom role from the dropdown

API Reference

Custom roles can also be managed via the API:

bash

# List custom roles
GET /api/orgs/:orgId/roles

# Create a custom role
POST /api/orgs/:orgId/roles
{
  "name": "Security Reviewer",
  "description": "Can view guardrails and audit logs",
  "permissions": ["guardrails:read", "audit-logs:read", "drifts:read"],
  "color": "#6366f1"
}

# Update a custom role
PATCH /api/orgs/:orgId/roles/:roleId

# Delete a custom role
DELETE /api/orgs/:orgId/roles/:roleId

See the Organizations API reference for full details.

Roles & Permissions (RBAC) ​

Built-in Roles ​

Permission Matrix ​

Custom Roles Team+ ​

Available Permissions ​

Creating a Custom Role ​

Assigning a Custom Role ​

API Reference ​