Roles & Permissions

    ByteOr Cloud resolves authorization through organization and project roles, then applies environment-level checks on the resulting operation.

    ByteOr Cloud uses role-based access control (RBAC) to govern who can view, modify, and operate resources. Roles are assigned at the organization or project scope and cascade downward through the resource hierarchy.

    Roles

    RoleScopeDescription
    org_adminOrganizationFull control over the organization, all projects, and all environments. Can manage memberships and billing.
    project_adminProjectFull control over a single project and its environments. Cannot manage organization-level settings.
    operatorProjectCan create deployments, approve/deny requests, and manage agents. Cannot modify project settings or memberships.
    viewerProjectRead-only access to project resources. Cannot trigger any mutations.

    Permission Matrix

    Each permission maps to one or more API actions. The matrix below shows which roles grant each permission.

    Permissionorg_adminproject_adminoperatorviewer
    ViewOrg
    ManageOrgMemberships
    ViewProject
    ManageProject
    OperateProject
    ViewEnvironment
    ManageEnvironment
    OperateEnvironment

    Role Resolution Rules

    When a user has roles at multiple scopes, the following rules determine effective permissions:

    1. org_admin override — An org_admin implicitly holds every permission on every project and environment within the organization. No additional role assignments are needed.
    2. Project-level fallback — If a user has no project-specific role, the system checks for an organization-level role. A viewer role at the org level grants ViewProject and ViewEnvironment across all projects.
    3. Nested scope enforcement — Permissions required for a resource at the environment level also require the corresponding view permission at the project and organization level. For example, OperateEnvironment requires ViewProject on the parent project.

    Audit Events

    Every authorization decision and identity event is recorded in the audit log. Each entry includes the fields: outcome, actor, resource_scope, and timestamp.

    Event KindDescription
    LoginStartedOAuth login flow initiated.
    LoginCompletedUser successfully authenticated and a session was issued.
    LoginFailedAuthentication failed (invalid code, expired state, provider error).
    MembershipChangedA role assignment was created, updated, or removed.
    ApiKeyIssuedA new agent API key was generated during enrollment.
    ApiKeyRevokedAn agent API key was revoked by an administrator.
    ApiKeyAuthenticatedAn agent authenticated successfully using its API key.
    ActionAuthorizedA permission check passed and the requested action was allowed.
    PermissionDeniedA permission check failed and the request was rejected with 403.

    Canonical Surfaces

    Workspace access
    Tenancy boundaries for organizations, projects, environments, and enrolled agents.
    Cloud settings
    Members, auth, signing keys, API keys, and environment posture surfaces.
    Canonical Cloud docs
    Repo-owned hosted control-plane guidance for operators and admins.
    Provenance
    Need the canonical source?
    Use the public hub to orient yourself, then jump to repo-owned docs or rustdoc when you need contract-level detail.
    Source-of-truth modelRepo docs index