Manage Team Access with Roles

Invite teammates, assign organization roles, grant project-level access, and set up approvers for deployment gates in ops0.

Scenario

Your infrastructure team is growing. You want to give developers access to create and deploy IaC projects, give the security team read-only visibility across the platform, and require the infrastructure lead to approve all production deployments before they run.

Prerequisites

✓ops0 Organization Owner or Admin role

Step 1: Invite Team Members

1Go to Settings > IAM & Roles

2Click Invite User

3Enter the user's email address and select their org role

4Click Send Invite — the user receives an email, accepts it, and immediately gains access

Step 2: Assign Organization Roles

Each org role defines what a user can do across the entire organization.

Role	Who It's For	What They Can Do
Owner	Org creator, 1–2 people max	Full access including billing and SSO configuration
Admin	IT leads, platform leads	Manage integrations, users, and settings — but not billing
Editor	Developers, DevOps engineers	Create and deploy IaC projects, run discovery, build workflows
Viewer	Security auditors, managers	Read-only — see all resources, deployments, and sessions

To change a role after invite: Settings > IAM & Roles > find the user > click their current role to change it.

Step 3: Grant Project-Level Access

For finer control, add collaborators directly to specific IaC projects.

1Open the IaC project in ops0

2Go to Collaborators > click Add

3Select the user and choose their project role

Project Roles

Role	Access
Owner	Full project control — edit code, settings, collaborators
Editor	Edit code, trigger deployments
Approver	Approve or reject deployment gates
Viewer	Read-only — see code, runs, and logs

Example use case: A developer has org-level Viewer access (cannot deploy anything org-wide) but is an Editor on one specific project (can deploy that project). This lets you lock down production projects while keeping sandbox projects open.

Step 4: Set Up Approval Gates

To require a specific person to approve production deployments before they run:

1Open the IaC project > Collaborators > add the infrastructure lead as Approver

2Go to project Settings > enable Require Approval before Apply

3Every deployment now pauses at Awaiting Approval until the Approver reviews and confirms

Step 5: Remove or Change Access

1Go to Settings > IAM & Roles

2Find the user > change their role or click Remove

3Removal takes effect immediately — the user's active session is invalidated

Access Matrix Example

A realistic team setup using org roles and project-level overrides:

Person	Org Role	Project: prod-networking	Project: dev-sandbox
Lead Engineer	Admin	Owner	Owner
Developer A	Editor	Editor	Editor
Developer B	Editor	Viewer	Editor
Security Analyst	Viewer	Viewer	Viewer
Infra Lead	Editor	Approver	—
Auditor	Viewer	Viewer	Viewer

Developer B has reduced access on the production project but full Editor access on the sandbox, letting them work freely without risking production.

Troubleshooting

User can't see a project

Add them as a Collaborator on that specific project. An org-level Viewer role does not automatically grant access to every project — projects must be added individually.

Approver button not showing on deployment

The project's approval requirement is not enabled. Go to the project Settings and turn on Require Approval before Apply, then ensure the user has the Approver collaborator role.

Can't remove the last Owner

ops0 requires at least one Owner at all times. Transfer ownership to another user first, then remove yourself or the previous Owner.

Next Steps

Set Up SSO →

Automate user provisioning by connecting your identity provider

Review Audit Logs →

Track access changes, invites, and role updates across your organization