ops0 uses role-based access control (RBAC) at two levels: organization roles that govern platform-wide access, and project roles that control access to individual IaC projects, discovery sessions, and configurations. Permissions from both levels are combined to form a user's effective access.
Platform-wide access — user management, integrations, billing, and settings.
Per-project access — code editing, deployment approvals, and read-only access.
| Role | Description | Permissions |
|---|---|---|
| Owner | Full organization control | All settings, billing, user management, SSO, delete org |
| Admin | Platform administration | Add/remove users, manage integrations, all features |
| Editor | Day-to-day platform work | Create/edit/deploy IaC, run discovery, manage configurations |
| Viewer | Read-only | View all resources, sessions, deployments — no writes |
Project roles apply to individual IaC projects, discovery sessions, and configuration sets. A user's project role is independent of their organization role.
| Role | Description |
|---|---|
| Owner | Full project control including delete |
| Editor | Edit code, trigger deployments |
| Approver | Approve or reject deployments that require approval |
| Viewer | Read-only access to project files, deployments, and logs |
A user with a Viewer organization role can still be an Approver on a specific IaC project. Project roles stack on top of organization roles — the user gets the union of both.
Go to Settings > IAM > Users to view all organization members. The list shows name, email, role, status, and last active time.
Click Invite User in Settings > IAM > Users.
Enter one or more email addresses. For bulk invites, separate addresses with commas or click Upload CSV.
Choose the initial role the user(s) will receive (e.g. Editor, Viewer).
Click Send Invitation. The user appears with Pending status until they accept the email invite.
| Field | Required | Description |
|---|---|---|
| Email(s) | Yes | One or more email addresses |
| Role | Yes | Initial organization role |
| Message | No | Optional personal note in the invite email |
Pending invitations can be resent or cancelled from the Invitations tab.
Click on the user row in Settings > IAM > Users.
Click Edit Role.
Choose the new organization role from the dropdown.
Click Save. The change takes effect on the user's next request.
Removing a user immediately revokes all their access and active sessions. This cannot be undone.
Click on the user row.
Click Remove from Organization.
Confirm the action in the prompt. The user is immediately removed.
Add collaborators to individual projects to grant access independently of their organization role.
Navigate to IaC > (select project) > Collaborators.
Click Add Collaborator and search for the user by name or email.
Choose a project role: Owner, Editor, Approver, or Viewer.
Click Add. The user can now access the project with the assigned role.
Project collaborator access is managed per project and does not affect the user's organization role or access to other projects.
A user's effective permissions are the union of their organization role permissions and any project-level roles they have been granted.
| Source | Example |
|---|---|
| Organization role | Viewer (read-only platform-wide) |
| Project role | Approver on production-api |
| Effective access | Read everything + approve deploys on production-api |
All permission changes are recorded in Audit Logs automatically.
Go to Settings > Audit Logs and filter by Category: IAM to see:
| Event | Details |
|---|---|
| User Invited | Who sent the invite, target email |
| User Joined | When the invitation was accepted |
| Role Changed | Previous role, new role, changed by |
| User Removed | Who performed the removal |
| Project Collaborator Added | Project, user, role |
| Project Collaborator Removed | Project, user |
