- User types — determine the broad access levels of a user
- Roles — grant fine-grained access to the workspace
User types
User types determine the broad access levels of a user. Below is a summary of the user types and their functions.
- Owner — complete control over the workspace; exactly one per workspace
- Administrator — complete administrative and application access; is subordinate to the owner
- Member — limited application access with no administrative privileges
Owners have unrestricted access to the workspace with the ability to execute any action. Administrators hold nearly the same access as owners, but are unable to adjust the access controls of owners. Members are the only user type that can be granted fine-grained access to the workspace through roles. Since administrators and owners already have complete access to the workspace, they cannot be given any roles.
Admin privileges
Several privileges are available only to owners and administrators. Outside of the group manager role, no roles can grant any of these privileges.
API Keys
- Create a new API key
- Delete an API key
- Delete a config type
- Create a group
- Update a group
- Delete a group
- Move a device to a different group
- Send an invite
- Resend an invite
- Revoke an invite
- Suspend a member
- Update another member’s role
- Delete a release
- Update the workspace
Roles
While a user’s type determines broad access and administrative capabilities, roles grant fine-grained access to the workspace. Because owners and admins already have full access to the workspace, roles can only be granted to members. A member’s roles are defined in two independent sources:
- Workspace roles apply across the entire workspace
- Group roles apply to a group and all of its subgroups
Workspace-only roles
Below are the roles which are only available at the workspace level. These roles cannot be assigned to users for a particular group.
Viewer
Viewers hold read-only access to the entire application. It is not possible to restrict read access to specific groups or devices. Viewer is the least privileged role there is. All roles implicitly include viewer access.
Publisher
The publisher role allows members to create and edit config types, schemas, and releases (all the resources needed to publish a release). The publisher role grants access to the following operations:
Config types
- Create a config type
- Edit a config type
- Create a config schema
Shared roles
Below are the roles which are available at both the workspace and group levels. These roles can be assigned to users for a particular group, as well as the entire workspace.
Operator
The operator role allows members to deploy configurations to devices. The operator role grants access to the following operations:
Config editor
- Deploy configurations to devices
- Stage a deployment
- Patch a deployment
- Review a deployment
- Deploy a deployment
- Archive a deployment
Provisioner
The provisioner role allows members to create and activate devices. The provisioner role grants access to the following operations:
Manage devices
- Create a device
- Edit a device
- Delete a device
- Provision a device
- Reprovision a device
Group-only roles
Below are the roles which are only available at the group level. These roles can only be assigned to users for a particular group, not for the entire workspace.
Group manager
The group manager role allows members to manage the members in a group, the members’ grants, and the group’s subgroups. It includes everything the operator and provisioner roles can do, along with the following operations:
Groups
- Create a subgroup
- Edit a group
- Move a device
- Delete a subgroup
- Move a device to a different group
- Add a group member
- Edit group member permissions
- Remove group members
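The rules above combine into a single access decision. The sketch below is an added example, not the product's own code, and is useful for reviewing whether a grant gives more than intended. The role keys, operation names, the `user` dictionary layout and the `/`-separated group paths are assumptions made for illustration.

```python
# Added illustration of the access model on this page; not the product's code.
# Role keys, operation names and the '/'-separated group paths are hypothetical.
WORKSPACE_ROLES = {"viewer", "publisher", "operator", "provisioner"}
GROUP_ROLES = {"operator", "provisioner", "group_manager"}
INCLUDES = {"group_manager": {"operator", "provisioner"}}
# Role needed for a few operations taken from the lists above.
REQUIRES = {
    "create_config_type": "publisher",
    "stage_deployment": "operator",
    "provision_device": "provisioner",
    "add_group_member": "group_manager",
}
ADMIN_ONLY = {"create_api_key", "send_invite", "update_workspace"}


def validate(user):
    """Reject role grants the model does not permit."""
    ws = set(user.get("workspace_roles", ()))
    grp = user.get("group_roles", {})
    if user["type"] in ("owner", "admin"):
        if ws or grp:
            raise ValueError("owners and administrators cannot be given roles")
    elif not ws <= WORKSPACE_ROLES:
        raise ValueError("role is not assignable at the workspace level")
    elif any(not set(r) <= GROUP_ROLES for r in grp.values()):
        raise ValueError("role is not assignable at the group level")


def is_allowed(user, operation, group=None):
    """Decide one operation, optionally scoped to a group path like 'eu/berlin'."""
    validate(user)
    if user["type"] in ("owner", "admin"):
        # The owner/administrator difference (admins cannot adjust an owner's
        # access controls) is not modelled here.
        return True
    if operation in ADMIN_ONLY:
        return False
    held = set(user.get("workspace_roles", ()))
    grp = user.get("group_roles", {})
    if operation == "read":
        # Viewer access is workspace-wide and implied by every role.
        return bool(held) or any(grp.values())
    for path, roles in grp.items():
        # A group role covers the group itself and all of its subgroups.
        if group is not None and (group == path or group.startswith(path + "/")):
            held |= set(roles)
    effective = held | {i for r in held for i in INCLUDES.get(r, ())}
    return REQUIRES[operation] in effective
```

Matching on `path + "/"` rather than a bare prefix keeps a grant on `eu` from also covering an unrelated group named `europe`.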

