Roles & permissions
Full matrix of what each role can do — owner, admin, member, viewer
Roles & permissions
SigSentry has four roles, mapping to a fixed set of permissions. You assign a role when inviting a user; the role can be changed later by any admin or owner.
The four roles
| Role | One-line description |
|---|---|
| Owner | Full control; only one per organization; set when the organization is created |
| Admin | Manage team and configuration; cannot delete projects or change billing |
| Member | Run analyses, configure projects; cannot manage team |
| Viewer | Read-only — see analyses and configuration but change nothing |
There's also a legacy analyst role that maps to member — if you see it in older accounts, it behaves identically to member.
Permission matrix
| Permission | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
analysis:read — view analyses | ✅ | ✅ | ✅ | ✅ |
analysis:create — run analyses, ask follow-ups | ✅ | ✅ | ✅ | ❌ |
config:read — view project config | ✅ | ✅ | ✅ | ✅ |
config:write — change project config | ✅ | ✅ | ✅ | ❌ |
apikey:write — create or revoke API keys | ✅ | ✅ | ✅ | ❌ |
team:read — view members and audit log | ✅ | ✅ | ✅ | ✅ |
team:manage — invite, remove, change roles | ✅ | ✅ | ❌ | ❌ |
project:delete — delete a project | ✅ | ❌ | ❌ | ❌ |
Owner-specific behaviors
- The owner role is set exclusively when the organization is created — you cannot invite someone as owner
- An owner cannot have their role changed (would orphan the organization). To transfer ownership, the current owner must reach out to support
- Only the owner can delete projects or initiate organization deletion
Permission gates in the dashboard
The dashboard hides actions you don't have permission for. For example:
- The "Add channel" button on the Channels page is only visible to
users with
config:write(admin / member / owner) - The Team page's "Invite user" button only shows for
team:manage(admin / owner) - The "Delete project" button on Danger Zone is owner-only
If you don't see a button you'd expect, check your role under Settings → General.
API key permissions vs role permissions
API keys carry their own permission list, separate from a user's role. A key has only the permissions explicitly granted at creation — this lets you create a narrowly scoped key for a CI job that can only run analyses, even if the user creating it is an admin.
See Authentication for details on key creation and scoping.
Audit log
Every config change made by any user is logged in the Audit log — visible to admins and owners. This is useful for compliance, retroactive debugging, and seeing who did what.