DocsRoles and Permissions
How role-based access control (RBAC) works in Bivariant — built-in roles, custom roles, permission format, and scope hierarchy.
The platform uses role-based access control (RBAC) to govern what authenticated users can do. Every action in the platform is gated by a permission, and permissions are grouped into roles.
Permission format
Permissions follow a consistent resource:action pattern:
collections:read
flows:execute
agents:update
integrations:deleteCommon actions include:
| Action | Meaning |
|---|---|
read | View the resource |
create | Create new instances |
update | Modify existing instances |
delete | Remove instances |
execute | Run or trigger the resource |
manage | Full administrative control |
Built-in roles
The platform provides three built-in roles:
Admin
Full access to all resources in the organization and its spaces.
- Manage members and roles
- Create and configure spaces
- Install and configure apps
- Access all data and settings
Member
Standard access for day-to-day work within assigned spaces.
- Read and write collections, flows, agents
- Execute flows and interact with agents
- Use installed integrations
- Cannot manage organization settings or members
Guest
Limited, read-only access.
- View collections and records
- Read conversations
- Cannot modify resources or execute actions
Role assignment
Roles are assigned at two levels:
| Level | Scope | Example |
|---|---|---|
| Organization | Applies to all spaces in the organization | An admin who manages the entire org |
| Space | Applies only within a specific space | A member who works in the "Sales" space |
A user can hold different roles in different spaces. Organization-level roles cascade down to all spaces unless overridden.
Custom roles
Beyond the built-in roles, administrators can define custom roles that combine specific permissions:
- Define the role — give it a name and select the permissions it should include
- Assign the role — attach it to users at the organization or space level
Custom roles are useful for scenarios like:
- A "viewer" who can read collections but not execute flows
- A "flow operator" who can execute flows but not modify them
- An "integration manager" who can manage connections but not access data
Service permissions
Apps, agents, and integrations authenticate as service accounts. Each service account receives permissions based on the app's declared requirements:
- An app that needs to read collections will have
collections:read - An agent that executes flows will have
flows:execute - An integration that writes records will have
collections:createandcollections:update
Service permissions are granted at install time and scoped to the space where the app is installed.
Permission checks
The platform evaluates permissions on every API request:
- Identify the user — resolve the authenticated identity
- Resolve roles — load all roles for the target organization and space
- Aggregate permissions — combine permissions from all assigned roles
- Check the required permission — verify the request's required permission is in the set
If the required permission is missing, the request is denied with a 403 Forbidden response.
Related concepts
- Authentication — how users prove their identity
- API Keys — programmatic access with scoped permissions
- Organizations and Spaces — the hierarchy where roles apply
Authentication
How users and services authenticate with the Bivariant platform — OIDC-based login, access tokens, session management, and service account authentication.
API Keys
How to create and manage API keys for programmatic access to the Bivariant platform — scoping, permissions, and best practices.