Roles
Roles are granted on a per-config basis. A user can hold at most one user-level role per config; team-level roles stack with whatever the user already has.| Role | Granted to | Permissions |
|---|---|---|
| Owner | User | Read, edit, and manage. Can deploy, teardown, share, and delete the pipeline. Can grant or revoke any role on the config. |
| Editor | User | Read and edit. Can change pipeline configuration and redeploy, but cannot share, transfer ownership, or delete the pipeline. |
| Reader | User | Read-only. Can view the pipeline config, deployment state, and metrics. Cannot make changes. |
| Team viewer | Team | Read-only, granted to every member of the team. Used to give teammates visibility without enumerating users one by one. |
Permissions
Each role resolves into a set of permissions that gate API behaviour:| Permission | Owner | Editor | Reader | Team viewer |
|---|---|---|---|---|
read — view config, deployment status, metrics | ✓ | ✓ | ✓ | ✓ |
edit — modify config, deploy, teardown | ✓ | ✓ | ||
manage — share, transfer ownership, delete | ✓ |
Default access on a new pipeline
When a pipeline is created:- The creating user is granted owner on the config.
- The creator’s team is granted team viewer, so every teammate gets read access automatically.
Sharing a pipeline
Owners can grant additional access from the pipeline settings:- Add a user as editor or reader — gives that one user the corresponding permissions, independent of their team membership.
- Add a team as viewer — gives every member of that team read access. Useful for opening up visibility to a partner team without listing individuals.