> ## Documentation Index
> Fetch the complete documentation index at: https://docs.allium.so/llms.txt
> Use this file to discover all available pages before exploring further.

# Permissions

> Roles and access levels that control who can view, edit, and manage a Beam pipeline.

Every Beam pipeline config is governed by per-resource access control. Each user's effective access on a config is derived from one or more **roles** granted directly to them or to a team they belong to.

When you create a pipeline, you automatically become its **owner**, and every member of your team is granted **read** access to it.

## Roles

Roles are granted on a per-config basis. A user can hold at most one user-level role per config; team-level roles stack with whatever the user already has.

| Role            | Granted to | Permissions                                                                                                                  |
| :-------------- | :--------- | :--------------------------------------------------------------------------------------------------------------------------- |
| **Owner**       | User       | Read, edit, and manage. Can deploy, teardown, share, and delete the pipeline. Can grant or revoke any role on the config.    |
| **Editor**      | User       | Read and edit. Can change pipeline configuration and redeploy, but cannot share, transfer ownership, or delete the pipeline. |
| **Reader**      | User       | Read-only. Can view the pipeline config, deployment state, and metrics. Cannot make changes.                                 |
| **Team viewer** | Team       | Read-only, granted to every member of the team. Used to give teammates visibility without enumerating users one by one.      |

## Permissions

Each role resolves into a set of permissions that gate API behaviour:

| Permission                                       | Owner | Editor | Reader | Team viewer |
| :----------------------------------------------- | :---: | :----: | :----: | :---------: |
| `read` — view config, deployment status, metrics |   ✓   |    ✓   |    ✓   |      ✓      |
| `edit` — modify config, deploy, teardown         |   ✓   |    ✓   |        |             |
| `manage` — share, transfer ownership, delete     |   ✓   |        |        |             |

A user's effective permission on a config is the union of every role they hold on it, directly or through a team.

## Default access on a new pipeline

When a pipeline is created:

1. The creating user is granted **owner** on the config.
2. The creator's team is granted **team viewer**, so every teammate gets read access automatically.

No other users or teams have access until an owner grants it.

## Sharing a pipeline

Owners can grant additional access from the pipeline settings:

* **Add a user as editor or reader** — gives that one user the corresponding permissions, independent of their team membership.
* **Add a team as viewer** — gives every member of that team read access. Useful for opening up visibility to a partner team without listing individuals.
