Permissions & Roles
Role-based access control (RBAC) for SculptOps organizations.
Roles
SculptOps uses three roles within an organization: admin, member, and viewer. Every user has exactly one role per organization they belong to.
Role descriptions
- Admin: Full control over the organization: manage members, settings, and all resources, and can delete the organization.
- Member: Can create, edit, and run playbooks, inventories, servers, schedules, and workflows. Cannot manage members or organization settings.
- Viewer: Read-only access. Can view playbooks, executions, and inventories but cannot modify anything or trigger executions.
Permission matrix
Playbooks
| Action | Admin | Member | Viewer |
|---|---|---|---|
| View playbooks & history | ✓ | ✓ | ✓ |
| Create / edit playbooks | ✓ | ✓ | ✗ |
| Delete playbooks | ✓ | ✓ | ✗ |
| Run playbooks | ✓ | ✓ | ✗ |
| Cancel executions | ✓ | ✓ | ✗ |
Infrastructure (Servers, Inventories)
| Action | Admin | Member | Viewer |
|---|---|---|---|
| View servers & inventories | ✓ | ✓ | ✓ |
| Create / edit | ✓ | ✓ | ✗ |
| Delete | ✓ | ✓ | ✗ |
| Test server connectivity | ✓ | ✓ | ✗ |
SSH Keys & Vault Passwords
| Action | Admin | Member | Viewer |
|---|---|---|---|
| View key names (not secrets) | ✓ | ✓ | ✓ |
| Add keys / vault passwords | ✓ | ✓ | ✗ |
| Delete keys / vault passwords | ✓ | ✓ | ✗ |
| View plaintext secrets | ✗ | ✗ | ✗ |
Note
Plaintext secrets (SSH private keys, vault passwords) are never exposed through the UI or API regardless of role. They are only used internally at execution time.
Schedules & Webhooks
| Action | Admin | Member | Viewer |
|---|---|---|---|
| View | ✓ | ✓ | ✓ |
| Create / edit | ✓ | ✓ | ✗ |
| Enable / disable | ✓ | ✓ | ✗ |
| Delete | ✓ | ✓ | ✗ |
Organization settings
| Action | Admin | Member | Viewer |
|---|---|---|---|
| View settings | ✓ | ✓ | ✓ |
| Edit organization settings | ✓ | ✗ | ✗ |
| Invite / remove members | ✓ | ✗ | ✗ |
| Change member roles | ✓ | ✗ | ✗ |
| Manage API tokens | ✓ | ✓ | ✗ |
| Delete organization | ✓ | ✗ | ✗ |
Audit log
| Action | Admin | Member | Viewer |
|---|---|---|---|
| View audit log | ✓ | ✓ | ✓ |
| Export audit log | ✓ | ✓ | ✗ |
Member visibility
All authenticated members can see the team list (names and roles). Email addresses, however, are visible only to admins and to the member they belong to; everyone else sees names and roles only.
API token permissions
API tokens inherit the role of the user who created them. A token created by a viewer has viewer-level access. A token cannot have broader permissions than its creator — attempting to create a higher-privileged token returns a 403 error.
Note
If a member is removed from the organization, their API tokens are automatically revoked; if their role is downgraded, their existing tokens are automatically capped to the new role's permissions.
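The permission matrix above, the API token rules, and the team-list email redaction from the Member visibility section, as one added worked example in Python (written for this page, not SculptOps' own code): a small default-deny policy engine in which a token's privilege is resolved at request time as the lower of the token's role and its creator's current role, so capping and revocation fall out of the same check. The function names, action identifiers, `Member`/`Token` fields, and the sample members are assumptions constructed for the example.

```python
"""Worked example of the role model on this page, written for this page.
It is not SculptOps' own code; every function, field and action name is an assumption."""
from dataclasses import dataclass, field
from typing import Optional

# Role lattice: viewer < member < admin.
ROLE_RANK = {"viewer": 0, "member": 1, "admin": 2}

# Lowest role allowed to perform each action, transcribed from the permission matrix.
# Anything not listed is denied to every role (default deny), which is how
# "view plaintext secrets" ends up forbidden even for admins.
MIN_ROLE = {
    "playbook:view": "viewer", "playbook:edit": "member",
    "playbook:delete": "member", "playbook:run": "member", "execution:cancel": "member",
    "infra:view": "viewer", "infra:edit": "member", "infra:delete": "member",
    "infra:test_connectivity": "member",
    "keys:view_names": "viewer", "keys:add": "member", "keys:delete": "member",
    "schedule:view": "viewer", "schedule:edit": "member",
    "schedule:toggle": "member", "schedule:delete": "member",
    "org:view_settings": "viewer", "org:edit_settings": "admin",
    "org:manage_members": "admin", "org:change_roles": "admin",
    "org:delete": "admin", "tokens:manage": "member",
    "audit:view": "viewer", "audit:export": "member",
}


class Forbidden(Exception):
    """Raised where the API would answer HTTP 403."""


@dataclass
class Token:
    id: str
    role: str
    revoked: bool = False


@dataclass
class Member:
    name: str
    email: str
    role: str
    active: bool = True
    tokens: list = field(default_factory=list)


def can(role: str, action: str) -> bool:
    """Default-deny permission check against the matrix."""
    required = MIN_ROLE.get(action)
    return required is not None and ROLE_RANK[role] >= ROLE_RANK[required]


def create_token(member: Member, token_id: str, requested_role: Optional[str] = None) -> Token:
    """A token inherits its creator's role and may never exceed it."""
    requested_role = requested_role or member.role
    if ROLE_RANK[requested_role] > ROLE_RANK[member.role]:
        raise Forbidden(f"{member.name} ({member.role}) cannot create a {requested_role} token")
    token = Token(token_id, requested_role)
    member.tokens.append(token)
    return token


def effective_role(member: Member, token: Token) -> Optional[str]:
    """Resolve a token's privilege at request time: the lower of the token's role and the
    creator's current role, and nothing at all once the token is revoked or the member removed."""
    if token.revoked or not member.active:
        return None
    return min(token.role, member.role, key=ROLE_RANK.__getitem__)


def authorize(member: Member, token: Token, action: str) -> bool:
    """The check a request handler would run for a token-authenticated call."""
    role = effective_role(member, token)
    return role is not None and can(role, action)


def change_role(member: Member, new_role: str) -> None:
    """Downgrading caps every existing token at the new role.
    (Assumption: a later upgrade does not raise a capped token back up.)"""
    member.role = new_role
    for token in member.tokens:
        if ROLE_RANK[token.role] > ROLE_RANK[new_role]:
            token.role = new_role


def remove_member(member: Member) -> None:
    """Removal revokes every token the member created."""
    member.active = False
    for token in member.tokens:
        token.revoked = True


def team_list_entry(viewer: Member, target: Member) -> dict:
    """Names and roles for everyone; email only for admins and for the member themselves."""
    entry = {"name": target.name, "role": target.role}
    if viewer.role == "admin" or viewer is target:
        entry["email"] = target.email
    return entry
```

Resolving the effective role on every request, rather than only rewriting tokens when a role changes, means a downgrade takes effect even for a token that was somehow missed by the capping pass, and a removed member's tokens are dead regardless of the `revoked` flag.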