This is a preview/beta feature. Further changes are expected.

This feature is only available on Chainloop’s platform paid plans.

Chainloop Role-Based Access Control (RBAC) allows scoping down users by resources (i.e. projects). For example, RBAC can be used to ensure that employees can only see and access the projects they are assigned to, or to limit the actions that a particular user or group of users can perform on a Workflow (like sending an attestation).

RBAC is implemented through Roles. Users can be assigned roles on organizations and on projects, and those roles determine what they can access.

Organization roles

There are four organization level roles:

  • Owner: The highest-privilege role, providing full access to all resources and features. It is the role acquired by the creator of the organization.
  • Admin: A management role in the organization. Admins have full access to the organization, its members and its projects.
  • Viewer: A read-only role that provides full visibility of the organization's resources.
  • Member: Members only have permissions in projects they create, or projects they have been added to with a Project Role. Members cannot manage or see organization resources.

Project roles

Project roles are needed when a user holds the organization “Member” role, since that role alone grants no access to projects; a project role gives them access to specific projects. There are two different project roles:

  • Project Admin: Provides full access to the project's resources. For example, Project Admins can manage workflows, configure compliance frameworks, and manage user and group membership. They can also create project API tokens and perform attestations.
  • Project Viewer: Provides read-only access to the project, its workflows, and its attestations.

Assigning project roles

You can list and manage members through project settings:

Then you can use the membership form to add members and assign them project roles: