Cloud memberships
Organization Member Roles and Permissions
In the Contember Cloud Selfcare, we provide different roles that you can assign to members within your organization. Each role comes with specific permissions that determine what actions members can perform. It's essential to understand these roles and their associated permissions to effectively manage your organization.
1. Roles for the Organization
Owner
The Owner role is the highest level of authority within the organization. Owners have full control over the organization, including its settings, billing, and member management. There must be at least one Owner in the organization at all times.
Admin
The Admin role is the second-highest authority in the organization. Admins have broad permissions, enabling them to manage most aspects of the organization, except billing and some specific member-related actions.
Billing
The Billing role is responsible for managing the organization's billing settings and payment methods. Users with this role can handle billing-related tasks but have limited access to other aspects of the organization.
Developer
The Developer role is for members involved in project development. They have permissions to create and manage, as well as start and stop project activities. They cannot delete a project.
Guest
The Guest role is for providing limited access to external collaborators. Guests have viewing privileges for projects and metrics, but they cannot perform any modifications within the organization.
2. Project-Specific Roles
Project Developer
The Project Developer role is specifically assigned at the project level. Members with this role have permissions to work on a particular project, allowing them to create, manage, and start/stop project activities.
Project Guest
Similar to the Project Developer role, the Project Guest role is specific to individual projects. Members with this role are granted viewing access to a specific project, without the ability to make any changes.
It's important to note that the Project Developer and Project Guest roles are distinct from the organization-wide roles and are managed separately for each project.
Permissions matrix
| Owner | Admin | Billing | Developer | Guest | Project Developer | Project Guest | |
|---|---|---|---|---|---|---|---|
| View projects | YES | YES | YES | YES | YES | YES | YES |
| View metrics | YES | YES | YES | YES | YES | YES | YES |
| View members | YES | YES | YES | YES | NO | NO | NO |
| Manage owner / billing member | YES | NO | NO | NO | NO | NO | NO |
| Manage other members | YES | YES | NO | NO | NO | NO | NO |
| Create projects | YES | YES | NO | YES | NO | NO | NO |
| Start / stop project | YES | YES | NO | YES | NO | YES | NO |
| Edit project settings | YES | YES | NO | YES | NO | YES | NO |
| Delete project | YES | YES | NO | NO | NO | NO | NO |
| View billing | YES | NO | YES | NO | NO | NO | NO |
| Manage billing | YES | NO | YES | NO | NO | NO | NO |
Relation to Contember Engine Roles
The roles and permissions in Contember Cloud are distinct from those in Contember Engine's Project Group and Tenant API. In Contember Cloud, roles are specifically tied to managing organizations and projects within the Cloud Selfcare. In contrast, roles in Contember Engine govern access to the project's APIs (Tenant, Content, System).
Assigning a role in Contember Cloud does not automatically assign the same role in Contember Engine. The roles in each system are managed independently and do not influence each other.
The only exception occurs when a Project Group is created in Contember Cloud. In this case, the project_admin global role, which is the highest possible role within Contember Engine running in the Cloud, is automatically granted to the creator. This role allows the user to perform almost all tasks (except for certain system-level actions reserved for the super_admin role, which is only available in self-hosted environments and not in Contember Cloud). The project_admin can then assign this
role to others using the Tenant API's mutations, such as addGlobalIdentityRole or createGlobalApiKey.