Owners and Members

Control who can access and govern your collections by assigning owners and members

Overview

Every collection has two membership roles: owner and member. These roles control who can access a collection, while account-level roles control what they can do once inside it. Together, the two layers let you grant broad platform capabilities to a user while limiting where those capabilities apply.

How account roles and collection membership work together

A user's effective permissions in a collection are the intersection of their account-level role and their collection membership. The account role defines the ceiling (create packages, run deployments, view resources), and membership opens the door to a specific collection.

For the full permissions matrix and recommended role mappings, see Roles and Permissions.

Admins bypass membership checks. They can manage any collection, even if they are not listed as an owner or member.

Owners

Every collection must have at least one owner. The user who creates a collection is automatically assigned as its first owner.

Owners have full control over the collection, including:

  • Managing member access and roles

  • Editing collection properties, secrets, and cloud connections

  • Approving runs when the Owner Approval policy is active

  • Transferring ownership to another user

  • Deleting the collection

Owners provide the governance layer that keeps collections secure and aligned with organizational policies. When the Owner Approval policy is enabled on a collection, only owners of that collection can approve runs before they proceed. For details on configuring this policy, see Policies.

Admins, Builders, and Deployers can all be assigned as collection owners. A Deployer who is an owner can approve runs, but they still can't edit collection settings or create collections since those require a Builder or Admin account role. Viewers and Guests cannot be owners.

A collection can have multiple owners. This is recommended for redundancy so that approvals and administrative actions are not blocked by a single person's availability.

Members

Members are users who have been granted access to a collection. A member's effective permissions depend on their account-level role:

  • A member with the Builder role can create and publish packages and run deployments in the collection

  • A member with the Deployer role can initiate runs but cannot modify packages or collection settings

  • A member with the Viewer role can browse environments and resources in the collection but cannot make changes

Members cannot manage collection settings (properties, secrets, cloud connections, policies, or membership). Those actions require owner or Admin access.

Example: a development team might be added as members with the Builder role in a staging collection so they can deploy freely, while only a platform lead is assigned as owner of the production collection to enforce tighter governance.
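
The sketch below is an added example, not Bluebricks code or its API. It models the intersection rule described on this page and audits owner assignments for the conditions the Owners section names. All function, action, and user names are hypothetical, the sample data is constructed, and the points the page leaves open are marked as assumptions in the comments.

```python
# Added illustration: hypothetical names, not the Bluebricks API.
# Account-role ceilings, taken from the role descriptions on this page.
ROLE_CEILING = {
    "Admin":    {"view", "run", "publish_package", "edit_settings"},
    "Builder":  {"view", "run", "publish_package", "edit_settings"},
    "Deployer": {"view", "run"},   # assumption: initiating runs implies viewing
    "Viewer":   {"view"},
    "Guest":    set(),             # assumption: the page lists no Guest actions
}
OWNER_ELIGIBLE = {"Admin", "Builder", "Deployer"}  # Viewers and Guests cannot own


def is_allowed(account_role, membership, action):
    """membership is 'owner', 'member', or None (not assigned to the collection)."""
    if membership == "owner" and account_role not in OWNER_ELIGIBLE:
        raise ValueError(f"{account_role} cannot be a collection owner")
    if action == "approve_run":
        # Assumption: read "only owners can approve" literally, ahead of the Admin bypass.
        return membership == "owner"
    if account_role == "Admin":
        return True                       # Admins bypass membership checks
    if membership is None:
        return False                      # no membership, no access to the collection
    if action == "edit_settings" and membership != "owner":
        return False                      # settings need owner (or Admin) access
    return action in ROLE_CEILING[account_role]


def audit_owners(assignments):
    """assignments: {collection: [(user, account_role, membership), ...]} -> findings."""
    findings = []
    for name, users in assignments.items():
        owners = [(u, r) for u, r, m in users if m == "owner"]
        if not owners:
            findings.append((name, "no owner assigned"))
        elif len(owners) == 1:
            findings.append((name, "single owner, no redundancy"))
        findings += [(name, f"ineligible owner {u} ({r})")
                     for u, r in owners if r not in OWNER_ELIGIBLE]
    return findings


# Constructed sample data mirroring the staging/production example above.
SAMPLE = {
    "staging": [("dev1", "Builder", "member"), ("dev2", "Builder", "member")],
    "production": [("lead", "Builder", "owner"), ("ops", "Deployer", "member")],
}
```

Running `audit_owners(SAMPLE)` flags the staging collection for having no owner and the production collection for relying on a single owner.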

How to manage owners and members

Owners and members are managed from the collection detail page in the Bluebricks app.

Only Admins and collection owners can add, remove, or change membership roles.

Add a member

  1. Open the Collections page and select your collection

  2. Go to the Overview tab

  3. In the Assigned users section, click Edit

  4. Select the user you want to add and click Save

New users are added as members by default.

Change a user's collection role

  1. Open the collection's Overview tab

  2. In the Assigned users section, find the user

  3. Click the three-dot menu next to their name

  4. Click Change to owner or Change to member

Remove a user from a collection

  1. Open the collection's Overview tab

  2. In the Assigned users section, find the user

  3. Click the three-dot menu next to their name and click Remove
