# Roles and Permissions

## Overview

Bluebricks uses role-based access control (RBAC) to govern who can do what across your organization. Every user is assigned one account-level role that determines their permissions for all resources: clouds, collections, packages, environments, secrets, webhooks, and more.

{% hint style="info" icon="bookmark" %}
Account-level roles control what a user can do. Collection membership controls where they can do it. See [Owners and Members](/docs/orchestration/collections/owners-and-members.md) for collection-level access.
{% endhint %}

## Roles

Bluebricks defines four roles, ordered from most to least privileged: **Admin**, **Builder**, **Deployer**, and **Viewer**.

Read more about each role:

{% tabs %}
{% tab title="Admin" %}
**Admins have full access** to every resource and action in the organization. Admins manage users, configure organization settings, create API keys, and govern all collections, packages, and environments.

Assign this role to platform team leads and organization owners.
{% endtab %}

{% tab title="Builder" %}
**Builders can create and manage** infrastructure packages (artifacts and blueprints), collections, clouds, secrets, and webhooks. Builders can also initiate and manage deployments. They cannot invite or manage users, change organization settings, or create API keys.

Assign this role to infrastructure engineers who author and maintain IaC.
{% endtab %}

{% tab title="Deployer" %}
**Deployers can initiate runs and approve or apply plans.** Deployers have read access to the resources they need for deployment (collections, packages, clouds) but cannot create or modify infrastructure definitions. Deployers see only the **Deploy** and **Plan** pages.

Assign this role to operations engineers or CI/CD service accounts that run deployments without authoring IaC.
{% endtab %}

{% tab title="Viewer" %}
**Viewers have read-only access** to all resources. Viewers can browse collections, packages, environments, clouds, and organization data but cannot create, modify, or delete anything.

Assign this role to stakeholders, auditors, or team members who need visibility without write access.
{% endtab %}
{% endtabs %}

{% hint style="info" %}
When you invite a user, the role selector defaults to **Viewer**. If a user logs in without having been invited or assigned a role (for example, via SSO), they are automatically assigned the **Deployer** role.
{% endhint %}

## How to invite users

You can invite users from three places:

* **Sidebar menu** > **Invite users** (quickest path)
* **Account Settings** > **Teammates** > **Invite** (top-right)
* **Collection page** > **Assigned users** > **Invite teammates** (pre-selects the collection)

<figure><picture><source srcset="/files/B93wofGoL5nHUhT5wKvs" media="(prefers-color-scheme: dark)"><img src="/files/o777YwbhLwk64Vy5NsVm" alt="Account Settings Teammates tab and sidebar menu showing the Invite users entry points"></picture><figcaption></figcaption></figure>

All three open the same invite modal. The steps are:

{% stepper %}
{% step %}

#### Enter email addresses

Add one or more email addresses. You can paste a comma-separated list to invite multiple people at once.

<figure><picture><source srcset="/files/z0f4oNwC1yZoZhrGA8vI" media="(prefers-color-scheme: dark)"><img src="/files/QkTayLJvOkdVMIqJqlGA" alt="Invite teammates modal showing email input, role selector, and collection picker"></picture><figcaption></figcaption></figure>
{% endstep %}

{% step %}

#### Select an organization role

Choose a role from the dropdown. This sets what the invited user can do across the organization. See [Roles](#roles) above for what each role allows.
{% endstep %}

{% step %}

#### Assign collections (optional)

Select one or more collections to grant the user access on acceptance. Each user is added as a **Member** by default. There is no option to assign the Owner role at invite time; you can change their collection role to **Owner** after they accept.

When you invite from a collection page, that collection is pre-selected and the collections picker is locked. To assign additional collections, use the invite flow from **Account Settings** instead.
{% endstep %}

{% step %}

#### Send the invite

Click **Invite**. The invited users appear in the **Invited** tab in Account Settings until they accept.
{% endstep %}
{% endstepper %}

{% hint style="info" icon="user-key" %}
Only admins can invite users, change roles, and manage user status.
{% endhint %}

## Managing users

Users are managed in **Account Settings** > [**Teammates**](https://app.bluebricks.co/settings?tab=members). The page has two tabs:

* **Teammates**: active members of your organization, showing their assigned collections, status, and role
* **Invited**: pending and canceled invitations

### User statuses

| Status          | Description                                            | Available actions       |
| --------------- | ------------------------------------------------------ | ----------------------- |
| Active          | User has accepted the invite and is using the platform | Change role, Deactivate |
| Invited         | Invitation sent but not yet accepted                   | Cancel invite           |
| Invite canceled | Invitation was canceled before acceptance              | Remove                  |
| Inactive        | User was deactivated by an admin                       | Remove                  |

### Change a user's role

Find the user in the **Teammates** tab and use the **Role** dropdown to select a new role. The change takes effect immediately.

### Deactivate a user

Find the user in the **Teammates** tab, click the **three-dot menu**, and select **Deactivate**. Deactivated users lose access but their data is preserved. They appear with an **Inactive** status.

### Remove a user

Deactivated users and canceled invitations can be permanently removed. Find the user in the appropriate tab, click the **three-dot menu**, and select **Remove**.

## What each role can do

The tables below show every permission and which roles include it.

#### Cloud accounts

<table><thead><tr><th width="201.921875">Permission</th><th width="98.4296875">Admin</th><th width="95.765625">Builder</th><th width="109">Deployer</th><th width="99.71484375">Viewer</th></tr></thead><tbody><tr><td>Create cloud accounts</td><td>Yes</td><td>Yes</td><td></td><td></td></tr><tr><td>View cloud accounts</td><td>Yes</td><td>Yes</td><td>Yes</td><td>Yes</td></tr><tr><td>Update cloud accounts</td><td>Yes</td><td>Yes</td><td></td><td></td></tr><tr><td>Delete cloud accounts</td><td>Yes</td><td>Yes</td><td></td><td></td></tr></tbody></table>

#### Collections

<table><thead><tr><th width="202.2890625">Permission</th><th width="102.36328125">Admin</th><th width="104.8515625">Builder</th><th width="108.4375">Deployer</th><th width="102.19140625">Viewer</th></tr></thead><tbody><tr><td>Create collections</td><td>Yes</td><td>Yes</td><td></td><td></td></tr><tr><td>View collections</td><td>Yes</td><td>Yes</td><td>Yes</td><td>Yes</td></tr><tr><td>Update collections</td><td>Yes</td><td>Yes</td><td></td><td></td></tr><tr><td>Delete collections</td><td>Yes</td><td>Yes</td><td></td><td></td></tr></tbody></table>

#### Packages (artifacts and blueprints)

<table><thead><tr><th width="209.44140625">Permission</th><th width="93.48046875">Admin</th><th width="95.4375">Builder</th><th width="107.83203125">Deployer</th><th width="95.79296875">Viewer</th></tr></thead><tbody><tr><td>Create packages</td><td>Yes</td><td>Yes</td><td></td><td></td></tr><tr><td>View packages</td><td>Yes</td><td>Yes</td><td>Yes</td><td>Yes</td></tr><tr><td>Update packages</td><td>Yes</td><td>Yes</td><td></td><td></td></tr><tr><td>Delete packages</td><td>Yes</td><td>Yes</td><td></td><td></td></tr></tbody></table>

#### Environments and runs

<table><thead><tr><th width="220.79296875">Permission</th><th width="104.40234375">Admin</th><th width="98.32421875">Builder</th><th width="108.10546875">Deployer</th><th width="97.64453125">Viewer</th></tr></thead><tbody><tr><td>Create environments</td><td>Yes</td><td>Yes</td><td>Yes</td><td></td></tr><tr><td>View environments</td><td>Yes</td><td>Yes</td><td>Yes</td><td>Yes</td></tr><tr><td>View run plans</td><td>Yes</td><td>Yes</td><td>Yes</td><td>Yes</td></tr><tr><td>Approve runs</td><td>Yes</td><td>Yes</td><td>Yes</td><td></td></tr></tbody></table>

{% hint style="info" %}
Approving runs from [Slack](/docs/integrations/slack.md) is limited to admins and builders. Deployers can approve runs through the web UI if they are an owner of the collection.
{% endhint %}

#### Secrets

<table><thead><tr><th width="218.02734375">Permission</th><th width="96.03515625">Admin</th><th width="100.640625">Builder</th><th width="109.05859375">Deployer</th><th width="98.4921875">Viewer</th></tr></thead><tbody><tr><td>Create secrets</td><td>Yes</td><td>Yes</td><td></td><td></td></tr><tr><td>View secrets</td><td>Yes</td><td>Yes</td><td>Yes</td><td>Yes</td></tr><tr><td>Update secrets</td><td>Yes</td><td>Yes</td><td></td><td></td></tr><tr><td>Delete secrets</td><td>Yes</td><td>Yes</td><td></td><td></td></tr></tbody></table>

#### Webhooks

<table><thead><tr><th width="221.91015625">Permission</th><th width="93.546875">Admin</th><th width="97.55078125">Builder</th><th width="107.12109375">Deployer</th><th width="99.046875">Viewer</th></tr></thead><tbody><tr><td>Create webhooks</td><td>Yes</td><td>Yes</td><td></td><td></td></tr><tr><td>View webhooks</td><td>Yes</td><td>Yes</td><td>Yes</td><td>Yes</td></tr><tr><td>Update webhooks</td><td>Yes</td><td>Yes</td><td></td><td></td></tr><tr><td>Delete webhooks</td><td>Yes</td><td>Yes</td><td></td><td></td></tr></tbody></table>

#### Users

<table><thead><tr><th width="225.94921875">Permission</th><th width="99.88671875">Admin</th><th width="97.72265625">Builder</th><th width="109.77734375">Deployer</th><th width="96.72265625">Viewer</th></tr></thead><tbody><tr><td>Invite users</td><td>Yes</td><td></td><td></td><td></td></tr><tr><td>View users</td><td>Yes</td><td>Yes</td><td>Yes</td><td>Yes</td></tr><tr><td>Update user roles</td><td>Yes</td><td></td><td></td><td></td></tr><tr><td>Remove users</td><td>Yes</td><td></td><td></td><td></td></tr></tbody></table>

#### Organization and API keys

<table><thead><tr><th width="211.3046875">Permission</th><th width="101.65234375">Admin</th><th width="95.61328125">Builder</th><th width="111.828125">Deployer</th><th width="100.33203125">Viewer</th></tr></thead><tbody><tr><td>View organization</td><td>Yes</td><td>Yes</td><td>Yes</td><td>Yes</td></tr><tr><td>Update organization settings</td><td>Yes</td><td></td><td></td><td></td></tr><tr><td>Create API keys</td><td>Yes</td><td></td><td></td><td></td></tr><tr><td>View API keys</td><td>Yes</td><td></td><td></td><td></td></tr><tr><td>Update API keys</td><td>Yes</td><td></td><td></td><td></td></tr></tbody></table>

{% hint style="info" %}
Long-lived API tokens have a **fixed set of permissions** that do not correspond to any user role. They cannot perform Admin-only actions such as inviting users or changing organization settings. See [API Authentication](https://bluebricks.co/docs/api/authenticate/authentication) for details.
{% endhint %}

#### Other resources

<table><thead><tr><th width="210.90625">Permission</th><th width="93.56640625">Admin</th><th width="97.21484375">Builder</th><th width="110.85546875">Deployer</th><th width="99.66015625">Viewer</th></tr></thead><tbody><tr><td>View tasks</td><td>Yes</td><td>Yes</td><td>Yes</td><td>Yes</td></tr><tr><td>View rescue operations</td><td>Yes</td><td>Yes</td><td>Yes</td><td>Yes</td></tr><tr><td>View vendors</td><td>Yes</td><td>Yes</td><td>Yes</td><td>Yes</td></tr></tbody></table>

### Recommended role mapping for common teams

<table><thead><tr><th width="366.203125">Team function</th><th width="324.50390625">Recommended role</th></tr></thead><tbody><tr><td>Platform / DevOps lead</td><td>Admin</td></tr><tr><td>Infrastructure engineer</td><td>Builder</td></tr><tr><td>Application developer (deploys only)</td><td>Deployer</td></tr><tr><td>CI/CD service account</td><td>Deployer</td></tr><tr><td>Engineering manager / stakeholder</td><td>Viewer</td></tr></tbody></table>

## Account roles vs. collection membership

Bluebricks separates **what** a user can do (account-level role) from **where** they can do it ([collection membership](/docs/orchestration/collections/owners-and-members.md)).

* **Account-level role**: Assigned in **Account Settings > Users**. Defines the user's permissions across the entire organization. A user has exactly one account role.
* **Collection membership**: Assigned in **Collection Settings > Members**. Determines which collections a user can access and whether they are an owner or member of that collection.

Both layers must align for a user to act on a resource. Non-admin users must be assigned to a collection before they can act on its resources; without collection membership, requests will be rejected regardless of the user's account role. For example, a user with the Builder role can create packages, but they can only deploy to collections where they are an assigned member.

{% hint style="info" icon="user-key" %}
Admins can manage any collection, even if they are not listed as a member or owner of that collection.
{% endhint %}

### How the layers work together

<table><thead><tr><th width="193.90234375">Scenario</th><th width="130.0546875">Account role</th><th width="128.92578125">Collection membership</th><th width="292.64453125">Result</th></tr></thead><tbody><tr><td>Platform lead needs full control</td><td>Admin</td><td>Owner</td><td>Full access to the organization</td></tr><tr><td>Engineer authors IaC for a team</td><td>Builder</td><td>Member</td><td>Can create and publish packages; can deploy to member collections</td></tr><tr><td>CI/CD pipeline deploys to production</td><td>Deployer</td><td>Member</td><td>Can run deployments in member collections; cannot modify packages or settings</td></tr><tr><td>Manager reviews infrastructure state</td><td>Viewer</td><td>Member</td><td>Can view all resources in member collections; cannot make changes</td></tr></tbody></table>
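To make the two-layer rule concrete, the following Python model is an added example written for this page, not Bluebricks' own implementation. It encodes a subset of the permission tables above plus the membership, admin-override and Slack-approval rules, and re-derives the scenario rows; the permission strings (`package.create`, `run.approve`, ...) are assumed identifiers chosen for the example.

```python
"""Model of the authorization rules described on this page.
Example code written for this page; not Bluebricks' own implementation."""
from enum import Enum


class Role(Enum):
    ADMIN = "Admin"
    BUILDER = "Builder"
    DEPLOYER = "Deployer"
    VIEWER = "Viewer"


# Condensed from the permission tables above. Permission names are
# assumed identifiers for this example; view rights go to every role.
ALL = {Role.ADMIN, Role.BUILDER, Role.DEPLOYER, Role.VIEWER}
WRITE = {Role.ADMIN, Role.BUILDER}
PERMISSIONS = {
    "package.create": WRITE, "package.update": WRITE, "package.delete": WRITE,
    "package.view": ALL,
    "environment.create": WRITE | {Role.DEPLOYER},
    "run.approve": WRITE | {Role.DEPLOYER},
    "run.view_plan": ALL,
    "user.invite": {Role.ADMIN}, "apikey.create": {Role.ADMIN},
}


def can(role, permission, is_member=False, is_owner=False, via_slack=False):
    """Layer 1: the account role must include the permission.
    Layer 2: non-admins must belong to the collection they act on."""
    if role not in PERMISSIONS.get(permission, set()):
        return False
    if role is Role.ADMIN:
        return True  # admins can manage any collection without membership
    in_collection = is_member or is_owner
    if permission == "run.approve":
        if via_slack and role is not Role.BUILDER:
            return False  # Slack approvals are limited to admins and builders
        if role is Role.DEPLOYER:
            return is_owner  # web UI only, and only as owner of the collection
    return in_collection


def scenario_results():
    """Re-derive the 'How the layers work together' rows and hints above."""
    return {
        "builder_member_creates_package": can(Role.BUILDER, "package.create", is_member=True),
        "builder_nonmember_creates_package": can(Role.BUILDER, "package.create"),
        "deployer_member_updates_package": can(Role.DEPLOYER, "package.update", is_member=True),
        "deployer_owner_approves_web": can(Role.DEPLOYER, "run.approve", is_owner=True),
        "deployer_owner_approves_slack": can(Role.DEPLOYER, "run.approve", is_owner=True, via_slack=True),
        "viewer_member_views_plan": can(Role.VIEWER, "run.view_plan", is_member=True),
        "admin_nonmember_deletes_package": can(Role.ADMIN, "package.delete"),
        "builder_owner_invites_user": can(Role.BUILDER, "user.invite", is_owner=True),
    }
```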

## What's next?

<table data-view="cards"><thead><tr><th></th><th data-hidden data-card-cover data-type="image">Cover image</th><th data-hidden data-card-target data-type="content-ref"></th></tr></thead><tbody><tr><td>Set collection-level access in <strong>Owners and Members</strong></td><td><a href="/files/uFdGSgeUhiskZxj2uPFK">/files/uFdGSgeUhiskZxj2uPFK</a></td><td><a href="/pages/3Uu2sNFNMlBLNB5XuEiw">/pages/3Uu2sNFNMlBLNB5XuEiw</a></td></tr><tr><td>Create governance rules for collections with <strong>policies</strong></td><td><a href="/files/4h9Qftdzrc8tnJzvmX7I">/files/4h9Qftdzrc8tnJzvmX7I</a></td><td><a href="/pages/JCmPkQRxdAeqDtUKS00A">/pages/JCmPkQRxdAeqDtUKS00A</a></td></tr><tr><td>Set up <strong>Single-Sign-On</strong></td><td><a href="/files/3gwL63m9ZfSJSeSyiwop">/files/3gwL63m9ZfSJSeSyiwop</a></td><td><a href="/pages/xrqBgD3qEhNEHaPrW141">/pages/xrqBgD3qEhNEHaPrW141</a></td></tr><tr><td>Set the <strong>CLI authentication</strong></td><td><a href="/files/QNS26wrpvvMA7pTdW5Sc">/files/QNS26wrpvvMA7pTdW5Sc</a></td><td><a href="/pages/P6ISR6P7N7SAHSyila5a">/pages/P6ISR6P7N7SAHSyila5a</a></td></tr><tr><td>Learn about <strong>API token management</strong></td><td><a href="/files/MdKoWlA6AAaCoW5J77Im">/files/MdKoWlA6AAaCoW5J77Im</a></td><td><a href="https://bluebricks.co/docs/api/authenticate/authentication">https://bluebricks.co/docs/api/authenticate/authentication</a></td></tr></tbody></table>

