# Roles and Permissions

## Overview

Bluebricks uses role-based access control (RBAC) to govern who can do what across your organization. Every user is assigned one account-level role that determines their permissions for all resources: clouds, collections, packages, environments, secrets, webhooks, and more.

{% hint style="info" icon="bookmark" %}
Account-level roles control what a user can do. Collection membership controls where they can do it. See [Owners and Members](https://bluebricks.co/docs/core-concepts/collections/owners-and-members) for collection-level access.
{% endhint %}

## Roles

Bluebricks defines five roles, ordered from most to least privileged: **Admin**, **Builder**, **Deployer**, **Viewer**, and **Guest**.

Read more about each role:

{% tabs %}
{% tab title="Admin" %}
**Admins have full access** to every resource and action in the organization. Admins manage users, configure organization settings, create API keys, and govern all collections, packages, and environments.

Assign this role to platform team leads and organization owners.
{% endtab %}

{% tab title="Builder" %}
**Builders can create and manage** infrastructure packages (artifacts and blueprints), collections, clouds, secrets, and webhooks. Builders can also initiate and manage deployments. They cannot invite or manage users, change organization settings, or create API keys.

Assign this role to infrastructure engineers who author and maintain IaC.
{% endtab %}

{% tab title="Deployer" %}
**Deployers can initiate runs and approve or apply plans.** Deployers have the same read access as Viewers (collections, packages, clouds, and the other resources listed in the permission tables below) and can create environments, but they cannot create or modify infrastructure definitions such as packages, clouds, secrets, or webhooks. Deployers see only the **Deploy** and **Plan** pages.

Assign this role to operations engineers or CI/CD service accounts that run deployments without authoring IaC.
{% endtab %}

{% tab title="Viewer" %}
**Viewers have read-only access** to all resources. Viewers can browse collections, packages, environments, clouds, and organization data but cannot create, modify, or delete anything.

Assign this role to stakeholders, auditors, or team members who need visibility without write access.
{% endtab %}

{% tab title="Guest" %}
Minimal access. **Guests can only view deployment plans**. Guests see only the **Planner** page.

Use this role for external reviewers or stakeholders who need to review a specific deployment plan without accessing any other part of the platform.
{% endtab %}
{% endtabs %}

{% hint style="info" %}
New users who log in without a pre-assigned role are automatically assigned the **Deployer** role. Because Deployers can approve and apply runs in any collection they are a member of, review the role of anyone who joins this way and lower it to **Viewer** if they do not need to deploy.
{% endhint %}

## How to invite new users or change roles

Users are managed in **Account Settings >** [**Users**](https://app.bluebricks.co/settings?tab=members). From there you can invite a user, change a user's role, or remove a user.

{% hint style="info" icon="user-key" %}
Only Admins can invite users and change roles.
{% endhint %}

<details open>

<summary>Invite new users</summary>

To invite a new user from account settings:

1. Click **Invite user**
2. Add the new user's **email**
3. Select the **desired role** from the dropdown
4. Click **Invite**

</details>

<details>

<summary>Change role of existing user</summary>

To change a user's role from account settings:

1. Find the **user's name** in Account Settings > Users
2. In the dropdown menu, select their new **role**

</details>

<details>

<summary>Remove user</summary>

To remove a user from account settings:

1. Find the user's name in Account Settings > Users
2. Click the **three-dot menu** > click **Remove**

</details>

<details>

<summary>Add a guest</summary>

The Guest role cannot be assigned manually through the invite flow.

</details>

## What each role can do

The tables below show every permission and which roles include it.

#### Cloud accounts

<table><thead><tr><th width="201.921875">Permission</th><th width="98.4296875">Admin</th><th width="95.765625">Builder</th><th width="109">Deployer</th><th width="99.71484375">Viewer</th><th width="96.03515625">Guest</th></tr></thead><tbody><tr><td>Create cloud accounts</td><td>Yes</td><td>Yes</td><td></td><td></td><td></td></tr><tr><td>View cloud accounts</td><td>Yes</td><td>Yes</td><td>Yes</td><td>Yes</td><td></td></tr><tr><td>Delete cloud accounts</td><td>Yes</td><td>Yes</td><td></td><td></td><td></td></tr></tbody></table>

#### Collections

<table><thead><tr><th width="202.2890625">Permission</th><th width="102.36328125">Admin</th><th width="104.8515625">Builder</th><th width="108.4375">Deployer</th><th width="102.19140625">Viewer</th><th width="93.7578125">Guest</th></tr></thead><tbody><tr><td>Create collections</td><td>Yes</td><td>Yes</td><td></td><td></td><td></td></tr><tr><td>View collections</td><td>Yes</td><td>Yes</td><td>Yes</td><td>Yes</td><td></td></tr><tr><td>Update collections</td><td>Yes</td><td>Yes</td><td></td><td></td><td></td></tr><tr><td>Delete collections</td><td>Yes</td><td>Yes</td><td></td><td></td><td></td></tr></tbody></table>

#### Packages (artifacts and blueprints)

<table><thead><tr><th width="209.44140625">Permission</th><th width="93.48046875">Admin</th><th width="95.4375">Builder</th><th width="107.83203125">Deployer</th><th width="95.79296875">Viewer</th><th width="95.12109375">Guest</th></tr></thead><tbody><tr><td>Create packages</td><td>Yes</td><td>Yes</td><td></td><td></td><td></td></tr><tr><td>View packages</td><td>Yes</td><td>Yes</td><td>Yes</td><td>Yes</td><td></td></tr><tr><td>Update packages</td><td>Yes</td><td>Yes</td><td></td><td></td><td></td></tr><tr><td>Delete packages</td><td>Yes</td><td>Yes</td><td></td><td></td><td></td></tr></tbody></table>

#### Environments and runs

<table><thead><tr><th width="220.79296875">Permission</th><th width="104.40234375">Admin</th><th width="98.32421875">Builder</th><th width="108.10546875">Deployer</th><th width="97.64453125">Viewer</th><th width="91.5">Guest</th></tr></thead><tbody><tr><td>Create environments</td><td>Yes</td><td>Yes</td><td>Yes</td><td></td><td></td></tr><tr><td>View environments</td><td>Yes</td><td>Yes</td><td>Yes</td><td>Yes</td><td></td></tr><tr><td>View run plans</td><td>Yes</td><td>Yes</td><td>Yes</td><td>Yes</td><td>Yes</td></tr><tr><td>Approve and apply runs</td><td>Yes</td><td>Yes</td><td>Yes</td><td></td><td></td></tr></tbody></table>

#### Secrets

<table><thead><tr><th width="218.02734375">Permission</th><th width="96.03515625">Admin</th><th width="100.640625">Builder</th><th width="109.05859375">Deployer</th><th width="98.4921875">Viewer</th><th width="93.25390625">Guest</th></tr></thead><tbody><tr><td>Create secrets</td><td>Yes</td><td>Yes</td><td></td><td></td><td></td></tr><tr><td>View secrets</td><td>Yes</td><td>Yes</td><td>Yes</td><td>Yes</td><td></td></tr><tr><td>Update secrets</td><td>Yes</td><td>Yes</td><td></td><td></td><td></td></tr><tr><td>Delete secrets</td><td>Yes</td><td>Yes</td><td></td><td></td><td></td></tr></tbody></table>

#### Webhooks

<table><thead><tr><th width="221.91015625">Permission</th><th width="93.546875">Admin</th><th width="97.55078125">Builder</th><th width="107.12109375">Deployer</th><th width="99.046875">Viewer</th><th width="93.4140625">Guest</th></tr></thead><tbody><tr><td>Create webhooks</td><td>Yes</td><td>Yes</td><td></td><td></td><td></td></tr><tr><td>View webhooks</td><td>Yes</td><td>Yes</td><td>Yes</td><td>Yes</td><td></td></tr><tr><td>Update webhooks</td><td>Yes</td><td>Yes</td><td></td><td></td><td></td></tr><tr><td>Delete webhooks</td><td>Yes</td><td>Yes</td><td></td><td></td><td></td></tr></tbody></table>

#### Users

<table><thead><tr><th width="225.94921875">Permission</th><th width="99.88671875">Admin</th><th width="97.72265625">Builder</th><th width="109.77734375">Deployer</th><th width="96.72265625">Viewer</th><th width="90.39453125">Guest</th></tr></thead><tbody><tr><td>Invite users</td><td>Yes</td><td></td><td></td><td></td><td></td></tr><tr><td>View users</td><td>Yes</td><td>Yes</td><td>Yes</td><td>Yes</td><td></td></tr><tr><td>Update user roles</td><td>Yes</td><td></td><td></td><td></td><td></td></tr><tr><td>Remove users</td><td>Yes</td><td></td><td></td><td></td><td></td></tr></tbody></table>

#### Organization and API keys

<table><thead><tr><th width="211.3046875">Permission</th><th width="101.65234375">Admin</th><th width="95.61328125">Builder</th><th width="111.828125">Deployer</th><th width="100.33203125">Viewer</th><th width="92.73046875">Guest</th></tr></thead><tbody><tr><td>View organization</td><td>Yes</td><td>Yes</td><td>Yes</td><td>Yes</td><td></td></tr><tr><td>Update organization settings</td><td>Yes</td><td></td><td></td><td></td><td></td></tr><tr><td>Create API keys</td><td>Yes</td><td></td><td></td><td></td><td></td></tr><tr><td>View API keys</td><td>Yes</td><td></td><td></td><td></td><td></td></tr><tr><td>Update API keys</td><td>Yes</td><td></td><td></td><td></td><td></td></tr></tbody></table>

{% hint style="info" %}
Long-lived API tokens have a **fixed set of permissions** that do not correspond to any user role. They cannot perform Admin-only actions such as inviting users or changing organization settings. See [API Authentication](https://bluebricks.co/docs/api/authenticate/authentication) for details.
{% endhint %}

#### Other resources

<table><thead><tr><th width="210.90625">Permission</th><th width="93.56640625">Admin</th><th width="97.21484375">Builder</th><th width="110.85546875">Deployer</th><th width="99.66015625">Viewer</th><th width="89.54296875">Guest</th></tr></thead><tbody><tr><td>View tasks</td><td>Yes</td><td>Yes</td><td>Yes</td><td>Yes</td><td></td></tr><tr><td>View rescue operations</td><td>Yes</td><td>Yes</td><td>Yes</td><td>Yes</td><td></td></tr><tr><td>View vendors</td><td>Yes</td><td>Yes</td><td>Yes</td><td>Yes</td><td></td></tr></tbody></table>

### Recommended role mapping for common teams

<table><thead><tr><th width="366.203125">Team function</th><th width="324.50390625">Recommended role</th></tr></thead><tbody><tr><td>Platform / DevOps lead</td><td>Admin</td></tr><tr><td>Infrastructure engineer</td><td>Builder</td></tr><tr><td>Application developer (deploys only)</td><td>Deployer</td></tr><tr><td>CI/CD service account</td><td>Deployer</td></tr><tr><td>Engineering manager / stakeholder</td><td>Viewer</td></tr><tr><td>External auditor or reviewer</td><td>Guest</td></tr></tbody></table>

## Account roles vs. collection membership

Bluebricks separates **what** a user can do (account-level role) from **where** they can do it ([collection membership](https://bluebricks.co/docs/core-concepts/collections/owners-and-members)).

* **Account-level role**: Assigned in **Account Settings > Users**. Defines the user's permissions across the entire organization. A user has exactly one account role.
* **Collection membership**: Assigned in **Collection Settings > Members**. Determines which collections a user can access and whether they are an owner or member of that collection.

Both layers must align for a user to act on a resource. For example, a user with the Builder role can create packages, but they can only deploy to collections where they are an assigned member.

{% hint style="info" icon="user-key" %}
Admins can manage any collection, even if they are not listed as a member or owner of that collection.
{% endhint %}

### How the layers work together

<table><thead><tr><th width="193.90234375">Scenario</th><th width="130.0546875">Account role</th><th width="128.92578125">Collection membership</th><th width="292.64453125">Result</th></tr></thead><tbody><tr><td>Platform lead needs full control</td><td>Admin</td><td>Owner</td><td>Full access to the organization</td></tr><tr><td>Engineer authors IaC for a team</td><td>Builder</td><td>Member</td><td>Can create and publish packages; can deploy to member collections</td></tr><tr><td>CI/CD pipeline deploys to production</td><td>Deployer</td><td>Member</td><td>Can run deployments in member collections; cannot modify packages or settings</td></tr><tr><td>Manager reviews infrastructure state</td><td>Viewer</td><td>Member</td><td>Can view all resources in member collections; cannot make changes</td></tr><tr><td>External reviewer checks a plan</td><td>Guest</td><td>n/a</td><td>Can view deployment plans only; no collection-level access needed</td></tr></tbody></table>

## What's next?

<table data-view="cards"><thead><tr><th></th><th data-hidden data-card-cover data-type="image">Cover image</th><th data-hidden data-card-target data-type="content-ref"></th></tr></thead><tbody><tr><td>Set collection-level access in <strong>Owners and Members</strong></td><td><a href="https://454695563-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FL1aVoJ67VgVl8Uv83TuE%2Fuploads%2FxC2sGaWHhnyovno14pmQ%2FOwners%20and%20Members.png?alt=media&#x26;token=81f512bf-3dc7-49b1-b4af-725e365ab1d4">Owners and Members.png</a></td><td><a href="../core-concepts/collections/owners-and-members">owners-and-members</a></td></tr><tr><td>Create governance rules for collections with <strong>policies</strong></td><td><a href="https://454695563-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FL1aVoJ67VgVl8Uv83TuE%2Fuploads%2FQC4vqfOdlc0cD1F3hAzh%2FPolicies.png?alt=media&#x26;token=49d9bb0a-cabb-4bc1-ae3c-4f3f297cf805">Policies.png</a></td><td><a href="../core-concepts/collections/policies">policies</a></td></tr><tr><td>Set up <strong>Single-Sign-On</strong></td><td><a href="https://454695563-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FL1aVoJ67VgVl8Uv83TuE%2Fuploads%2FD0PCEri7o7YP1RvJEpYX%2FSSO.png?alt=media&#x26;token=ea852b14-8e41-4ff0-b8b6-e316331c1d7d">SSO.png</a></td><td><a href="setup-single-sign-on-sso">setup-single-sign-on-sso</a></td></tr><tr><td>Set the <strong>CLI authentication</strong></td><td><a href="https://454695563-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FL1aVoJ67VgVl8Uv83TuE%2Fuploads%2Fs4CatIl2wwNTuSZSfsct%2FAuthentication%20CLI.png?alt=media&#x26;token=05bfd360-27b4-4061-9f1b-ddf88f6a6d8c">Authentication CLI.png</a></td><td><a href="../bricks-cli/authentication">authentication</a></td></tr><tr><td>Learn about <strong>API token management</strong></td><td><a 
href="https://454695563-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FL1aVoJ67VgVl8Uv83TuE%2Fuploads%2F3CdhzY2Om4xQMX9EG581%2FAuthentication%20AI.png?alt=media&#x26;token=eba481c7-439c-487a-acb4-2a9afe8d1d93">Authentication AI.png</a></td><td><a href="https://bluebricks.co/docs/api/authenticate/authentication">https://bluebricks.co/docs/api/authenticate/authentication</a></td></tr></tbody></table>
