Roles and Permissions

Understand permissions for each role in your account

Overview

Bluebricks uses role-based access control (RBAC) to govern who can do what across your organization. Every user is assigned one account-level role that determines their permissions for all resources: clouds, collections, packages, environments, secrets, webhooks, and more.

Account-level roles control what a user can do. Collection membership controls where they can do it. See Owners and Members for collection-level access.

Roles

Bluebricks defines five roles, ordered from most to least privileged: Admin, Builder, Deployer, Viewer, and Guest.

Read more about each role:

Admins have full access to every resource and action in the organization. Admins manage users, configure organization settings, create API keys, and govern all collections, packages, and environments.

Assign this role to platform team leads and organization owners.

New users who log in without a pre-assigned role are automatically assigned the Deployer role.

How to invite new users or change roles

Users are managed in Account Settings > Users. From there you can invite a user, change a user's role, or remove a user.

Only Admins can invite users and change roles.

Invite new users

To invite a new user from account settings:

  1. Click Invite user

  2. Add the new user's email

  3. Select the desired role from the dropdown

  4. Click Invite

Change role of existing user

To change a user's role from account settings:

  1. Find the user's name in Account Settings > Users

  2. In the dropdown menu, select their new role

Remove user

To remove a user from account settings:

  1. Find the user's name in Account Settings > Users

  2. Click the three-dot menu > click remove

Add a guest

The Guest role cannot be assigned manually through the invite flow.

What each role can do

The tables below show every permission and which roles include it.

Cloud accounts

| Permission | Admin | Builder | Deployer | Viewer | Guest |
|---|---|---|---|---|---|
| Create cloud accounts | Yes | Yes | | | |
| View cloud accounts | Yes | Yes | Yes | Yes | |
| Delete cloud accounts | Yes | Yes | | | |

Collections

| Permission | Admin | Builder | Deployer | Viewer | Guest |
|---|---|---|---|---|---|
| Create collections | Yes | Yes | | | |
| View collections | Yes | Yes | Yes | Yes | |
| Update collections | Yes | Yes | | | |
| Delete collections | Yes | Yes | | | |

Packages (artifacts and blueprints)

| Permission | Admin | Builder | Deployer | Viewer | Guest |
|---|---|---|---|---|---|
| Create packages | Yes | Yes | | | |
| View packages | Yes | Yes | Yes | Yes | |
| Update packages | Yes | Yes | | | |
| Delete packages | Yes | Yes | | | |

Environments and runs

| Permission | Admin | Builder | Deployer | Viewer | Guest |
|---|---|---|---|---|---|
| Create environments | Yes | Yes | Yes | | |
| View environments | Yes | Yes | Yes | Yes | |
| View run plans | Yes | Yes | Yes | Yes | Yes |
| Approve and apply runs | Yes | Yes | Yes | | |

Secrets

| Permission | Admin | Builder | Deployer | Viewer | Guest |
|---|---|---|---|---|---|
| Create secrets | Yes | Yes | | | |
| View secrets | Yes | Yes | Yes | Yes | |
| Update secrets | Yes | Yes | | | |
| Delete secrets | Yes | Yes | | | |

Webhooks

| Permission | Admin | Builder | Deployer | Viewer | Guest |
|---|---|---|---|---|---|
| Create webhooks | Yes | Yes | | | |
| View webhooks | Yes | Yes | Yes | Yes | |
| Update webhooks | Yes | Yes | | | |
| Delete webhooks | Yes | Yes | | | |

Users

| Permission | Admin | Builder | Deployer | Viewer | Guest |
|---|---|---|---|---|---|
| Invite users | Yes | | | | |
| View users | Yes | Yes | Yes | Yes | |
| Update user roles | Yes | | | | |
| Remove users | Yes | | | | |

Organization and API keys

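| Permission | Admin | Builder | Deployer | Viewer | Guest |
|---|---|---|---|---|---|
| View organization | Yes | Yes | Yes | Yes | |
| Update organization settings | Yes | | | | |
| Create API keys | Yes | | | | |
| View API keys | Yes | | | | |
| Update API keys | Yes | | | | |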

Other resources

| Permission | Admin | Builder | Deployer | Viewer | Guest |
|---|---|---|---|---|---|
| View tasks | Yes | Yes | Yes | Yes | |
| View rescue operations | Yes | Yes | Yes | Yes | |
| View vendors | Yes | Yes | Yes | Yes | |

| Team function | Recommended role |
|---|---|
| Platform / DevOps lead | Admin |
| Infrastructure engineer | Builder |
| Application developer (deploys only) | Deployer |
| CI/CD service account | Deployer |
| Engineering manager / stakeholder | Viewer |
| External auditor or reviewer | Guest |

Account roles vs. collection membership

Bluebricks separates what a user can do (account-level role) from where they can do it (collection membership).

  • Account-level role: Assigned in Account Settings > Users. Defines the user's permissions across the entire organization. A user has exactly one account role.

  • Collection membership: Assigned in Collection Settings > Members. Determines which collections a user can access and whether they are an owner or member of that collection.

Both layers must align for a user to act on a resource. For example, a user with the Builder role can create packages, but they can only deploy to collections where they are an assigned member.

Admins can manage any collection, even if they are not listed as a member or owner of that collection.

How the layers work together

| Scenario | Account role | Collection membership | Result |
|---|---|---|---|
| Platform lead needs full control | Admin | Owner | Full access to the organization |
| Engineer authors IaC for a team | Builder | Member | Can create and publish packages; can deploy to member collections |
| CI/CD pipeline deploys to production | Deployer | Member | Can run deployments in member collections; cannot modify packages or settings |
| Manager reviews infrastructure state | Viewer | Member | Can view all resources in member collections; cannot make changes |
| External reviewer checks a plan | Guest | n/a | Can view deployment plans only; no collection-level access needed |
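
The two-layer decision described above, as an added Python example (a model written for this page, not Bluebricks code or its API). The permission keys, user names and collection names are hypothetical; the role-to-permission rows follow the tables on this page, and the model assumes these three actions are collection-scoped.

```python
# Added illustration: a model of the two-layer check, not Bluebricks code.
from dataclasses import dataclass, field

# Layer 1 (account role): three rows taken from this page's permission tables.
# The permission keys are hypothetical labels for those rows.
ROLE_PERMISSIONS = {
    "Admin":    {"apply_runs", "view_environments", "view_run_plans"},
    "Builder":  {"apply_runs", "view_environments", "view_run_plans"},
    "Deployer": {"apply_runs", "view_environments", "view_run_plans"},
    "Viewer":   {"view_environments", "view_run_plans"},
    "Guest":    {"view_run_plans"},
}

@dataclass
class User:
    name: str
    role: str                                       # exactly one account role
    collections: set = field(default_factory=set)   # layer 2: memberships

def is_allowed(user, permission, collection):
    """Return (allowed, reason) for one action on a resource in `collection`."""
    if permission not in ROLE_PERMISSIONS.get(user.role, set()):
        return False, f"role {user.role} lacks {permission}"   # unknown role: deny
    if user.role == "Admin":
        return True, "Admin can manage any collection"
    if user.role == "Guest":
        return True, "Guest plan viewing needs no collection-level access"
    if collection in user.collections:
        return True, f"member of {collection}"
    return False, f"not a member of {collection}"

def who_can(users, permission, collection):
    """Access review: names of users who can perform `permission` in `collection`."""
    return sorted(u.name for u in users if is_allowed(u, permission, collection)[0])

# Constructed sample accounts (not real data).
USERS = [
    User("alice", "Admin"),                  # no membership, still allowed
    User("bob", "Builder", {"team-a"}),
    User("ci-prod", "Deployer", {"prod"}),
    User("new-hire", "Deployer"),            # default role, no collections yet
    User("mona", "Viewer", {"prod"}),
    User("auditor", "Guest"),
]

if __name__ == "__main__":
    for perm in ("apply_runs", "view_run_plans"):
        print(perm, "in prod:", who_can(USERS, perm, "prod"))
```

In this model a user who holds the default Deployer role but has no collection membership cannot apply runs anywhere, so an access review has to read both layers to list who can actually deploy to a given collection.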
