Skip to main content
Your organization role — Owner, Admin, or Member — scopes what you can do inside your organization. Every action you take is checked against your role. If your role doesn’t permit something, the control affecting it is hidden or disabled in the UI, and the request is refused.

Organization roles

Each member of an organization holds exactly one role. To act in two organizations with different permissions, you need a separate membership in each.
RoleWhat they can do
OwnerEverything below, plus: assign the Admin role and remove any non-owner member. Each user can own only one organization.
AdminConnect executors and deploy, configure, upgrade, and delete nodes. Manage API keys. Configure notifications and labels. Invite Members, change a member’s role to Member, and act on members (block, restore).
MemberRead-only access to everything in the organization: executors, nodes, metrics, logs, audit events, releases, labels, and notification settings.
Roles are ranked: Owner > Admin > Member. A higher role can do everything a lower one can.

Who can manage whom

Member management lives on the Members page.
  • Owners can invite Members and Admins, change any non-owner’s role, and remove any non-owner member.
  • Admins can invite Members and act on existing Members. They cannot grant the Admin role, change an Admin’s role, or remove a member — those are owner-only.
  • No one can change or remove an Owner through the UI. A user can own only one organization at a time.
The role picker and member actions you see are filtered to what your role allows, so the table above is also exactly what the UI offers you.

How access is enforced

  • People sign in through the browser; your session carries your organization role.
  • Executors authenticate with an organization-scoped API key (prefixed exc_), created in the Connect an executor flow. An API key can only sync executor state — it can’t act as a person or read across organizations.
  • Tenant isolation. Every read and write is scoped to your active organization. A request for data outside it returns nothing rather than leaking another org’s rows.