Skip to Content
OrganizationsRoles & Permissions

Roles & Permissions

OpenFactory uses role-based access control (RBAC) at every organizational level.

Role Hierarchy

Organization Level
├── owner
├── admin
└── member

Unit Level
├── unit_admin
├── base_creator
├── base_approver
└── member

Team Level
├── team_lead
├── variant_creator
├── variant_deployer
└── variant_viewer

Organization Roles

Owner

Full control over the organization.

PermissionAccess
Delete organization
Transfer ownership
Manage all members
Manage all settings
Create/delete units
All admin permissions

Note: There is exactly one owner per organization. Ownership can be transferred but not shared.

Admin

Administrative access without full ownership.

PermissionAccess
Invite/remove members
Change member roles
Create/delete units
Create/delete groups
View organization stats
Manage sharing settings

Member

Standard organization membership.

PermissionAccess
View organization
Participate in units/teams
Create builds
Share within org

Unit Roles

Unit Admin

Full control over a unit.

PermissionAccess
Manage unit members
Create/delete teams
Approve base images
Create base images
All base operations

Base Creator

Create and manage base images (golden images).

PermissionAccess
Create base variants
Edit base variants
Submit for approval
View unit resources

Base Approver

Approve base images for deployment.

PermissionAccess
Approve base variants
Reject submissions
View pending approvals
View unit resources

Member

Basic unit membership.

PermissionAccess
View unit resources
Participate in teams
Use approved bases

Team Roles

Team Lead

Full control over a team.

PermissionAccess
Manage team members
Share outside team
Approve deployments
All variant permissions

Variant Creator

Create and modify variant configurations.

PermissionAccess
Create variants
Edit own variants
Edit shared variants
Submit for deployment

Variant Deployer

Deploy variants to builds.

PermissionAccess
Deploy approved variants
Trigger builds
View deployment history

Variant Viewer

Read-only access to team variants.

PermissionAccess
View team variants
View build results
Download ISOs

Permission Matrix

Organization Operations

OperationOwnerAdminMember
Delete org--
Transfer ownership--
Manage admins--
Manage members-
Create units-
Create groups-
View stats-
Create builds

Unit Operations

OperationUnit AdminBase CreatorBase ApproverMember
Manage members---
Create teams---
Create base--
Approve base--
Use base

Team Operations

OperationTeam LeadCreatorDeployerViewer
Manage members---
Share externally---
Create variant--
Deploy variant--
View variant

Role Badges

Roles are displayed with color-coded badges in the UI:

RoleColor
ownerRed
adminOrange
unit_adminPurple
base_creatorBlue
base_approverGreen
team_leadIndigo
variant_creatorCyan
variant_deployerTeal
viewer/memberGray

Changing Roles

At Organization Level

  1. Go to organization settings
  2. Open Members tab
  3. Click member’s current role
  4. Select new role
  5. Save changes

At Unit/Team Level

Same process within unit or team settings.

Role Inheritance

Higher roles inherit lower role permissions:

  • owner has all admin permissions
  • admin has all member permissions
  • unit_admin has all unit member permissions
  • team_lead has all team member permissions

Best Practices

  1. Least privilege - Assign minimum necessary permissions
  2. Regular audits - Review role assignments periodically
  3. Document decisions - Track why roles were assigned
  4. Use groups - Simplify management with groups
  5. Separate concerns - Use units to isolate responsibilities
OrganizationsSharing