Roles & Permissions (RBAC)
Owner / Admin / Member / Viewer at organization and project layers. Full permission matrix, invitation states, seat limits, audit logs.
Roles & Permissions
AegisRunner uses role-based access control at two layers: organization (your whole workspace) and project (one website). A user can hold different roles in different projects of the same organization. An org-level Owner or Admin role acts as a floor on every project, while org Members and Viewers only get the project roles they are explicitly given.
The four roles
| Role | What they can do |
|---|---|
| Owner | Everything: billing, deleting projects, deleting the workspace itself. An organization always has at least one Owner. |
| Admin | Manages projects, members, settings. Cannot touch billing or delete the workspace. |
| Member | Day-to-day work — runs scans and tests, edits suites, views results in their projects. |
| Viewer | Read-only across the projects they're added to. |
Two layers
Organization roles
Set when someone is invited to the organization. Org Owners and Admins are automatically granted the Owner and Admin role, respectively, on every project, so there is no need to add them per project.
Project roles
Set when someone is added to a specific project. Org Members and Viewers don't get any project access by default; they need to be explicitly added.
How they combine
The user's effective role on a project is the highest of:
- the project role auto-granted by their org role (Owner or Admin only; Members and Viewers get no auto-grant);
- their explicit project role, if any.
Because the auto-grant is a floor, you can't downgrade an Org Owner inside a project: they remain a Project Owner everywhere. For the same reason an Org Admin is at least a Project Admin in every project.
Organization permissions
| Action | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| Manage billing & subscription | ✓ | — | — | — |
| Delete the workspace | ✓ | — | — | — |
| Edit organization settings | ✓ | ✓ | — | — |
| Invite / remove members | ✓ | ✓ | — | — |
| Change member roles | ✓ | ✓ | — | — |
| Configure SSO / SAML | ✓ | ✓ | — | — |
| View audit logs | ✓ | ✓ | — | — |
| View workspace dashboard | ✓ | ✓ | ✓ | ✓ |
Project permissions
| Action | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| Create new project | ✓ | ✓ | — | — |
| Delete project | ✓ | — | — | — |
| Edit project settings (name, base URL, login script) | ✓ | ✓ | — | — |
| Add / remove project members | ✓ | ✓ | — | — |
| Configure integrations (CI tokens, webhooks) | ✓ | ✓ | — | — |
| Manage test environments | ✓ | ✓ | — | — |
| Manage tokens / cookies / headers | ✓ | ✓ | — | — |
| Set / clear baseline | ✓ | ✓ | — | — |
| Start scans | ✓ | ✓ | ✓ | — |
| Run test suites | ✓ | ✓ | ✓ | — |
| Create / edit / delete test suites | ✓ | ✓ | ✓ | — |
| Accept / reject visual regression diffs | ✓ | ✓ | ✓ | — |
| View scan results | ✓ | ✓ | ✓ | ✓ |
| View test runs | ✓ | ✓ | ✓ | ✓ |
| Export Playwright code (Pro+) | ✓ | ✓ | ✓ | ✓ |
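The "How they combine" rule and the two permission tables above are easy to get subtly wrong in code (an org Member with no project entry must get nothing, an explicit project role must never be lowered below the org auto-grant, and an unknown action must be denied rather than allowed). The following is an added example, not AegisRunner's own code: the `Role` enum, the action keys and the function names are this example's assumptions, and the tables are transcribed from the matrices above, which are monotone (every higher role has every lower role's permission), so a single minimum role per action is enough.

```python
from enum import IntEnum
from typing import Optional

# Constructed model of the two-layer RBAC described on this page; the enum,
# action keys and function names are this example's own, not AegisRunner's API.


class Role(IntEnum):
    """Ordered so that a higher value always includes a lower one's permissions."""
    VIEWER = 1
    MEMBER = 2
    ADMIN = 3
    OWNER = 4


# Org roles that are auto-granted into every project ("Two layers" above).
# Org Members and Viewers get no project access unless explicitly added.
AUTO_GRANT = {Role.OWNER: Role.OWNER, Role.ADMIN: Role.ADMIN}

# Minimum effective project role per action, transcribed from the project table.
PROJECT_ACTIONS = {
    "create_project": Role.ADMIN,
    "delete_project": Role.OWNER,
    "edit_settings": Role.ADMIN,
    "manage_members": Role.ADMIN,
    "configure_integrations": Role.ADMIN,
    "manage_environments": Role.ADMIN,
    "manage_auth_material": Role.ADMIN,  # tokens / cookies / headers
    "set_baseline": Role.ADMIN,
    "start_scan": Role.MEMBER,
    "run_suite": Role.MEMBER,
    "edit_suite": Role.MEMBER,
    "review_visual_diff": Role.MEMBER,
    "view_results": Role.VIEWER,
    "view_runs": Role.VIEWER,
    "export_playwright": Role.VIEWER,
}

# Minimum org role per action, transcribed from the organization table.
ORG_ACTIONS = {
    "manage_billing": Role.OWNER,
    "delete_workspace": Role.OWNER,
    "edit_org_settings": Role.ADMIN,
    "invite_members": Role.ADMIN,
    "change_member_roles": Role.ADMIN,
    "configure_sso": Role.ADMIN,
    "view_audit_logs": Role.ADMIN,
    "view_dashboard": Role.VIEWER,
}


def effective_project_role(org_role: Role, project_role: Optional[Role]) -> Optional[Role]:
    """Highest of the org auto-grant and the explicit project role; None means no access."""
    candidates = [r for r in (AUTO_GRANT.get(org_role), project_role) if r is not None]
    return max(candidates) if candidates else None


def can_project(org_role: Role, project_role: Optional[Role], action: str) -> bool:
    """Project-level check. Unknown actions are denied rather than raising,
    so a typo in a caller fails closed instead of open."""
    required = PROJECT_ACTIONS.get(action)
    effective = effective_project_role(org_role, project_role)
    return required is not None and effective is not None and effective >= required


def can_org(org_role: Role, action: str) -> bool:
    """Org-level check; same fail-closed treatment of unknown actions."""
    required = ORG_ACTIONS.get(action)
    return required is not None and org_role >= required


def can_assign_project_role(org_role: Role, new_project_role: Role) -> bool:
    """False when the project role would sit below the org auto-grant: the
    effective role is the max of the two, so such an assignment never takes effect."""
    floor = AUTO_GRANT.get(org_role)
    return floor is None or new_project_role >= floor


def assign_project_role(org_role: Role, new_project_role: Role) -> Role:
    """Refuse a no-op downgrade outright instead of storing a value that the
    UI would then display as a change that did not actually happen."""
    if not can_assign_project_role(org_role, new_project_role):
        raise ValueError(
            f"org {org_role.name} is auto-granted project {AUTO_GRANT[org_role].name}; "
            f"cannot assign {new_project_role.name}"
        )
    return new_project_role


if __name__ == "__main__":
    # An org Member added to one project only as Viewer cannot start scans there.
    print(can_project(Role.MEMBER, Role.VIEWER, "start_scan"))  # False
    # An org Admin is a Project Admin everywhere, but only an Owner deletes projects.
    print(can_project(Role.ADMIN, None, "delete_project"))  # False
```

Two design points worth keeping if you model this yourself: compute the effective role at check time from both layers rather than caching it per project (otherwise an org-role change silently leaves stale project grants behind), and deny unknown actions so that a new feature is invisible until someone deliberately adds it to the matrix.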
Inviting people
Owners and Admins (org or project) can send invitations. Two flows:
Organization-wide
- Go to Settings → Team.
- Click Invite.
- Enter email, choose org role, optionally pre-add to projects.
- An invitation email goes out, valid for 7 days.
Project-only
- Open the project, go to the Team tab.
- Click Add Member.
- Pick an existing org member and assign a project role, or invite a new email.
Invitation states
| State | What it means |
|---|---|
| Pending | Email sent, waiting for the recipient to accept. |
| Accepted | User clicked the link and joined. |
| Declined | User explicitly declined. |
| Expired | 7 days passed without action. Re-invite if still wanted. |
| Revoked | An admin cancelled the invite before it was accepted. |
Changing someone's role
From Settings → Team (org level) or the Team tab (project level), click the role dropdown next to a member and pick a new role. Takes effect immediately.
The system enforces at least one Org Owner at all times, so the sole Owner can't demote themselves (or be removed) until another member has been promoted to Owner.
Removing someone
Admins and Owners can remove members. Removed members lose access immediately. Their previously created scans, test edits, and run history remain attributed to them in audit logs.
Plan limits
| Plan | Workspace seats |
|---|---|
| Free | 1 |
| Starter | 1 |
| Pro | 5 |
| Business | 15 |
| Enterprise | Unlimited |
Pending invitations don't count toward your seat limit until accepted. Hitting the cap blocks new invites — upgrade or remove inactive members.
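The invitation states, the role-change and removal rules, and the seat limits above describe one membership lifecycle, and the places it usually breaks are the transitions: an expired invite that is still accepted because nobody ran a cleanup, the last Owner demoting themselves, or ten pending invites all landing on the one remaining seat. The following is an added example, not AegisRunner's own code. The class and method names, the sample workspace and the two checks marked as assumptions (acceptance is re-checked against the seat cap, and nobody may grant or act on a role above their own) are this example's own; the 7-day expiry, the seat table and the at-least-one-Owner rule come from the page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed model of invitations, seat limits and the at-least-one-Owner rule
# described on this page. Names are this example's own, not AegisRunner's API.

INVITE_TTL = timedelta(days=7)  # "valid for 7 days"
DAY = timedelta(days=1)
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for the sample
SEAT_LIMITS = {"free": 1, "starter": 1, "pro": 5, "business": 15, "enterprise": None}
ROLE_RANK = {"viewer": 1, "member": 2, "admin": 3, "owner": 4}


@dataclass
class Invitation:
    email: str
    role: str
    sent_at: datetime
    state: str = "pending"  # pending | accepted | declined | revoked

    def current_state(self, now: datetime) -> str:
        # Expiry is derived from sent_at, never stored, so a stale pending row
        # cannot be accepted late just because no cleanup job ran.
        if self.state == "pending" and now - self.sent_at > INVITE_TTL:
            return "expired"
        return self.state


@dataclass
class Workspace:
    plan: str
    members: Dict[str, str]  # email -> org role
    invitations: List[Invitation] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)

    def _require(self, actor: str, *roles: str) -> None:
        """Actor must be at least Admin. Assumption not stated on the page: the
        actor must also rank at or above every role they touch, so an Admin
        cannot promote anyone (themselves included) to Owner or remove an Owner."""
        mine = ROLE_RANK.get(self.members.get(actor, ""), 0)
        if mine < ROLE_RANK["admin"]:
            raise PermissionError(f"{actor} lacks Admin on this workspace")
        if any(ROLE_RANK[r] > mine for r in roles):
            raise PermissionError(f"{actor} cannot act on a role above their own")

    def _seat_free(self) -> bool:
        cap = SEAT_LIMITS[self.plan]
        # Only accepted members occupy seats; pending invitations do not.
        return cap is None or len(self.members) < cap

    def _last_owner(self, email: str) -> bool:
        return [e for e, r in self.members.items() if r == "owner"] == [email]

    def _close(self, inv: Invitation, now: datetime, new_state: str) -> None:
        state = inv.current_state(now)
        if state != "pending":
            raise RuntimeError(f"invitation is {state}, not pending")
        inv.state = new_state

    def invite(self, actor: str, email: str, role: str, now: datetime) -> Invitation:
        self._require(actor, role)
        if not self._seat_free():
            raise RuntimeError("seat limit reached; upgrade or remove inactive members")
        inv = Invitation(email, role, now)
        self.invitations.append(inv)
        self.audit.append(f"{actor} invited {email} as {role}")
        return inv

    def accept(self, inv: Invitation, now: datetime) -> None:
        state = inv.current_state(now)
        if state != "pending":
            raise RuntimeError(f"invitation is {state}, not pending")
        # Assumption (the page only says the cap blocks new invites): since
        # pending invites reserve no seat, re-check the cap at acceptance too.
        if not self._seat_free():
            raise RuntimeError("seat limit reached since this invitation was sent")
        inv.state = "accepted"
        self.members[inv.email] = inv.role
        self.audit.append(f"{inv.email} accepted invitation as {inv.role}")

    def decline(self, inv: Invitation, now: datetime) -> None:
        self._close(inv, now, "declined")

    def revoke(self, actor: str, inv: Invitation, now: datetime) -> None:
        self._require(actor)
        self._close(inv, now, "revoked")
        self.audit.append(f"{actor} revoked invitation for {inv.email}")

    def change_role(self, actor: str, target: str, new_role: str) -> None:
        old = self.members[target]
        self._require(actor, old, new_role)
        if self._last_owner(target) and new_role != "owner":
            raise RuntimeError("workspace must keep at least one Owner")
        self.members[target] = new_role
        self.audit.append(f"{actor} changed {target} from {old} to {new_role}")

    def remove(self, actor: str, target: str) -> None:
        self._require(actor, self.members[target])
        if self._last_owner(target):
            raise RuntimeError("workspace must keep at least one Owner")
        del self.members[target]
        # The audit trail keeps the removed member's name; nothing is rewritten.
        self.audit.append(f"{actor} removed {target}")
```

The clock is passed in explicitly rather than read from `datetime.now()` so that expiry and revocation can be tested deterministically; in a real service the same shape lets you replay an audit log against the rules and spot any transition that should have been refused.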
Audit logs Pro+
Pro and above get an audit log of every meaningful action: who created what, who changed a role, who accepted a baseline. Useful for SOC 2 reviews, security investigations, or just figuring out who broke staging at 3am.
View under Settings → Audit Log. Filter by user, action type, severity, and date range.
SSO and SAML Business+
Business and Enterprise plans support SAML SSO with JIT provisioning. Configure under Settings → SSO. See SSO / SAML Setup.
Common questions
Can a Project Owner edit billing?
Only if they're also Org Owner. Project Owner is scoped to one project; billing is org-level.
Why can't I see the Team tab in a project?
Members and Viewers see the team list but can't manage it. Admins and Owners see the management actions.
I want a project where some people can run tests but not edit them.
The current four-role model groups "run tests" and "edit suites" together as Member-level. If you need stricter separation, use SSO group mappings on Enterprise to gate suite-edit privileges.
Related
- Team Management — managing members and seats day-to-day.
- SSO / SAML Setup
- Two-Factor Authentication
- Managing Projects