Role-Based Access Control
Overview
ASD uses role-based access control (RBAC) to manage what users can do within an organisation. Every organisation member has exactly one role, and that role determines their permissions across the platform.
Roles
ASD defines four organisation-level roles:
| Role | Purpose |
|---|---|
| Owner | Full control over the organisation. Can delete the org, manage billing, and transfer ownership. |
| Admin | Day-to-day management. Can invite members, create teams, and manage tunnel configurations. |
| Finance | Billing and subscription management. Can view invoices, manage payment methods, and change plans. |
| Member | Standard access. Can use tunnels, view team resources, and manage their own settings. |
Each organisation has exactly one owner. The owner role cannot be removed, only transferred to another member.
Permission Matrix
| Action | Owner | Admin | Finance | Member |
|---|---|---|---|---|
| View organisation dashboard | Yes | Yes | Yes | Yes |
| Use tunnels | Yes | Yes | No | Yes |
| View team members | Yes | Yes | Yes | Yes |
| Create teams | Yes | Yes | No | No |
| Delete teams | Yes | Yes | No | No |
| Invite members | Yes | Yes | No | No |
| Remove members | Yes | Yes | No | No |
| Change member roles | Yes | Yes | No | No |
| Create API keys | Yes | Yes | Yes | Yes |
| Manage tunnel configs | Yes | Yes | No | No |
| View billing | Yes | Yes | Yes | No |
| Manage subscriptions | Yes | Yes | Yes | No |
| Change org settings | Yes | Yes | No | No |
| Delete organisation | Yes | No | No | No |
| Transfer ownership | Yes | No | No | No |
How Roles Are Assigned
- During onboarding: you automatically become the owner of any organisation you create
- Via invitation: when you invite a new member, you select their role (see Invitations)
- Role changes: owners and admins can change a member's role from the organisation settings
Enforcement
RBAC is enforced at multiple levels:
Database Level
Row Level Security (RLS) policies on every table ensure you can only access data within organisations you belong to. Your role determines which rows you can read and modify.
Application Level
Every dashboard action and API request validates your session and checks your organisation role before proceeding. If you do not have the required role, the request is rejected.
API Key Level
API keys are scoped to the organisation that created them. When you create an API key, it inherits the permissions of your current role.
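The permission matrix, the single-owner rule and the API-key inheritance rule above, as an added reference model (not ASD's own code; the `Organisation` and `ApiKey` shapes, and the outgoing owner becoming an Admin, are assumptions):

```python
# Added illustration of the ASD permission matrix and owner rules on this page.
# Not ASD's own code; the Organisation and ApiKey shapes are assumptions.
ROLES = ("Owner", "Admin", "Finance", "Member")
ALL = set(ROLES)
MANAGERS = {"Owner", "Admin"}

# Action -> roles permitted, transcribed from the permission matrix.
MATRIX = {
    "view_dashboard": ALL,           "use_tunnels": MANAGERS | {"Member"},
    "view_team_members": ALL,        "create_teams": MANAGERS,
    "delete_teams": MANAGERS,        "invite_members": MANAGERS,
    "remove_members": MANAGERS,      "change_member_roles": MANAGERS,
    "create_api_keys": ALL,          "manage_tunnel_configs": MANAGERS,
    "view_billing": MANAGERS | {"Finance"},
    "manage_subscriptions": MANAGERS | {"Finance"},
    "change_org_settings": MANAGERS, "delete_organisation": {"Owner"},
    "transfer_ownership": {"Owner"},
}

def can(role, action):
    """Deny by default: an unknown role or action never passes."""
    return role in MATRIX.get(action, set())

class Organisation:
    def __init__(self, owner):
        self.members = {owner: "Owner"}  # user_id -> role; exactly one Owner

    def remove_member(self, actor, target):
        if not can(self.members.get(actor), "remove_members"):
            raise PermissionError("remove_members denied")
        if self.members.get(target) == "Owner":
            raise PermissionError("owner cannot be removed, only transferred")
        del self.members[target]

    def transfer_ownership(self, actor, target):
        if not can(self.members.get(actor), "transfer_ownership"):
            raise PermissionError("transfer_ownership denied")
        if target not in self.members:
            raise ValueError("ownership can only go to an existing member")
        # Assumption: the outgoing owner stays in the organisation as an Admin.
        self.members[actor], self.members[target] = "Admin", "Owner"

class ApiKey:
    """Scoped to one organisation; carries the creator's role at creation."""
    def __init__(self, org, user):
        if not can(org.members.get(user), "create_api_keys"):
            raise PermissionError("create_api_keys denied")
        self.org, self.role = org, org.members[user]

    def can(self, action):
        return can(self.role, action)
```

Because the key snapshots the creator's role, a key minted by a Finance member can manage subscriptions but never use tunnels, exactly as the matrix row for Finance says.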
Related Guides
- Organisations: organisation model and hierarchy
- Invitations: how roles are assigned during invitation
- Security: authentication and tunnel security