
Members & Roles

Vygl’s RBAC has four roles in a strict hierarchy. Each role is a superset of the next: an owner has every admin permission, an admin has every member permission, and so on.

| Role | Permissions |
| --- | --- |
| Owner | Everything: change org settings, transfer ownership, change other members’ roles (including other owners), delete the org (when supported). |
| Admin | Members management, API keys, integrations, SCM and registry connections, custom rules, organizational memory, settings. Can’t change owner roles. |
| Member | Create projects, run scans, triage findings, comment, read everything. Can’t manage members, API keys, or integrations. |
| Viewer | Read-only. Can browse findings, scans, projects, but can’t triage, comment, or modify anything. |

Roles apply organization-wide — Vygl doesn’t have per-project roles today. A member who can read findings reads all findings in their org. Large orgs needing strict per-team isolation should split into separate organizations.

  1. Open Settings → Members.
  2. Click Invite Member.
  3. Enter the invitee’s email and pick their role.
  4. Click Send Invite.

The invitee receives an email with a link valid for 7 days. Clicking it lands them on a sign-up page (or sign-in page if they already have a Vygl account) and adds them to the org with the chosen role.

From Settings → Members, click the role dropdown next to a member and pick the new role. Owners can change anyone’s role (including other owners). Admins can change member/viewer roles but can’t promote anyone to owner.

The new role takes effect on the user’s next API request — there’s no immediate session invalidation, so an in-flight JWT issued moments before the role change can still be used for up to 15 minutes (the access-token TTL).

From Settings → Members, click the menu next to a member and choose Remove. The user loses org access immediately for new requests. If the member belongs to other organizations, those memberships are unaffected.

API keys have their own permission system — scopes — which is separate from a user’s role. A key can have narrow permissions like scan:write (can submit scans, can’t read findings) regardless of who created it. See API Keys for the scope list.

Every membership change emits an audit event:

  • member.invite — admin sent an invite
  • member.accept — invitee joined the org
  • member.role_change — role was updated
  • member.remove — member was removed

See Audit Log for how to query these.
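The rules above (the strict role hierarchy, who may change or remove whom, the next-request effect of a change, and the audit events) as a small reference model. This is an added example, not Vygl’s code: the action names in REQUIRED_ROLE, the Org store and the rule that only an owner may remove another owner are assumptions.

```python
from enum import IntEnum

class Role(IntEnum):          # strict hierarchy: each role is a superset of the one below it
    VIEWER = 0
    MEMBER = 1
    ADMIN = 2
    OWNER = 3

# Minimum role per action (action names are hypothetical; the mapping follows the table above).
REQUIRED_ROLE = {
    "findings:read": Role.VIEWER,
    "findings:triage": Role.MEMBER,
    "members:manage": Role.ADMIN,
    "org:transfer_ownership": Role.OWNER,
}

class Org:
    def __init__(self, members):
        self.members = members    # user_id -> Role: the authoritative membership store
        self.audit = []           # emitted audit events

def effective_role(org, user_id):
    """Resolve the role from the membership store on every request, not from a cached
    token claim, so a role change or removal applies to the very next request."""
    return org.members.get(user_id)     # None: removed, or never a member

def allowed(org, user_id, action):
    role = effective_role(org, user_id)
    return role is not None and role >= REQUIRED_ROLE[action]

def change_role(org, actor_id, target_id, new_role):
    actor, current = effective_role(org, actor_id), effective_role(org, target_id)
    if actor is None or current is None:
        return False
    # Owners may change anyone (other owners included); admins may neither change an owner nor create one.
    ok = actor == Role.OWNER or (actor == Role.ADMIN and Role.OWNER not in (current, new_role))
    if ok:
        org.members[target_id] = new_role
        org.audit.append(("member.role_change", actor_id, target_id, new_role.name))
    return ok

def remove_member(org, actor_id, target_id):
    actor, current = effective_role(org, actor_id), effective_role(org, target_id)
    if current is None or not allowed(org, actor_id, "members:manage"):
        return False
    if current == Role.OWNER and actor != Role.OWNER:   # assumption: only owners remove owners
        return False
    del org.members[target_id]
    org.audit.append(("member.remove", actor_id, target_id))
    return True
```

Because effective_role reads the store rather than a token claim, a removed user is refused on their next request even while their JWT is still within its 15-minute TTL.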