Authorization
This guide explains what actions each role can perform in Massdriver. Permissions are organized by role, with each role having specific capabilities within the platform.
Role Hierarchy​
Organization Owner (account owner)
└─ Full access to everything in the organization
Organization Admin/Manager
└─ Can manage organization settings and all resources
└─ Automatically has admin access to all projects
Organization Viewer
└─ Can view organization resources
└─ Can only access projects where explicitly granted via groups
Project Admin/Manager
└─ Can manage specific projects and their resources
└─ Granted explicitly via group access
Project Viewer
└─ Can view specific projects and their resources
└─ Granted explicitly via group access
Organization Owner​
The account that owns the organization has full, unrestricted access to all resources and operations within that organization, regardless of other role assignments.
Organization Admin​
Organization Admins can manage the organization and have elevated access to all projects automatically.
Organization Management​
- Integrations
- View, enable, and disable integrations
- Manage AWS Cost and Usage Reports
- Team & Access
- Create, update, and delete groups
- Create and send group invitations
- Delete group invitations
- Add and remove service accounts from groups
- Delete organization members
- Create, deactivate, reactivate, and delete service accounts
- Bundles & Catalog
- Add bundles to catalog
- Manage bundle source code (for private bundles)
- Delete bundles
- Artifact Definitions
- Publish artifact definitions
- Delete artifact definitions
- Projects
- View all projects in the organization (automatic)
- Create new projects
- Full admin access to all projects (see Project Admin section)
- Artifacts & Credentials
- Create artifacts (when not using a deployment context)
- Delete artifacts (imported)
- Update artifacts (imported)
- Assign cloud cost credentials
- Dismiss cloud cost credentials
- Download artifacts
- View and manage container repositories
- Audit & Compliance
- View audit log
- View audit logs
Organization Viewer​
Organization Viewers can view organization resources but have limited management capabilities. They can only access projects where they've been explicitly granted access via groups.
What Organization Viewers Can Do​
View Organization Resources
- View organization details
- View groups
- View service accounts
- View and filter artifacts
- View artifact definitions
- View defaultable environment connection groups
- View repos (OCI repositories)
Bundles & Manifests
- View bundles
- Create manifests from bundles
Artifacts
- View artifacts
- Assign remote references (connect artifacts to packages)
- Disconnect imported resources from artifacts
- View importable resources from artifacts
- Import resources from artifacts
Service Account Management (Limited)
- View service accounts
- Add service accounts to groups (view permission)
- Remove service accounts from groups (view permission)
Project Admin​
Project Admins can manage specific projects and all resources within those projects. There are two ways to become a Project Admin:
- Automatic: Organization Admins automatically have admin access to all projects
- Explicit: Users granted admin access via group permissions
What Project Admins Can Do​
- Project Management
- View project details
- Update project settings
- Delete project
- Environments
- Create environments
- Update environments
- Delete environments
- Deploy environments
- Decommission environments
- Compare environments
- Deploy preview environments
- Decommission preview environments
- Environment Connections
- Create environment connections
- Delete environment connections
- Packages (Infrastructure Resources)
- View packages
- Get packages by naming convention
- Configure packages
- Set package version
- Reset package
- Plan package changes
- Deploy packages
- Decommission packages
- View deployments
- Compare deployments
- Set package secrets
- Unset package secrets
- View metrics and time series data
- Manifests (Canvas Components)
- View manifests
- Create manifests
- Update manifests
- Delete manifests
- Link manifests
- Unlink manifests
- Set manifest position
- Recommend manifest dependencies
- Resource Management
- Import resources
- Disconnect imported resources
- Assign remote references
- Unset remote references
- Project Groups & Access
- Grant group access to project
- Revoke group access from project
- Observability
- View nodes (canvas view)
- View node contexts
- View links (connections between manifests)
- View link contexts
Service Accounts​
Service accounts with project admin access can additionally:
- Manage state (read and write Terraform state)
- Create, update, and delete package alarms
Project Viewer​
Project Viewers can view project resources but cannot make changes. Users become Project Viewers through explicit group access grants.
What Project Viewers Can Do​
- Project Viewing
- View project details
- View organization details (of the project's org)
- Environments
- View environment details
- Compare environments
- View link contexts
- View node contexts
- Packages
- View packages
- Get packages by naming convention
- View deployments
- View deployment logs (streams)
- View metrics and time series data
- Manifests
- View manifests
- Canvas & Visualization
- View nodes
- View node contexts
- View links
- View link contexts
- Receive real-time updates (subscriptions):
- Node created, updated, deleted
- Link created, updated, deleted
- Link context created, updated, deleted
- Node context created, deleted
Special Contexts​
Deployment Context​
When operations are performed by a deployment (infrastructure provisioning), special permissions apply:
- Deployments can:
- View bundle source code for bundles in their organization
- Create artifacts in their organization
- Delete artifacts they created
- Update artifacts in their organization
- Manage state for their own package
- Read state from other packages in the same environment
- Create, update, delete, and view alarms for their own package
- Update their own deployment status
Service Account Context​
Service accounts with appropriate project access can:
- Read and manage state for any package in projects they can manage
- Create, update, delete, and view package alarms in projects they can manage
Key Permission Concepts​
Permission Boundaries​
Permissions are checked at the boundary level:
- Organization boundary: Permissions apply to org-level resources
- Project boundary: Permissions apply to project-level resources and below
- Account boundary: Applies to personal resources like group invitations
Manage vs. View​
- Manage (
manage): Full control including create, update, delete operations - View (
view): Read-only access to resources and their details
Common Scenarios​
"I can't see a project"​
- If you're an Organization Viewer: You need to be added to a group that has access to the project
- If you're an Organization Admin: You should be able to see all projects automatically
"I can't deploy infrastructure"​
- You need Project Admin permissions to deploy packages
- Organization Viewers cannot deploy even if they can view the project
"I can't create a project"​
- You need Organization Admin permissions to create projects
- Organization Viewers cannot create projects
"I can't see audit logs"​
- Only Organization Admins can view audit logs
- This is a compliance and security feature
"A deployment failed with unauthorized"​
- Check that the service account used has appropriate project access
- Ensure the deployment context matches the resource being accessed
- Deployments can only manage their own package's state