Authorization

This documentation provides an overview of the roles within Massdriver and the corresponding permissions for each role regarding GraphQL operations.

Roles

Organization Viewer

All organization members are granted the "organization viewer" role, which allows them to perform the following GraphQL operations:

  • acceptGroupInvitation
  • addServiceAccountToGroup
  • applicationBundleTemplates
  • artifactDefinition
  • artifactDefinitions
  • artifact
  • artifacts
  • cloudDnsZones
  • cloud
  • compareEnvironments
  • containerRepositories
  • containerRepository
  • createApplicationBundle
  • defaultableEnvironmentConnectionGroups
  • dnsZones
  • environment
  • filterArtifactsByType
  • getPackageByNamingConvention
  • group
  • groups
  • importableResources
  • instanceTypes
  • manifest
  • metricTimeSeries
  • organization
  • package
  • project
  • projects

Organization Admin

In addition to the organization viewer permissions, an "organization admin" can perform:

  • addServiceAccountToGroup
  • artifactDefinition
  • auditLogs
  • billingSubscription
  • bundle
  • connectDnsZone
  • createArtifact
  • createDnsZone
  • createEnvironmentConnection
  • createGroupInvitation
  • createGroup
  • createManifest
  • createSubscriptionManagementSession
  • deactivateServiceAccount
  • deleteArtifact
  • deleteBundle
  • deleteGroupInvitation
  • deleteGroupMembership
  • deleteGroup
  • deleteOrganizationMember
  • deleteServiceAccount
  • disconnectDnsZone
  • grantGroupAccess
  • publishArtifactDefinition
  • publishBundle
  • reactivateServiceAccount
  • removeServiceAccountFromGroup
  • serviceAccounts
  • updateGroup

Project Viewer

The "project viewer" role grants access to the following project-related GraphQL operations:

  • assignRemoteReference
  • compareDeployments
  • deployPreviewEnvironment
  • deployment
  • deployments
  • environment
  • disconnectImportedResources
  • downloadArtifact
  • getPackageByNamingConvention
  • grantGroupAccess
  • importResources
  • importableResources
  • instanceTypes
  • manifest
  • metricTimeSeries
  • package
  • watchMetric

Project Admin

In addition to the project viewer permissions, a "project admin" can perform:

  • assignRemoteReference
  • configurePackage
  • createEnvironmentConnection
  • createEnvironment
  • createImportableManifest
  • createManifest
  • createProject
  • createServiceAccount
  • createWatchedMetricPackageAlarm
  • decommissionPackage
  • decommissionPreviewEnvironment
  • deleteEnvironmentConnection
  • deleteEnvironment
  • deleteManifest
  • deleteProject
  • deleteWatchedMetricPackageAlarm
  • deployPackage
  • disconnectImportedResources
  • linkManifests
  • setDefaultSecretForPreviewEnvironments
  • setManifestPosition
  • setPackageSecret
  • unsetDefaultSecretForPreviewEnvironments
  • unsetPackageSecret
  • unlinkManifests
  • unsetRemoteReference
  • unwatchMetric
  • updateArtifact
  • updateEnvironment
  • updateManifest
  • updateProject
  • watchMetricAndCreatePackageAlarm

Authorization Rule Details

All resources in Massdriver roll up to either an organization or a project boundary. Whether a user may perform a given GraphQL operation depends on which boundary the target resource belongs to and on the role the user holds within that boundary.