Permissions & RBAC

Bizon Platform uses role-based access control (RBAC) with support for domain-level permission overrides.

Roles

Four organization-level roles from highest to lowest privilege:

Role	Description
Owner	Full access, can transfer ownership, cannot be removed
Admin	Full access except ownership transfer
Member	Create/edit pipelines and connectors
Viewer	Read-only access to all resources

Permission Matrix

Permission	Owner	Admin	Member	Viewer
View pipelines	Yes	Yes	Yes	Yes
Create pipelines	Yes	Yes	Yes	No
Edit pipelines	Yes	Yes	Yes	No
Delete pipelines	Yes	Yes	No	No
Run pipelines	Yes	Yes	Yes	No
Manage connectors	Yes	Yes	Yes	No
Create domains	Yes	Yes	No	No
Invite users	Yes	Yes	No	No
Manage roles	Yes	Yes	No	No
Manage API keys	Yes	Yes	No	No
Delete organization	Yes	No	No	No

Assigning Roles

When Inviting

Set role during invitation:

{
  "email": "user@example.com",
  "role": "member"
}

Changing Roles

Update an existing member’s role:

UI

Settings > Members > Click member > Change role

API

curl -X PUT http://localhost:8000/api/users/{id}/role \
  -H "Authorization: Bearer $TOKEN" \
  -d '{"role": "admin"}'

Rules:

• Cannot assign owner role (use ownership transfer)
• Admins cannot change other admins’ roles
• Cannot demote the owner

Domain Role Overrides

Grant elevated permissions within specific domains without changing org-level role.

Use Case

A viewer who needs member access to the Marketing domain:

Org Role: viewer (read-only everywhere)
Domain Override: member in Marketing (can create/edit there)

Creating Overrides

UI

Settings > Members > Select user > Domain Permissions > Add Override

API

curl -X POST http://localhost:8000/api/users/{id}/domain-roles \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "domain_id": "marketing-uuid",
    "role": "admin"
  }'

Override Rules

1. Elevation only - Can only elevate, never demote
2. Limited roles - Only admin or member (never owner)
3. Admin restriction - Admins cannot grant admin overrides (only owner can)
4. One per domain - One override per user per domain

Effective Permission

The effective permission is the maximum of:

• Organization role
• Domain role override (if exists)

org_role=viewer + domain_override=member → effective=member (in that domain)
org_role=admin + domain_override=member → effective=admin (override ignored)

Multi-tenancy

Organization Isolation

• All data is scoped to organizations
• Users cannot see other organizations’ data
• Cross-organization access is not possible

Multiple Organizations

Users can belong to multiple organizations:

1. Accept invitation to another org
2. Switch organizations in the UI
3. Tokens are scoped to one org at a time

API Key Permissions

API keys inherit the creator’s permissions:

Creator Role	API Key Access
Owner	Full access
Admin	Full access (except ownership)
Member	Create/edit resources
Viewer	Read-only

Permission Checks

Endpoints use permission guards:

@router.post("/pipelines")
async def create_pipeline(
    org_ctx: OrgContext = Depends(require_permission(Permission.PIPELINES_WRITE))
):
    # Only executes if user has PIPELINES_WRITE permission
    ...

Troubleshooting

”Forbidden” Errors

1. Check role - Verify your org-level role
2. Check domain - For domain resources, check override
3. Check resource - Ensure resource belongs to your org

Cannot Change Role

• You cannot change your own role
• Admins cannot modify other admins
• Owner role requires ownership transfer

Missing Permissions

Contact your organization owner or admin to:

• Upgrade your role
• Add domain-specific overrides