Roles and permissions

As a quick recap, access control and management in OrgFlow is based on the following concepts:

  • All customer data is contained in workspaces
  • Users sign in using individual user accounts which contains credentials and profile settings
  • A user can be a member of zero or more workspaces, and a workspace can have zero or more members
  • A workspace always has exactly one owner user, and a user can be an owner of zero or more workspaces
  • Each member of a workspace has a role in that workspace
  • There is a fixed set of predefined roles, each with a distinct set of permissions
  • Each permission allows the member to carry out certain operations in the workspace
  • The same user can have different roles and permissions in different workspaces (since they are separate members)

For more in-depth information about users and members in workspaces, see users and members.

Built-in roles

The following built-in roles are available in OrgFlow:

RoleSummary
ReaderCan view everything in the workspace (except secrets), and start jobs that don't mutate any state
OperatorCan also create new objects, and do anything with own objects (including delete)
ContributorCan also do anything with others' objects (except delete)
AdministratorCan also delete others' objects, and manage members and invitations

Roles in the list are ordered by level of access, from lowest to highest. Each role implies the permissions of the ones before it.

Permissions

The following table shows all permissions in OrgFlow and which roles include them:

PermissionReaderOperatorContributorAdministrator
Read workspace
Update workspace
Change workspace owner
Delete workspace
Read CLI access key
Create new invitation
Extend invitation
Read invitation token
Delete invitation
Manage role assignments
Remove member
Read billing information
Create new stack
Initialize any stack
Initialize own stack
Update any stack
Update own stack
Delete any stack
Delete own stack
Read encryption key for any stack
Read encryption key for own stack
Create new environment
Use existing Git branch when creating new environment
Use existing Salesforce org when creating new environment
Update any environment
Update own environment
Run Apex tests in any environment
Run Apex tests in own environment
Push commits to any environment's Git branch
Push commits to own environment's Git branch
Force push to any environment's Git branch
Force push to own environment's Git branch
Deploy to any environment's Salesforce org
Deploy to own environment's Salesforce org
Merge into any environment
Merge into own environment
Delete any environment
Delete any environment's Git branch
Delete any environment's Salesforce org
Delete own environment
Create schedule
Update any schedule
Update own schedule
Delete any schedule
Delete own schedule
Start job
Subscribe to job progress data
Cancel any job
Cancel own job
Download any artifact in any job
Download any artifact in own job
Download output artifact in any job
Download output artifact in own job
Delete artifact in any job
Delete artifact in own job
Answer inquiry in any job
Answer inquiry in own job
Modify merge conflict in any job
Modify merge conflict in own job

Owner permissions

A workspace owner automatically has all permissions for that workspace.

© 2021-2025 All rights reserved. OrgFlow® is a registered trademark in the European Union.