Roles and Permissions
Configure RBAC with default roles, custom roles, and granular permission management.
oCore uses Role-Based Access Control (RBAC) to manage permissions across your organization. Every member is assigned a role, and each role has a set of permissions that control what the member can do. oCore provides four built-in system roles and supports creating custom roles for fine-grained access control.
Roles Management
View and manage roles and permissions for your organization.
Default Roles
Every organization starts with four system roles that cannot be deleted:
| Role | Description | Typical Use |
|---|---|---|
| Owner | Full access to everything, including destructive operations | Organization creator, primary administrator |
| Admin | Manage teams, roles, servers, and platform settings | IT administrators, DevOps leads |
| Developer | Manage instances, projects, deployments, and environments | Developers, Odoo consultants |
| Viewer | Read-only access to all resources | Stakeholders, auditors, clients |
Owner Role
The Owner has all permissions and is the only role that can:
- Delete the organization
- Transfer ownership
- Access disaster recovery exports
System Roles
System roles (Owner, Admin, Developer, Viewer) are created automatically when an organization is set up. Their permissions can be viewed but not modified. For customized permission sets, create a custom role.
Permission Model
How Permissions Work
Each permission is defined by an action and a resource:
- Action -- What operation is being performed: `view` or `manage`
- Resource -- What entity the permission applies to: `servers`, `instances`, `members`, etc.
The manage action always includes view -- if you can manage a resource, you can also view it.
Permission Matrix
| Resource | view | manage | Description |
|---|---|---|---|
| servers | View server list and details | Add, update, delete servers | Infrastructure management |
| instances | View instance list and details | Create, control, delete instances | Instance lifecycle |
| projects | View projects and settings | Create, update, delete projects | Project management |
| environments | View environments, backups, snapshots | Create, deploy, backup, restore | Environment lifecycle |
| deployments | View deployment history | Trigger deployments, rollback | CI/CD pipeline |
| members | View member list | Invite, change roles, remove | Team management |
| roles | View roles and permissions | Create, update, delete custom roles | Access control |
| org_settings | View organization settings | Update settings, DNS config, subscriptions | Platform configuration |
| agency | View agency clients and config | Enable agency mode, manage clients | Agency features |
| templates | View templates | Create, update, delete templates | Instance templates |
| topologies | View topology maps | Create, update, deploy topologies | Infrastructure topology |
| bulk_ops | View bulk operations | Initiate and retry bulk operations | Bulk management |
| api_keys | View API keys | Create, revoke API keys | Programmatic access |
| audit_logs | View audit logs | N/A (audit logs are read-only) | Compliance |
| webhook_endpoints | View webhook endpoints | Create, update, delete endpoints | Event notifications |
| ssh_keys | View SSH keys | Add, remove SSH keys | SSH access |
Default Role Permissions
Owner -- All permissions (view + manage on every resource)
Admin -- All permissions except:
- Cannot delete the organization
- Cannot transfer ownership
Developer:
- `view` + `manage`: servers, instances, projects, environments, deployments, templates
- `view`: members, roles, org_settings, audit_logs
- No access to: agency, bulk_ops (manage), roles (manage), members (manage)
Viewer:
- `view` only on: servers, instances, projects, environments, deployments, members, audit_logs
- No `manage` permissions on any resource
Custom Roles
Create custom roles to define exactly which permissions a group of members should have.
Creating a Custom Role
1. Navigate to Settings > Roles and click Create Role.
2. Enter a name and description for the role (max 50 characters for name).
3. Select the permissions to assign from the available list.
4. Click Create. The role is immediately available for assignment.
```bash
curl -X POST https://ocore.example.com/api/roles \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Deploy Manager",
    "description": "Can deploy code and manage environments",
    "permissionIds": ["PERM_UUID_1", "PERM_UUID_2", "PERM_UUID_3"]
  }'
```

```bash
ocore role create \
  --name "Deploy Manager" \
  --description "Can deploy code and manage environments" \
  --permissions PERM_UUID_1,PERM_UUID_2,PERM_UUID_3
```

Listing Available Permissions
Fetch the complete list of permissions to select from when creating a custom role:
```bash
curl https://ocore.example.com/api/permissions \
  -H "Authorization: Bearer $TOKEN"
```

Each permission includes:
- `id` -- UUID for use in role creation
- `action` -- `view` or `manage`
- `resource` -- The resource name
- `description` -- Human-readable explanation
Updating a Custom Role
```bash
curl -X PUT https://ocore.example.com/api/roles/{roleId} \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Senior Deploy Manager",
    "description": "Updated description",
    "permissionIds": ["PERM_UUID_1", "PERM_UUID_2", "PERM_UUID_3", "PERM_UUID_4"]
  }'
```

Immediate Effect
When you update a role's permissions, all members with that role are affected immediately. Their next API request will be evaluated against the new permission set.
Deleting a Custom Role
```bash
curl -X DELETE https://ocore.example.com/api/roles/{roleId} \
  -H "Authorization: Bearer $TOKEN"
```

Reassign Members First
You cannot delete a role that has members assigned to it. Reassign those members to another role first.
Role Assignment
Assign roles to members during invitation or update them later:
```bash
# During invitation
curl -X POST https://ocore.example.com/api/members/invite \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "developer@example.com",
    "roleId": "ROLE_UUID"
  }'

# Update existing member's role
curl -X PUT https://ocore.example.com/api/members/{memberId}/role \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"roleId": "NEW_ROLE_UUID"}'
```

See Team Management for detailed member management instructions.
Common Custom Role Patterns
| Role Name | Permissions | Use Case |
|---|---|---|
| Deploy Only | view:projects, manage:deployments, view:environments | CI/CD bot account |
| Project Manager | view:*, manage:projects, manage:members | Non-technical project lead |
| Security Auditor | view:*, view:audit_logs | Compliance reviewer |
| Instance Manager | manage:instances, manage:servers, view:projects | Operations team |
| Client Viewer | view:instances, view:environments | Client stakeholder |
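The patterns above are written as `action:resource` names, while the role endpoints take `permissionIds`. The helper below, an added example and not part of oCore's own tooling, resolves those names (including the `view:*` wildcard) against the permissions list and builds the request body for the create and update calls. It assumes `GET /api/permissions` returns a JSON array of objects with the `id`, `action`, `resource` and `description` fields described earlier; the sample list is constructed and its UUIDs are placeholders.

```python
import json

# Constructed sample of what GET /api/permissions is assumed to return:
# one object per (action, resource) pair; the UUIDs are placeholders.
SAMPLE_PERMISSIONS = [
    {"id": "00000000-0000-4000-8000-000000000001", "action": "view",
     "resource": "projects", "description": "View projects and settings"},
    {"id": "00000000-0000-4000-8000-000000000002", "action": "manage",
     "resource": "projects", "description": "Create, update, delete projects"},
    {"id": "00000000-0000-4000-8000-000000000003", "action": "view",
     "resource": "environments", "description": "View environments, backups, snapshots"},
    {"id": "00000000-0000-4000-8000-000000000004", "action": "manage",
     "resource": "deployments", "description": "Trigger deployments, rollback"},
    {"id": "00000000-0000-4000-8000-000000000005", "action": "view",
     "resource": "audit_logs", "description": "View audit logs"},
]

def resolve_permission_ids(permissions, wanted):
    """Map 'action:resource' names ('view:*' / 'manage:*' wildcards allowed) to ids.
    Unknown or malformed names raise, so a typo cannot silently change a role's scope."""
    by_name = {f"{p['action']}:{p['resource']}": p["id"] for p in permissions}
    ids = []
    for name in wanted:
        action, _, resource = name.partition(":")
        if action not in ("view", "manage") or not resource:
            raise ValueError(f"malformed permission name: {name!r}")
        if resource == "*":
            matches = [p["id"] for p in permissions if p["action"] == action]
        elif name in by_name:
            matches = [by_name[name]]
        else:
            raise ValueError(f"unknown permission: {name!r}")
        for pid in matches:
            if pid not in ids:  # keep first-seen order, drop duplicates
                ids.append(pid)
    return ids

def build_role_payload(permissions, name, description, wanted):
    """Request body for POST /api/roles or PUT /api/roles/{roleId}."""
    if len(name) > 50:  # the UI enforces a 50-character limit on the name
        raise ValueError("role name exceeds 50 characters")
    return {"name": name, "description": description,
            "permissionIds": resolve_permission_ids(permissions, wanted)}

if __name__ == "__main__":
    body = build_role_payload(SAMPLE_PERMISSIONS, "Deploy Only", "CI/CD bot account",
                              ["view:projects", "manage:deployments", "view:environments"])
    print(json.dumps(body, indent=2))  # paste as the -d body of the curl call
```

Failing loudly on an unknown name matters because `permissionIds` is the whole definition of the role: a silently dropped entry yields a role that is narrower or wider than the reviewer approved.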
Per-Project Access
Beyond organization-level roles, oCore supports per-project access control. This allows you to restrict which members can view or manage specific projects, even if their role grants broad permissions.
Project access is checked in addition to role permissions -- a member needs both the role permission and project access to perform an action.
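How the two checks combine, as an added illustration written for this page rather than oCore's own authorization code: a role holds `action:resource` pairs, `manage` implies `view` on the same resource, and a project-scoped request must additionally pass project access. The role sets are constructed to mirror the Viewer and Developer defaults and the Deploy Only pattern; which resources count as project-scoped is an assumption of this example, and the project ids are placeholders.

```python
# Constructed role definitions mirroring the Viewer and Developer defaults
# and the "Deploy Only" pattern from the tables above.
ROLES = {
    "Viewer": {"view:servers", "view:instances", "view:projects", "view:environments",
               "view:deployments", "view:members", "view:audit_logs"},
    "Developer": {"manage:servers", "manage:instances", "manage:projects",
                  "manage:environments", "manage:deployments", "manage:templates",
                  "view:members", "view:roles", "view:org_settings", "view:audit_logs"},
    "Deploy Only": {"view:projects", "manage:deployments", "view:environments"},
}

# Assumption for this example: these resources are the ones gated by per-project
# access; everything else is evaluated at organization level only.
PROJECT_SCOPED = {"projects", "environments", "deployments"}

def role_allows(role_permissions, action, resource):
    """Role check: manage on a resource always includes view on it."""
    if f"{action}:{resource}" in role_permissions:
        return True
    return action == "view" and f"manage:{resource}" in role_permissions

def check_access(role_name, action, resource, project_id=None, project_access=()):
    """Return (allowed, reason). A project-scoped request must pass both the
    role permission and the project access check; the reason names which failed."""
    perms = ROLES.get(role_name)
    if perms is None:
        return False, f"unknown role {role_name!r}"
    if action not in ("view", "manage"):
        return False, f"unknown action {action!r}"
    if not role_allows(perms, action, resource):
        return False, f"role {role_name!r} lacks {action}:{resource}"
    if resource in PROJECT_SCOPED:
        if project_id is None:
            return False, f"{resource} is project-scoped but no project was given"
        if project_id not in project_access:
            return False, f"no access to project {project_id!r}"
    return True, "allowed"

if __name__ == "__main__":
    granted = ("proj-placeholder-1",)  # placeholder project id for a CI/CD bot
    print(check_access("Deploy Only", "manage", "deployments", "proj-placeholder-1", granted))
    print(check_access("Deploy Only", "view", "deployments", "proj-placeholder-2", granted))
    print(check_access("Viewer", "manage", "instances"))
```

The returned reason distinguishes a missing role permission from missing project access, which is the first split to make when a member reports a denied action.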
Required Permissions
| Action | Permission |
|---|---|
| View roles | Any authenticated member |
| View permissions list | manage:roles |
| Create custom roles | manage:roles |
| Update custom roles | manage:roles |
| Delete custom roles | manage:roles |
| Assign roles to members | manage:members |
Troubleshooting
Member cannot perform an action despite having a role
- Check the specific permissions on the member's role -- the role may lack the required permission
- If using per-project access, verify the member has access to the specific project
- Use the permissions list endpoint to verify which permissions exist
- Check the audit log for denied access events
Cannot delete a custom role
- The role may have members assigned. Reassign them first: list members with the role and update each one
- System roles (Owner, Admin, Developer, Viewer) cannot be deleted
Permissions not taking effect
- Permissions take effect on the next API request -- no session refresh needed
- Clear browser cache if the dashboard UI appears outdated
- Verify the role was saved successfully by listing roles: `GET /api/roles`
Too many custom roles
- Consolidate roles with similar permission sets
- Use the permission matrix above to identify overlap
- Document each role's purpose to avoid redundancy