Discover how dbnl manages user permissions through a layered system of organization and namespace roles—like org admin, org reader, namespace admin, writer, and reader.
A user is an individual who can log into a dbnl organization.
Permissions are settings that control access to operations on resources within a dbnl organization. Permissions are made up of two components.
Resource: Defines which resource is being controlled by this permission (e.g. projects, users).
Verb: Defines which operations are being controlled by this permission (e.g. read, write).
For example, the projects.read permission controls access to the read operations on the projects resource. It is required to be able to list and view projects.
A role consists in a set of permissions. Assigning a role to a user gives the user all the permissions associated with the role.
Roles can be assigned at the organization or namespace level. Assigning roles at the namespace level allows for giving users granular access to projects and their related data.
An org role is a role that can be assigned to a user within an organization. Org role permissions apply to resources across all namespaces.
There are two default org roles defined in every organization.
The org admin role has read and write permissions for all org level resources making it possible to perform organization management operations such as creating namespaces and assigning users roles.
By default, the first user in an org is assigned the org admin role.
The org reader role has read-only permissions to org level resources making it possible to navigate the organization by listing users and namespaces.
By default, all users are assigned the org reader role.
To assign a user an org role, go to ☰ > Settings > Admin > Users, scroll to the relevant user and select the an org role from the dropdown in the Org Role column.
Assigning a user an org role requires having the org admin role.
A namespace role is a role that can be assigned to a user within a namespace. Namespace role permissions only apply to resources defined within the namespace in which the role is assigned.
There are three default namespace roles defined in every organization.
The namespace admin role has read and write permissions for all namespace level resources within a namespace making it possible to perform namespace management operations such as assigning users roles within a namespace.
By default, the creator of a namespace is assigned the namespace admin role in that namespace.
The namespace admin role has read and write permissions for all namespace level resources within a namespace except for those resources and operations related to namespace management such as namespace role assignments.
By default, all users are assigned the namespace writer role in the default namespace.
The namespace reader role has read-only permissions for all namespace level resources within a namespace.
This is an experimental role that is available through the API, but is not currently fully supported in the UI.
To assign a user a namespace role within a namespace, go to ☰ > Settings > Admin > Namespaces, scroll and click on the relevant namespace and then click + Add User.
Assigning a user a namespace role requires having the org admin role or the namespace admin role in that namespace.