Draftt uses role-based access control (RBAC) to determine what each user can see and do. Roles are assigned per user and control access to inventory data, governance policies, integrations, and settings.Documentation Index
Fetch the complete documentation index at: https://docs.draftt.io/llms.txt
Use this file to discover all available pages before exploring further.
Built-in Roles
Draftt has three built-in roles covering the access patterns across engineering organizations.| Role | Intended For |
|---|---|
| Admin | Organization administrators and platform leads. Full access to all platform capabilities including governance policies, and user management. |
| Developer | Engineering team members. Full visibility into inventory and governance data. Can create and manage integrations, policies, workflows, notification rules, and custom tags. Cannot modify platform configuration or manage users. |
| Viewer | Stakeholders, compliance reviewers, and observers. Read-only access to inventory and dashboards. No configuration capabilities. |
Permission Matrix
| Category | Capability | Viewer | Developer | Admin |
|---|---|---|---|---|
| Users | View | X | V | V |
| Users | Invite | X | V | V |
| Users | Remove | X | X | V |
| Users | Assign Roles | X | X | V |
| Settings | View | V | V | V |
| Settings | Manage | X | X | V |
| Assets | View | V | V | V |
| Assets | Edit Metadata | X | V | V |
| Upgrade Plans | View | V | V | V |
| Upgrade Plans | Create | X | V | V |
| Upgrade Plans | Acknowledge / Resolve | X | V | V |
| Policy | View | V | V | V |
| Policy | Create | X | V | V |
| Policy | Edit | X | V | V |
| Policy | Delete | X | V | V |
| Automation | View | V | V | V |
| Automation | Create | X | V | V |
| Automation | Edit | X | V | V |
| Automation | Delete | X | V | V |
| Notifications | View | V | V | V |
| Notifications | Create | X | V | V |
| Notifications | Edit | X | V | V |
| Notifications | Delete | X | V | V |
| Integrations | Add | X | V | V |
| Integrations | Configure | X | V | V |
| Integrations | Remove | X | V | V |
| Analytics | View | V | V | V |
| Analytics | Export | V | V | V |
| Ticketing | Create | V | V | V |
| API Keys* | View | X | V | V |
| API Keys* | Create | X | V | V |
| API Keys* | Revoke | X | X | V |
| API Keys* | Delete | X | X | V |
Note: API key creation is restricted to the user’s current role or below. For instance, a Developer can generate Developer-level keys but lacks the authorization to create Admin-level keys.
Assigning Roles
Manual Assignment
Go to Settings > User Management > Users. Find the user and select a role from the dropdown. Role changes take effect immediately. Active sessions are not interrupted but the new permissions apply on the user’s next action.Via SCIM Group Mapping
When SCIM Provisioning is configured, roles are assigned automatically based on IdP group membership. See the SCIM documentation for group mapping configuration.Via SSO JIT
Users provisioned via Just-in-Time SSO receive the default role configured in Account Settings > Configure SSO > JIT Configuration. This is typicallyDeveloper or Viewer. Admins can update the role after provisioning.
User Scope
A user’s Scope is derived from CMDB records and IDP catalog data, defining exactly which resources they can access. While a Role governs the actions a user can perform within Draftt, the Scope establishes the boundaries of the resources they are permitted to manage.Next Steps
- Configure SCIM Provisioning to automate role assignment from your IdP
- Set SSO defaults for JIT-provisioned users