Draftt uses role-based access control (RBAC) to determine what each user can see and do. Roles are assigned per user and control access to inventory data, governance policies, integrations, and settings.
Built-in Roles
Draftt has three built-in roles covering the access patterns across engineering organizations.
| Role | Intended For |
|---|---|
| Admin | Organization administrators and platform leads. Full access to all platform capabilities including integrations, governance policies, and user management. |
| Developer | Engineering team members. Full visibility into inventory and governance data. Can create and manage policies, workflows, notification rules, and custom tags. Cannot modify platform configuration or manage users. |
| Viewer | Stakeholders, compliance reviewers, and observers. Read-only access to inventory and dashboards. No configuration capabilities. |
Permission Matrix
| Capability | Admin | Developer | Viewer |
|---|---|---|---|
| View inventory | ✓ | ✓ | ✓ |
| Run DrafttQL queries | ✓ | ✓ | ✓ |
| Export inventory data | ✓ | ✓ | ✓ |
| View governance policies | ✓ | ✓ | ✓ |
| Create / edit / delete policies | ✓ | ✓ | ✗ |
| Create / edit / delete workflows | ✓ | ✓ | ✗ |
| Create / edit / delete notification rules | ✓ | ✓ | ✗ |
| Create / edit / delete custom tags | ✓ | ✓ | ✗ |
| Create tickets | ✓ | ✓ | ✗ |
| Add / remove integrations | ✓ | ✗ | ✗ |
| View compliance posture | ✓ | ✓ | ✓ |
| Manage users | ✓ | ✗ | ✗ |
| Configure SSO / SCIM | ✓ | ✗ | ✗ |
| Manage API keys | ✓ | ✓ | ✓ |
Users can only generate API keys scoped to their own role. A Developer can create Developer-scoped keys but not Admin-scoped keys.
Assigning Roles
Manual Assignment
Go to Settings > User Management > Users. Find the user and select a role from the dropdown. Role changes take effect immediately. Active sessions are not interrupted, but the new permissions apply on the user’s next action.
Via SCIM Group Mapping
When SCIM Provisioning is configured, roles are assigned automatically based on IdP group membership. See the SCIM documentation for group mapping configuration.
Via SSO JIT
Users provisioned via Just-in-Time SSO receive the default role configured in Account Settings > Configure SSO > JIT Configuration. This is typically Developer or Viewer. Admins can update the role after provisioning.
User Scope
A user’s Scope is derived from CMDB records and IDP catalog data, defining exactly which resources they can access. While a Role governs the actions a user can perform within Draftt, the Scope establishes the boundaries of the resources they are permitted to manage.
Next Steps
- Configure SCIM Provisioning to automate role assignment from your IdP
- Set SSO defaults for JIT-provisioned users