> ## Documentation Index
> Fetch the complete documentation index at: https://docs.draftt.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Roles & Permissions

Draftt uses role-based access control (RBAC) to determine what each user can see and do. Roles are assigned per user and control access to inventory data, governance policies, integrations, and settings.

## Built-in Roles

Draftt has three built-in roles covering the access patterns across engineering organizations.

| Role          | Intended For                                                                                                                                                                                                           |
| ------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Admin**     | Organization administrators and platform leads. Full access to all platform capabilities including governance policies, and user management.                                                                           |
| **Developer** | Engineering team members. Full visibility into inventory and governance data. Can create and manage integrations, policies, notification rules, and custom tags. Cannot modify platform configuration or manage users. |
| **Viewer**    | Stakeholders, compliance reviewers, and observers. Read-only access to inventory and dashboards. No configuration capabilities.                                                                                        |

## Permission Matrix

| Category          | Capability            | Viewer | Developer | Admin |
| :---------------- | :-------------------- | :----: | :-------: | :---: |
| **Users**         | View                  |    X   |     V     |   V   |
| **Users**         | Invite                |    X   |     X     |   V   |
| **Users**         | Remove                |    X   |     X     |   V   |
| **Users**         | Assign Roles          |    X   |     X     |   V   |
| **Settings**      | View                  |    V   |     V     |   V   |
| **Settings**      | Manage                |    X   |     X     |   V   |
| **Assets**        | View                  |    V   |     V     |   V   |
| **Assets**        | Edit Metadata         |    X   |     V     |   V   |
| **Upgrade Plans** | View                  |    V   |     V     |   V   |
| **Upgrade Plans** | Create                |    X   |     V     |   V   |
| **Upgrade Plans** | Acknowledge / Resolve |    X   |     V     |   V   |
| **Policy**        | View                  |    V   |     V     |   V   |
| **Policy**        | Create                |    X   |     V     |   V   |
| **Policy**        | Edit                  |    X   |     V     |   V   |
| **Policy**        | Delete                |    X   |     V     |   V   |
| **Notifications** | View                  |    V   |     V     |   V   |
| **Notifications** | Create                |    X   |     V     |   V   |
| **Notifications** | Edit                  |    X   |     V     |   V   |
| **Notifications** | Delete                |    X   |     V     |   V   |
| **Integrations**  | Add                   |    X   |     V     |   V   |
| **Integrations**  | Configure             |    X   |     V     |   V   |
| **Integrations**  | Remove                |    X   |     V     |   V   |
| **Analytics**     | View                  |    V   |     V     |   V   |
| **Analytics**     | Export                |    V   |     V     |   V   |
| **Ticketing**     | Create                |    V   |     V     |   V   |
| **API Keys\***    | View                  |    X   |     V     |   V   |
| **API Keys\***    | Create                |    X   |     V     |   V   |
| **API Keys\***    | Revoke                |    X   |     X     |   V   |
| **API Keys\***    | Delete                |    X   |     X     |   V   |

***

> **Note:** API key creation is restricted to the user's current role or below. For instance, a Developer can generate Developer-level keys but lacks the authorization to create Admin-level keys.

## Assigning Roles

### Manual Assignment

Go to **Settings > User Management > Users**. Find the user and select a role from the dropdown. Role changes take effect immediately. Active sessions are not interrupted but the new permissions apply on the user's next action.

### Via SCIM Group Mapping

When [SCIM Provisioning](/scim) is configured, roles are assigned automatically based on IdP group membership. See the [SCIM documentation](/scim) for group mapping configuration.

### Via SSO JIT

Users provisioned via Just-in-Time SSO receive the default role configured in **Account Settings > Configure SSO > JIT Configuration**. This is typically `Developer` or `Viewer`. Admins can update the role after provisioning.

## User Scope

A user's Scope is derived from CMDB records and IDP catalog data, defining exactly which resources they can access. While a Role governs the actions a user can perform within Draftt, the Scope establishes the boundaries of the resources they are permitted to manage.

## Next Steps

* Configure [SCIM Provisioning](/scim) to automate role assignment from your IdP
* Set [SSO](/sso) defaults for JIT-provisioned users
