
Roles & Permissions

Manage who can administer your Keycard organization and zones

Keycard uses role-based access control (RBAC) to manage who can administer Keycard. Roles apply at two levels:

  1. Organization roles control who can manage your organization.
  2. Custom zone roles control who can manage a specific custom zone.

Only members of your organization hold these roles. People who sign in to a custom zone to use its applications are not organization members and have no management access.


Every member of your organization has one organization role.

  • Admin: Full access to the organization and everything in it
  • Viewer: Read-only access to the organization

Admins have full control of the organization:

  • Manage organization settings
  • Configure SSO
  • Invite and remove members
  • Change member roles
  • Create, update, and delete zones
  • Create and manage service accounts
  • Configure applications, resources, and providers
  • View audit logs

Viewers have read-only access to the organization:

  • View settings, members, and service accounts
  • View applications, resources, and providers
  • View sessions, users, and audit logs
  • Cannot create, modify, or delete anything

Custom zones have their own users and identity provider. To let an organization member manage a custom zone, an Admin assigns them a zone role.

  • Manager: Full access to the custom zone and everything in it
  • Viewer: Read-only access to the custom zone

  1. Open the People page. Click People in the sidebar.
  2. Create an invitation. Click Invite.
  3. Enter email and role. Enter the email address(es) and choose a role (Viewer by default).
  4. Send the invitation. Click Add people. They receive an email invitation.

Image: Add people dialog with email field and role selector

Open a member’s Manage access drawer to change their organization role or their access to a specific zone.

  1. Open the People page.
  2. Find the member and click Manage access to open their drawer.
  3. Under Organization role, choose Admin or Viewer.
  4. Under Zone access, choose No access, Manager, or Viewer for each zone.

Image: Manage access drawer showing organization role and per-zone access

Use least privilege

Give people the Viewer role unless they need to manage Keycard. Reserve Admin for the people who configure SSO, members, and policy.

Use service accounts for automation

For CI/CD pipelines and automated workflows, use service accounts instead of personal credentials.

Regularly audit access

Review your members and their roles periodically. Remove people who no longer need access.