Roles & Permissions
Manage access control for your organization and zones
Keycard uses role-based access control (RBAC) to manage what users can do within your organization. Access is controlled at two levels:
- Organization roles - Control access to organization-wide settings and resources
- Zone roles - Control access to specific zones and their resources
Organization Roles
Organization roles determine what a user can do at the organization level. Every user in an organization has exactly one organization role.
| Role | Description |
| --- | --- |
| Organization Administrator | Full access to organization settings, members, and all zones |
| Organization Viewer | Read-only access to organization information; can only access zones where assigned a role |
| Organization Member | No organization-level access; can only access zones where assigned a role |
Organization Administrator
Organization Administrators have full control over the organization:
- Manage organization settings
- Invite and remove members
- Change member roles
- Create, update, and delete zones
- Create and manage service accounts
- View audit logs
- Full access to all zones (implicitly)
Organization Viewer
Organization Viewers have read-only access to organization-level information:
- View organization information (settings, members, service accounts)
- Can only view zones to which they have been granted explicit access
- Cannot modify any organization-level entities
Organization Member
Organization Members have no organization-level access:
- Cannot view organization information (settings, members, service accounts)
- Can only view zones to which they have been granted explicit access
Zone Roles
Zone roles control access to resources within a specific zone. Users can have different roles in different zones, allowing fine-grained access control.
| Role | Access |
| --- | --- |
| Zone Manager | Full access to create, read, update, and delete all entities in the zone |
| Zone Viewer | Read-only access to view all entities in the zone |
| No Access | Cannot access the zone (default for Organization Viewers and Organization Members) |
Zone Manager
Zone Managers have full control over zone resources:
- Create, update, and delete applications
- Manage application credentials and dependencies
- Create, update, and delete resources
- Configure providers
- View sessions and user activity
- Manage zone users (add and remove users, revoke grants and sessions)
Zone Viewer
Zone Viewers have read-only access:
- View applications and their configurations
- View resources and providers
- View sessions and user activity
- Cannot create, modify, or delete any entities
Permissions Summary
Organization-Level Entities
Organization-level entities include:
- Organization settings - Name and configuration
- SSO settings - Single sign-on configuration
- Members and invitations - Console user management
- Service accounts - API credentials for automation
- Zones - Create and manage zones
- Audit logs - Activity and security events
| Role | Access |
| --- | --- |
| Organization Administrator | Full access (including audit logs) |
| Organization Viewer | View-only (excluding audit logs) |
| Organization Member | No access |
Zone-Level Entities
Zone-level entities include:
- Zone settings - Configuration
- Applications - OAuth clients, credentials, and dependencies
- Resources - External APIs and services
- Providers - Credential providers for resources and applications
- Sessions and users - Authentication activity
| Role | Access |
| --- | --- |
| Zone Manager | Full access |
| Zone Viewer | View-only |
| No Access | No access |
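To make the resolution rules in the two summary tables above concrete, here is an added Python model of the Keycard permission scheme as this page describes it. It is illustrative code written for this page, not Keycard's own implementation or API; the `User` record, the `effective_zone_role` resolver and the sample users are assumptions constructed for the example. It encodes the three facts a reviewer most often gets wrong: an Organization Administrator is a Zone Manager in every zone implicitly, audit logs are excluded from the Organization Viewer's read-only access, and a zone with no explicit assignment resolves to No Access.

```python
from dataclasses import dataclass, field
from enum import Enum


class OrgRole(Enum):
    """Organization roles from the page; every user holds exactly one."""
    ADMINISTRATOR = "Organization Administrator"
    VIEWER = "Organization Viewer"
    MEMBER = "Organization Member"


class ZoneRole(Enum):
    """Zone roles from the page; 'No Access' is the default."""
    MANAGER = "Zone Manager"
    VIEWER = "Zone Viewer"
    NO_ACCESS = "No Access"


@dataclass
class User:
    """Hypothetical user record: one org role plus explicit per-zone roles."""
    email: str
    org_role: OrgRole
    zone_roles: dict[str, ZoneRole] = field(default_factory=dict)


def effective_zone_role(user: User, zone: str) -> ZoneRole:
    """Resolve the role a user actually has in a zone.

    Organization Administrators have full access to all zones implicitly,
    so their effective role is Zone Manager everywhere. Everyone else gets
    only what was explicitly assigned, defaulting to No Access.
    """
    if user.org_role is OrgRole.ADMINISTRATOR:
        return ZoneRole.MANAGER
    return user.zone_roles.get(zone, ZoneRole.NO_ACCESS)


def can_read_org(user: User) -> bool:
    """Settings, members and service accounts are visible to Administrators
    and Viewers; Members have no organization-level access at all."""
    return user.org_role in (OrgRole.ADMINISTRATOR, OrgRole.VIEWER)


def can_write_org(user: User) -> bool:
    """Only Administrators may change organization-level entities."""
    return user.org_role is OrgRole.ADMINISTRATOR


def can_view_audit_logs(user: User) -> bool:
    """Audit logs are explicitly excluded from the Viewer's read-only access."""
    return user.org_role is OrgRole.ADMINISTRATOR


def can_read_zone(user: User, zone: str) -> bool:
    return effective_zone_role(user, zone) in (ZoneRole.MANAGER, ZoneRole.VIEWER)


def can_write_zone(user: User, zone: str) -> bool:
    return effective_zone_role(user, zone) is ZoneRole.MANAGER


def access_report(users: list[User], zones: list[str]) -> dict[str, dict[str, str]]:
    """Effective zone role per user, the view a periodic access review needs.
    Implicit Administrator access shows up here as Zone Manager in every zone."""
    return {u.email: {z: effective_zone_role(u, z).value for z in zones}
            for u in users}


# Constructed sample data (not real accounts): the production/staging split
# recommended in Best Practices below.
ZONES = ["production", "staging"]
SAMPLE_USERS = [
    User("admin@example.com", OrgRole.ADMINISTRATOR),
    User("auditor@example.com", OrgRole.VIEWER, {"production": ZoneRole.VIEWER}),
    User("dev@example.com", OrgRole.MEMBER,
         {"staging": ZoneRole.MANAGER, "production": ZoneRole.VIEWER}),
]

if __name__ == "__main__":
    for email, per_zone in access_report(SAMPLE_USERS, ZONES).items():
        print(email, per_zone)
```

The `dev@example.com` record is the least-privilege shape the page recommends: an Organization Member with Zone Manager on staging and only Zone Viewer on production, so `can_write_zone` is true for staging and false for production while `can_read_org` is false throughout.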
Managing Member Roles
Inviting Members
When inviting new members to your organization, you assign their organization role:
1. Navigate to Members: click the organization dropdown and select Members.
2. Add Member: click the Add member button.
3. Enter Email and Role: enter the email address(es) and select an organization role:
   - Organization Administrator - Full access to organization and all zones
   - Organization Viewer - Read-only access to organization information; can only access zones where assigned a role
   - Organization Member - No org access; can only access zones where assigned a role
4. Send Invitation: click Add members. The member(s) will receive an email invitation.
Changing Organization Roles
To change a member’s organization role:
- Navigate to Members in your organization settings
- Find the member in the list
- Click on their current role to open the role dropdown
- Select the new role
Assigning Zone Access
To grant an Organization Member access to a zone:
1. Select Member: navigate to Members and click on the member you want to modify.
2. View Zone Access: in the member details panel, you’ll see a list of zones with their current access level.
3. Assign Zone Role: for each zone, select the appropriate role:
   - Zone Manager - Full access to the zone
   - Zone Viewer - Read-only access
Best Practices
Use least privilege
Assign the minimum role required for each user’s responsibilities. Start with Organization Member + specific zone access rather than Organization Administrator.
Separate environments with zones
Use different zones for production, staging, and development. Grant developers Zone Manager access to staging/dev zones but only Zone Viewer access to production.
Use service accounts for automation
For CI/CD pipelines and automated workflows, use service accounts instead of user credentials.
Regularly audit access
Review organization members and their zone access periodically. Remove access for users who no longer need it.