Role-Based Access Control

Role-Based Access Control (RBAC) is a way to enforce security in the Viam app by assigning organization members roles that confer permissions. Users can have access to different fleet management capabilities depending on whether they are an owner or an operator of a given organization, location, or machine.

For more detailed information on the permissions each role confers for different resources, see Permissions.

Change a user’s access

If you have the Owner role, you can invite new users and change the roles assigned to an organization member on a per machine, location, or organization level.

To view the roles each organization member has, click on the organization dropdown in the top navigation bar and click on Settings.

Organization page

Limit access

To limit the access of a user, first open the access settings for the user by clicking on the user. Then either change the role of the user from owner to operator with the dropdown or click on Limit access and change the resource the user has access.

You can also remove the user by clicking on Remove user.

The user invitation menu on the Organization settings page.

For more information on the permissions the roles assign for each resource, see Permissions.

Grant additional access

To grant additional access to a user, first open the access settings for the user by clicking on the user. Then either change the role of the user from operator to owner with the dropdown or click on Grant additional access and change the resource the user has access.

The user invitation menu on the Organization settings page.

For more information on the permissions the roles assign for each resource, see Permissions.

Use the mobile app

You can also use the Viam mobile app to grant or revoke organization owner or operator access to users on the go. Navigate to your organizations on the mobile app by swiping left to right or clicking on the menu in the top left corner. Click the gear icon associated with the organization where you want to manage access or invite new people.

API keys

API keys grant access to organizations, locations, and machines. If at the organization level, they grant access to all locations and machines contained within that organization. If at the location level, they grant access to all of the machines contained within that location.

To view all API keys in use for your organization and the locations and machines inside it, click on the organization dropdown in the top navigation bar and click on Settings.

View a table with each key, ID, name (if assigned), time created, and entities it provides access to:

API Keys table

In each row, click the copy icon to copy the API key and key ID. Click the duplicate icon to duplicate the API key. Click the trash can icon to delete the API key.

Add an API key

Click Generate key to generate a new key. Optionally, give the key a name of your choice. Click on the Resource menu and choose what organization, location, or machine you want the key to grant access to. For Role, assign either an Owner or Operator role. See Permissions for information about the privilege each role entails at each resource level.

View an API key’s details

To view the role of an API key and what it grants access to, click on Show details in the key’s row of the key table’s Resources column:

Additional details for a key

Change an API key’s access

To edit an API key, click on Show details in the key’s row of the key table’s Resources column.

To edit the role, click on the dropdown menu next to the role and select Owner or Operator. See Permissions for information about the privilege each role entails at each resource level.

To change the entities it is able to access, click + Grant additional access. Select which organization, location, or machine you want the key to grant access to. Click Choose to confirm your selection.

Permissions

The following sections describe the permissions for each user role when it comes to managing machines, locations, organizations, fragments, and data.

Machines

Permissions for managing machines are as follows:

PermissionsOrg ownerOrg operatorLocation ownerLocation operatorMachine ownerMachine operator
Control the machine from the CONTROL tabYesYesYesYesYesYes
See all tabs (such as CONFIGURE and LOGS)YesNoYesNoYesNo
Edit machine nameYesNoYesNoYesNo
Delete the machineYesNoYesNoYesNo
Add a new partYesNoYesNoYesNo
Edit part nameYesNoYesNoYesNo
Restart the machineYesNoYesNoYesNo
Edit a machine config (including data capture and sync)YesNoYesNoYesNo

Locations

Permissions for managing locations are as follows:

PermissionsOrg ownerOrg operatorLocation ownerLocation operatorMachine ownerMachine operator
Edit location info (rename, delete location)YesNoYes for this and any child locationsNoNoNo
Create a new machineYesNoYes in this and any child locationsNoNoNo
Move the location (to new parent location)YesNoYes, to other locations they have access toNoNoNo
Create a new location in the organizationYesNoNoNoNoNo
Delete locationYesNoYesNoNoNo
Add/remove Viam support team permissionsYesNoYesNoNoNo
Add a shared locationYesNoYesNoNoNo
Remove a shared locationYesNoYesNoNoNo
Use Try Viam from within the org*YesNoNoNoNoNo

If a user has access to a child location but not its parent location, the user cannot see machines in the parent location.

If a user is an owner of an organization with which a location was shared (that is, a secondary organization owner), that user can share the location with other organizations.

*Users can only use Try Viam from within an organization they own because doing so creates a new location in the org.

Organization settings and roles

Only organization owners can edit or delete an organization, or see and edit the organization billing page.

Permissions for managing org settings and user roles are as follows:

PermissionsOrg ownerOrg operatorLocation ownerLocation operatorMachine ownerMachine operator
See billing pageYesNoNoNoNoNo
Get billing-related emailsYesNoNoNoNoNo
Edit org nameYesNoNoNoNoNo
Delete the orgYesNoNoNoNoNo
Leave the orgYesYesYesYesYesYes
See their own roleYesYesYesYesYesYes
See other peoples’ rolesYesYesYes*Yes*Yes*Yes*
See all org members (including email and date joined)YesYesNoNoNoNo
Invite, resend invite, and revoke inviteYesNoYes*NoYes*No
Change someone else’s roleYesNoYes*NoYes*No
Create a new organizationYesYesYesYesYesYes
Delete modulesYesNoNoNoNoNo
Make public modules privateYesNoNoNoNoNo

*For locations/machines they have access to

Fragments

Permissions for managing fragments are as follows:

PermissionsOrg ownerOrg operatorLocation ownerLocation operatorMachine ownerMachine operator
Create a new fragment in the orgYesNoNoNoNoNo
See and use fragments in the orgYesNoYesNoYesNo
Edit and delete fragmentsYesNoNoNoNoNo

Data and machine learning

Permissions for data management and machine learning are as follows:

PermissionsOrg ownerOrg operatorLocation ownerLocation operatorMachine ownerMachine operator
View dataYesYesYes*Yes*Yes**Yes**
See data tagsYesNoOnly tags applied to data they have access toNoOnly tags applied to data they have access toNo
Edit data (add tags, delete info)YesNoYes*NoYes**No
Train modelsYesNoYes on data they have access toNoYes on data they have access toNo
Upload organization models/packagesYesNoYesNoYesNo
View organization models/packagesYesNoYesNoYesNo
Use organization models/packagesYesNoYesNoYesNo
Delete organization models/packagesYesNoNoNoNoNo
Export data with the CLI or the appYesYesYes*Yes*Yes**Yes**
See dataset namesCan see all names in current orgNoCan see all names in current orgNoCan see all names in current orgNo
Click into datasets / load themCan click into dataset and see all data in itNoCan see the data in the dataset that they have permission to accessNoCan see the data in the dataset that they have permission to accessNo
Create new datasetYesNoYesNoYesNo
Rename datasetYesNoNoNoNoNo
Delete datasetYesNoNoNoNoNo
Add images to datasetYesNoCan add images they have permissions onNoCan add images they have permissions onNo
Remove image from datasetYesNoCan remove images in the dataset that they can seeNoCan remove images in the dataset that they can seeNo
Train on datasetYesNoTrains on the portion of the dataset that they have access toNoTrains on the portion of the dataset that they have access toNo

*For data from the location

**For data from the machine

Have questions, or want to meet other people working on robots? Join our Community Discord.

If you notice any issues with the documentation, feel free to file an issue or edit this file.