Role-Based Access Control

Role-Based Access Control (RBAC) is a way to enforce security in the Viam app by assigning roles, which confer permissions, to organization members or API keys. You can assign an owner or an operator role for an organization, location, or machine.

  • Owner: Can see and edit every tab on the machine page and perform equivalent operations from the APIs.
  • Operator: Can see and use only the CONTROL tab and perform equivalent operations from the APIs. Cannot see or edit the CONFIGURE, LOGS, or CONNECT tabs.

The following sections describe the permissions for each user role when it comes to managing machines, locations, organizations, fragments, and data.

Machines

Permissions for managing machines are as follows:

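| Permissions | Org owner | Org operator | Location owner | Location operator | Machine owner | Machine operator |
| --- | --- | --- | --- | --- | --- | --- |
| Control the machine from the CONTROL tab | Yes | Yes | Yes | Yes | Yes | Yes |
| See all tabs (such as CONFIGURE and LOGS) | Yes | No | Yes | No | Yes | No |
| Edit machine name | Yes | No | Yes | No | Yes | No |
| Delete the machine | Yes | No | Yes | No | Yes | No |
| Add a new part | Yes | No | Yes | No | Yes | No |
| Edit part name | Yes | No | Yes | No | Yes | No |
| Restart the machine | Yes | No | Yes | No | Yes | No |
| Edit a machine config (including data capture and sync) | Yes | No | Yes | No | Yes | No |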

Locations

Permissions for managing locations are as follows:

| Permissions | Org owner | Org operator | Location owner | Location operator | Machine owner | Machine operator |
| --- | --- | --- | --- | --- | --- | --- |
| Edit location info (rename, delete location) | Yes | No | Yes for this and any child locations | No | No | No |
| Create a new machine | Yes | No | Yes in this and any child locations | No | No | No |
| Move the location (to new parent location) | Yes | No | Yes, to other locations they have access to | No | No | No |
| Create a new location in the organization | Yes | No | No | No | No | No |
| Delete location | Yes | No | Yes | No | No | No |
| Add/remove Viam support team permissions | Yes | No | Yes | No | No | No |
| Add a shared location | Yes | No | Yes | No | No | No |
| Remove a shared location | Yes | No | Yes | No | No | No |
| Use Try Viam from within the org* | Yes | No | No | No | No | No |

If a user has access to a child location but not its parent location, the user cannot see machines in the parent location.

If a user is an owner of an organization with which a location was shared (that is, a secondary organization owner), that user can share the location with other organizations.

*Users can only use Try Viam from within an organization they own because doing so creates a new location in the org.
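
The scoping rules in the Machines and Locations sections can be modeled as a walk up the organization, location, machine hierarchy. The following is an added example, not Viam's own code; the resource names, principals, and helper functions are constructed, and it assumes that a role granted at one scope applies to everything beneath it and that the strongest applicable grant wins.

```python
# Added illustration; hierarchy, principals and helper names are constructed.
PARENT = {                         # child -> parent (org has no parent)
    "loc-factory": "org-acme",
    "loc-line-1": "loc-factory",   # child location
    "machine-cart": "loc-factory", # machine in the parent location
    "machine-arm": "loc-line-1",   # machine in the child location
}
RANK = {"operator": 1, "owner": 2}
# Minimum role per action, taken from the Machines table.
MACHINE_ACTIONS = {
    "control": "operator",
    "see_all_tabs": "owner",
    "edit_config": "owner",
    "restart": "owner",
    "delete": "owner",
}

def effective_role(grants, resource):
    """Strongest role granted on `resource` or any ancestor scope.

    Grants flow down the hierarchy and never up. Assumption: when several
    grants apply, the strongest one wins.
    """
    best, node = None, resource
    while node is not None:
        role = grants.get(node)
        if role and (best is None or RANK[role] > RANK[best]):
            best = role
        node = PARENT.get(node)
    return best

def can(grants, action, machine):
    """True if the grants allow `action` on `machine`."""
    role = effective_role(grants, machine)
    return role is not None and RANK[role] >= RANK[MACHINE_ACTIONS[action]]

# Constructed principals: scope -> role.
ALICE = {"loc-line-1": "owner"}    # owner of the child location only
BOB = {"org-acme": "operator"}     # operator across the whole org
CAROL = {"machine-arm": "operator"}

if __name__ == "__main__":
    for name, grants in (("alice", ALICE), ("bob", BOB), ("carol", CAROL)):
        for machine in ("machine-arm", "machine-cart"):
            allowed = [a for a in MACHINE_ACTIONS if can(grants, a, machine)]
            print(f"{name:6} {machine:13} {allowed}")
```

In this model, the owner of the child location has no access to the machine in the parent location, which matches the rule that access to a child location does not expose machines in its parent.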

Organization settings and roles

Only organization owners can edit or delete an organization, or see and edit the organization billing page.

Permissions for managing org settings and user roles are as follows:

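| Permissions | Org owner | Org operator | Location owner | Location operator | Machine owner | Machine operator |
| --- | --- | --- | --- | --- | --- | --- |
| See billing page | Yes | No | No | No | No | No |
| Get billing-related emails | Yes | No | No | No | No | No |
| Edit org name | Yes | No | No | No | No | No |
| Delete the org | Yes | No | No | No | No | No |
| Leave the org | Yes | Yes | Yes | Yes | Yes | Yes |
| See their own role | Yes | Yes | Yes | Yes | Yes | Yes |
| See other people’s roles | Yes | Yes | Yes* | Yes* | Yes* | Yes* |
| See all org members (including email and date joined) | Yes | Yes | No | No | No | No |
| Invite, resend invite, and revoke invite | Yes | No | Yes* | No | Yes* | No |
| Change someone else’s role | Yes | No | Yes* | No | Yes* | No |
| Create a new organization | Yes | Yes | Yes | Yes | Yes | Yes |
| Delete modules | Yes | No | No | No | No | No |
| Make public modules private | Yes | No | No | No | No | No |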

*For locations/machines they have access to

Fragments

Permissions for managing fragments are as follows:

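| Permissions | Org owner | Org operator | Location owner | Location operator | Machine owner | Machine operator |
| --- | --- | --- | --- | --- | --- | --- |
| Create a new fragment in the org | Yes | No | No | No | No | No |
| See and use fragments in the org | Yes | No | Yes | No | Yes | No |
| Edit and delete fragments | Yes | No | No | No | No | No |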

Data and machine learning

Permissions for data management and machine learning are as follows:

| Permissions | Org owner | Org operator | Location owner | Location operator | Machine owner | Machine operator |
| --- | --- | --- | --- | --- | --- | --- |
| View data | Yes | Yes | Yes* | Yes* | Yes** | Yes** |
| See data tags | Yes | No | Only tags applied to data they have access to | No | Only tags applied to data they have access to | No |
| Edit data (add tags, delete info) | Yes | No | Yes* | No | Yes** | No |
| Train models | Yes | No | Yes on data they have access to | No | Yes on data they have access to | No |
| Upload organization models/packages | Yes | No | Yes | No | Yes | No |
| View organization models/packages | Yes | No | Yes | No | Yes | No |
| Use organization models/packages | Yes | No | Yes | No | Yes | No |
| Delete organization models/packages | Yes | No | No | No | No | No |
| Export data with the CLI or the app | Yes | Yes | Yes* | Yes* | Yes** | Yes** |
| See dataset names | Can see all names in current org | No | Can see all names in current org | No | Can see all names in current org | No |
| Click into datasets / load them | Can click into dataset and see all data in it | No | Can see the data in the dataset that they have permission to access | No | Can see the data in the dataset that they have permission to access | No |
| Create new dataset | Yes | No | Yes | No | Yes | No |
| Rename dataset | Yes | No | No | No | No | No |
| Delete dataset | Yes | No | No | No | No | No |
| Add images to dataset | Yes | No | Can add images they have permissions on | No | Can add images they have permissions on | No |
| Remove image from dataset | Yes | No | Can remove images in the dataset that they can see | No | Can remove images in the dataset that they can see | No |
| Train on dataset | Yes | No | Trains on the portion of the dataset that they have access to | No | Trains on the portion of the dataset that they have access to | No |

*For data from the location

**For data from the machine