Permissions and Roles
Owner / Admin / Editor / Viewer What the four roles do, resource level visibility, approver list.
Braidrun uses a matrix of "four roles × resource categories" to control who can do what. This page provides a complete comparison table and suggestions for role assignments in several common scenarios.
Four Roles
- Owner — The supreme authority of the team. Manage subscriptions, members, and disbandable teams. A team has only one Owner.
- Admin — Pretty much everything can be done except subscribe/transfer ownership/disband. Suitable for technical leaders/operations.
- Editor — Can create, modify, and execute workflows and schedules; can view all execution history; can use (but not manage) team credentials.
- Viewer — Read-only - see workflow, execution, and audit logs. Cannot edit, cannot execute, cannot view credential values.
Permission Matrix
| Resources/Operations | Owner | Admin | Editor | Viewer |
|---|---|---|---|---|
| Team/Subscription | ||||
| Upgrade/Downgrade Package | ✓ | — | — | — |
| Manage invoices/bills | ✓ | — | — | — |
| Transfer Ownership | ✓ | — | — | — |
| Disband The Team | ✓ | — | — | — |
| Member Management | ||||
| Invite members | ✓ | ✓ | — | — |
| Remove member | ✓ | ✓ | — | — |
| Change Role | ✓ | ✓ | — | — |
| Workflow | ||||
| Create new workflow | ✓ | ✓ | ✓ | — |
| Edit/delete workflow | ✓ | ✓ | ✓ | — |
| View workflow | ✓ | ✓ | ✓ | ✓ |
| Execute workflow (manual) | ✓ | ✓ | ✓ | — |
| Clone from template | ✓ | ✓ | ✓ | — |
| Credentials | ||||
| See list of credentials | ✓ | ✓ | ✓ | — |
| New/Update/Delete Credentials | ✓ | ✓ | — | — |
| Reference credentials in workflow | ✓ | ✓ | ✓ | — |
| Scheduling/Webhooks | ||||
| Create/edit schedule | ✓ | ✓ | ✓ | — |
| Create/edit webhooks | ✓ | ✓ | ✓ | — |
| View schedule/webhook list | ✓ | ✓ | ✓ | ✓ |
| Approval | ||||
| Initiate approval | automatic | automatic | automatic | — |
| Approve requests from others | ✓ | ✓ | Press approvers | — |
| Modules | ||||
| Promote workflow as module | ✓ | ✓ | ✓ | — |
| Delete module | ✓ | ✓ | Only created by yourself | — |
| Execution History/Audit | ||||
| View execution history | ✓ | ✓ | ✓ | ✓ |
| View audit log | ✓ | ✓ | — | — |
| Export execution data | ✓ | ✓ | ✓ | — |
| Settings | ||||
| Change team settings | ✓ | ✓ | — | — |
| Change notification configuration | ✓ | ✓ | — | — |
| Change data retention policy | ✓ | — | — | — |
Special Case of Approvers List
Approvers can be explicitly specified in the manual_approval step - certain account ids or roles. At this time:
- The list is empty - all Admin and above members can approve (default)
- The list contains specific user IDs - only these people can approve (even if they are Editor)
- In the list are roles (such as "role:Admin") - all members holding this role can approve
In other words, approvers are an "overlay" mechanism: they allow non-Admin members to approve specific steps.
Role Suggestions for Typical Scenarios
Scenario 1: 3-Person Engineering Team
- Technical person in charge → Owner
- 2 engineers → Editor
- The technical leader works part-time as an approver
Scenario 2: Hybrid Team (Engineering + Operations + Compliance)
- CTO → Owner
- Engineering leader + Operation and maintenance → Admin (manage credentials and members)
- Engineer + Operation → Editor (build workflows separately, but cannot change the credentials randomly)
- Compliance/Finance → Viewer (only audit, no operation)
- Explicitly add compliance personnel to the approvers list in workflows involving customer data
Scenario 3: Development/Production Teams
- Create two independent teams in Braidrun: my-company-dev / my-company-prod
- All engineers are Editors in dev and Viewers in prod.
- Only SRE is Editor/Admin in prod
- After the workflow is verified to be stable in dev, it will be moved to prod through "Move to Team"
Permission Audit
Every time a role changes, an audit event will be recorded. You can filter event_type: member_role_changed in the "Team Audit Log" to view the history.
Next
- Teams — How to create/invite/transfer
- Manual Approval — In which scenarios does manual_approval match approvers?