Skip to main content
DocsCollaborationPermissions and Roles

Permissions and Roles

Owner / Admin / Editor / Viewer What the four roles do, resource level visibility, approver list.

Braidrun uses a matrix of "four roles × resource categories" to control who can do what. This page provides a complete comparison table and suggestions for role assignments in several common scenarios.

Four Roles

  • Owner — The supreme authority of the team. Manage subscriptions, members, and disbandable teams. A team has only one Owner.
  • Admin — Pretty much everything can be done except subscribe/transfer ownership/disband. Suitable for technical leaders/operations.
  • Editor — Can create, modify, and execute workflows and schedules; can view all execution history; can use (but not manage) team credentials.
  • Viewer — Read-only - see workflow, execution, and audit logs. Cannot edit, cannot execute, cannot view credential values.

Permission Matrix

Resources/OperationsOwnerAdminEditorViewer
Team/Subscription
Upgrade/Downgrade Package
Manage invoices/bills
Transfer Ownership
Disband The Team
Member Management
Invite members
Remove member
Change Role
Workflow
Create new workflow
Edit/delete workflow
View workflow
Execute workflow (manual)
Clone from template
Credentials
See list of credentials
New/Update/Delete Credentials
Reference credentials in workflow
Scheduling/Webhooks
Create/edit schedule
Create/edit webhooks
View schedule/webhook list
Approval
Initiate approvalautomaticautomaticautomatic
Approve requests from othersPress approvers
Modules
Promote workflow as module
Delete moduleOnly created by yourself
Execution History/Audit
View execution history
View audit log
Export execution data
Settings
Change team settings
Change notification configuration
Change data retention policy

Special Case of Approvers List

Approvers can be explicitly specified in the manual_approval step - certain account ids or roles. At this time:

  • The list is empty - all Admin and above members can approve (default)
  • The list contains specific user IDs - only these people can approve (even if they are Editor)
  • In the list are roles (such as "role:Admin") - all members holding this role can approve

In other words, approvers are an "overlay" mechanism: they allow non-Admin members to approve specific steps.

Role Suggestions for Typical Scenarios

Scenario 1: 3-Person Engineering Team

  • Technical person in charge → Owner
  • 2 engineers → Editor
  • The technical leader works part-time as an approver

Scenario 2: Hybrid Team (Engineering + Operations + Compliance)

  • CTO → Owner
  • Engineering leader + Operation and maintenance → Admin (manage credentials and members)
  • Engineer + Operation → Editor (build workflows separately, but cannot change the credentials randomly)
  • Compliance/Finance → Viewer (only audit, no operation)
  • Explicitly add compliance personnel to the approvers list in workflows involving customer data

Scenario 3: Development/Production Teams

  • Create two independent teams in Braidrun: my-company-dev / my-company-prod
  • All engineers are Editors in dev and Viewers in prod.
  • Only SRE is Editor/Admin in prod
  • After the workflow is verified to be stable in dev, it will be moved to prod through "Move to Team"

Permission Audit

Every time a role changes, an audit event will be recorded. You can filter event_type: member_role_changed in the "Team Audit Log" to view the history.

Next

  • Teams — How to create/invite/transfer
  • Manual Approval — In which scenarios does manual_approval match approvers?