Roles and permissions
Reference for built-in SBOM Observer roles and their effective permissions.
SBOM Observer uses workspace-level roles to control what each member can see and do. This page is a lookup reference for the built-in roles and the capabilities each of them grants.
For a conceptual overview of how roles relate to authentication, see Authentication & Access Control.
Built-in roles
| Role | Scope | Typical users |
|---|---|---|
| Owner | Full control of the organization | Founders, platform leads, security owners |
| Admin | Manage projects, policies, and integrations | Security engineers, platform engineers |
| Member | Contribute SBOMs and project data | Developers, product teams, vendor contacts |
| Viewer | Read-only access to evidence and reports | Auditors, management, stakeholders |
| Billing | Billing configuration and invoices | Finance, procurement |
Each user holds exactly one role per organization. Authentication establishes who the user is; every authorization decision after that is evaluated against that single role, so a user cannot combine the rights of two roles.
Capabilities by role
Use this matrix when deciding which role to assign to a user.
| Capability | Owner | Admin | Member | Viewer | Billing |
|---|---|---|---|---|---|
| Invite and remove members | ✅ | ✅ | ❌ | ❌ | ❌ |
| Change member roles | ✅ | ✅ | ❌ | ❌ | ❌ |
| Suspend or reactivate accounts | ✅ | ✅ | ❌ | ❌ | ❌ |
| Manage organization-wide policies | ✅ | ✅ | ❌ | ❌ | ❌ |
| Create and edit projects | ✅ | ✅ | ✅ | ❌ | ❌ |
| Manage SBOMs | ✅ | ✅ | ✅ | ❌ | ❌ |
| View dashboards, reports, and attestations | ✅ | ✅ | ✅ | ✅ | ✅ |
| Configure billing profiles and payment methods | ✅ | ❌ | ❌ | ❌ | ✅ |
| View invoices and billing history (card payments) | ✅ | ❌ | ❌ | ❌ | ✅ |
| Close account | ✅ | ❌ | ❌ | ❌ | ❌ |
Practical guidance
- Assign Owner sparingly. It is the only role that can close the account, which is irreversible, and it also carries full administrative and billing control.
- Use Admin for people who manage policies, integrations, and day-to-day configuration but should not handle billing.
- Use Member for users who contribute SBOMs, work with violations, and collaborate on projects. Most users will fit this role.
- Use Viewer for stakeholders who only need read access to reports, dashboards, and evidence.
- Use Billing for finance or procurement users who only need access to invoices and payment details.
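The matrix and the guidance above amount to a least-privilege rule: give each person the role that covers what they actually need and nothing more, and keep the number of Owners small. The following script is an added example, not code from SBOM Observer: it transcribes the capability matrix from this page into a lookup, picks the least-privileged role that covers a required set of capabilities (reporting the surplus rights that role still grants, and whether it includes the irreversible close-account power), and audits a constructed member export for duplicate accounts, unknown roles, and more Owners than an agreed ceiling. The capability names, the member list, and the `max_owners` ceiling are assumptions made for the example. Policy management is recorded as Admin and above, consistent with the role descriptions (Admin manages policies, Member contributes SBOMs).

```python
"""Least-privilege role selection and Owner-count audit for the built-in
SBOM Observer roles. Added example; the matrix is transcribed from the
capability table on this page and the member list is constructed data."""
from __future__ import annotations

from collections import Counter

# Roles from the built-in roles table.
ROLES = ("Viewer", "Billing", "Member", "Admin", "Owner")

# Capability -> roles that have it, transcribed from the capability matrix.
# Capability names are our own shorthand, not SBOM Observer identifiers.
CAPABILITIES: dict[str, frozenset[str]] = {
    "invite_remove_members": frozenset({"Owner", "Admin"}),
    "change_member_roles": frozenset({"Owner", "Admin"}),
    "suspend_reactivate_accounts": frozenset({"Owner", "Admin"}),
    # Admin and above, matching the role descriptions on this page.
    "manage_org_policies": frozenset({"Owner", "Admin"}),
    "create_edit_projects": frozenset({"Owner", "Admin", "Member"}),
    "manage_sboms": frozenset({"Owner", "Admin", "Member"}),
    "view_dashboards_reports_attestations": frozenset(ROLES),
    "configure_billing": frozenset({"Owner", "Billing"}),
    "view_invoices": frozenset({"Owner", "Billing"}),
    "close_account": frozenset({"Owner"}),
}

# Capabilities whose effect cannot be undone; granting them deserves review.
IRREVERSIBLE = frozenset({"close_account"})


def capabilities_of(role: str) -> frozenset[str]:
    """Every capability the matrix grants to `role`."""
    if role not in ROLES:
        raise ValueError(f"unknown role: {role!r}")
    return frozenset(c for c, roles in CAPABILITIES.items() if role in roles)


def has_capability(role: str, capability: str) -> bool:
    """Single authorization check: does `role` grant `capability`?"""
    if capability not in CAPABILITIES:
        raise ValueError(f"unknown capability: {capability!r}")
    return role in CAPABILITIES[capability]


def least_privileged_role(required: set[str]) -> tuple[str, frozenset[str]]:
    """Return the role that covers every required capability while granting
    the fewest capabilities overall, together with the surplus it grants.
    Roles are not totally ordered (Billing and Member are incomparable), so
    the size of the granted set is used as the privilege measure."""
    unknown = required - set(CAPABILITIES)
    if unknown:
        raise ValueError(f"unknown capabilities: {sorted(unknown)}")
    candidates = [r for r in ROLES if required <= capabilities_of(r)]
    # Owner grants everything, so there is always at least one candidate.
    best = min(candidates, key=lambda r: len(capabilities_of(r)))
    return best, capabilities_of(best) - required


def grants_irreversible(role: str) -> bool:
    """True if assigning `role` hands out an irreversible capability."""
    return bool(capabilities_of(role) & IRREVERSIBLE)


def audit_members(members: list[tuple[str, str]], max_owners: int = 2) -> list[str]:
    """Flag assignments that break the guidance on this page: a user listed
    more than once (one role per user is expected), unknown roles, and more
    Owners than the agreed ceiling (`max_owners` is an assumed policy value)."""
    findings: list[str] = []
    for email, n in Counter(email for email, _ in members).items():
        if n > 1:
            findings.append(f"{email}: listed {n} times; exactly one role per user expected")
    for email, role in members:
        if role not in ROLES:
            findings.append(f"{email}: unknown role {role!r}")
    owners = [email for email, role in members if role == "Owner"]
    if len(owners) > max_owners:
        findings.append(f"{len(owners)} Owners exceed ceiling of {max_owners}: {', '.join(owners)}")
    return findings


# Constructed sample member export; these are not real accounts.
SAMPLE_MEMBERS = [
    ("cto@example.com", "Owner"),
    ("seclead@example.com", "Owner"),
    ("platform@example.com", "Owner"),
    ("dev1@example.com", "Member"),
    ("auditor@example.com", "Viewer"),
    ("finance@example.com", "Billing"),
]

if __name__ == "__main__":
    role, surplus = least_privileged_role({"manage_sboms", "view_invoices"})
    print(f"fits only {role}; surplus rights: {sorted(surplus)}")
    if grants_irreversible(role):
        print("warning: this role can close the account; consider two accounts instead")
    for finding in audit_members(SAMPLE_MEMBERS):
        print("FINDING:", finding)
```

The interesting case is a request that spans two incomparable roles, such as contributing SBOMs and viewing invoices: no single role short of Owner covers both, and the surplus list makes visible exactly how much extra power that assignment would hand out. Because a user holds exactly one role, the practical fix is usually two accounts (or a second person) rather than promoting someone to Owner.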