Roles and Permissions
Overview
Bytebase employs RBAC (Role-Based Access Control). Permissions are assigned to roles, and roles are granted to users and groups.
Workspace Roles
Built-in roles: Workspace Admin, Workspace DBA, Workspace Member.
The workspace role maps to the roles at the organization level. Every Bytebase user has the Workspace Member role.
Users can also be granted Workspace Admin or Workspace DBA. These 2 roles should be granted judiciously though.
Project Roles
- Built-in roles: Project Owner, Project Developer, Project Releaser, SQL Editor User (previously called Project Querier), Project Exporter, Project Viewer.
- Custom roles.
In addition to the inherent Workspace Member role, most users will be granted project roles. These roles allow users to perform specific database operations.
To grant users a project role for all the projects, grant that project role at the workspace level.
The diagram above describes the mapping between an engineering org and the corresponding roles in the Bytebase workspace. Note that a particular user can be assigned multiple roles as well:
- A user can only be assigned multiple workspace roles.
- In a particular project, a user can be assigned multiple project roles. A user can also be assigned different project roles in the different projects.
Real-world scenarios:
- Organizations may not establish a dedicated DBA or platform engineering group. In such a case, usually the application engineering group head and the tech leads will wear those hats. Say a user named Alice can be a Workspace DBA and a Project Owner for Project Apollo at the same time.
- An application developer could be involved in multiple projects. In such a case, that engineer would also be assigned project roles in different projects respectively. Say a user named Bob can be a Workspace Member, a Project Owner for Project Apollo and a Project Developer for Project Mars at the same time.
Workspace roles
By default, the first registered user is granted the Admin role; all following registered users are granted the Member role. Admin can update any user's role later.
Workspace Permission | Member | DBA | Admin |
---|---|---|---|
Change own name and password | ✔️ | ✔️ | ✔️ |
Add new user | ✔️ | ||
View all users | ✔️ | ✔️ | ✔️ |
Change any user's role | ✔️ | ||
De-activate/re-activate user | ✔️ | ||
Change any user's name and password | ✔️ | ||
Add environment | ✔️ | ✔️ | |
View all environments | ✔️ | ✔️ | ✔️ |
Edit environment | ✔️ | ✔️ | |
Reorder environment | ✔️ | ✔️ | |
Archive environment | ✔️ | ✔️ | |
View all instances | ✔️ | ✔️ | |
Add instance | ✔️ | ✔️ | |
Edit instance | ✔️ | ✔️ | |
Archive instance | ✔️ | ✔️ | |
Sync instance schema | ✔️ | ✔️ | |
Create database | ✔️ | ✔️ | |
View all databases | ✔️ | ✔️ | |
Create project | ✔️ | ✔️ | ✔️ |
View all projects | ✔️ | ✔️ | |
Create issue | ✔️ | ✔️ | |
View all issues | ✔️ | ✔️ | |
Become issue assignee | ✔️ | ✔️ | |
Re-assign issue | ✔️ | ✔️ | |
Add comment to all issues | ✔️ | ✔️ | |
Subscribe to all issues | ✔️ | ✔️ | |
Alter schema | ✔️ | ✔️ | |
Change data | ✔️ | ✔️ | |
Configure SQL Review Policy | ✔️ | ✔️ | |
Manage version control system (VCS) | ✔️ | ||
Manage sensitive data | ✔️ | ✔️ | |
Manage database access control | ✔️ | ✔️ | |
Manage IM integration | ✔️ | ||
Change logo | ✔️ |
Project roles
Any user can create a project. By default, the project creator is granted the Project Owner role.
Workspace DBA and Workspace Admin assume the Project Owner role for all projects.
Project Permission | SQL Editor User | Project Exporter | Project Developer | Project Owner | Workspace DBA | Workspace Admin |
---|---|---|---|---|---|---|
Change project role | ✔️ | ✔️ | ✔️ | |||
Edit project | ✔️ | ✔️ | ✔️ | |||
Archive project | ✔️ | ✔️ | ✔️ | |||
Configure UI/GitOps workflow | ✔️ | ✔️ | ✔️ |
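The role rules stated on this page (every user holds Workspace Member, a project role granted at the workspace level applies to all projects, and Workspace DBA and Workspace Admin assume Project Owner everywhere) can be modelled to support an access review. The Python below is an added example, not Bytebase code or its API; the `User` structure, the function names and the user Carol are assumptions made for illustration.

```python
from dataclasses import dataclass, field

WORKSPACE_ROLES = {"Workspace Member", "Workspace DBA", "Workspace Admin"}
ELEVATED = {"Workspace DBA", "Workspace Admin"}
PROJECT_OWNER = "Project Owner"

@dataclass
class User:  # hypothetical structure, not a Bytebase type
    name: str
    # Roles granted at workspace level; a project role here applies to all projects.
    workspace_grants: set = field(default_factory=set)
    # Project name -> roles granted inside that project (built-in or custom).
    project_grants: dict = field(default_factory=dict)

def workspace_roles(user):
    """Every user holds Workspace Member; DBA and Admin are additional grants."""
    return {"Workspace Member"} | (user.workspace_grants & ELEVATED)

def effective_project_roles(user, project):
    """Union of in-project grants, workspace-level project grants and assumed ownership."""
    roles = set(user.project_grants.get(project, ()))
    roles |= user.workspace_grants - WORKSPACE_ROLES  # workspace-level project roles
    if user.workspace_grants & ELEVATED:              # DBA/Admin assume Project Owner
        roles.add(PROJECT_OWNER)
    return roles

def owner_review(users, projects):
    """List (project, user, reason) for every effective Project Owner."""
    rows = []
    for project in projects:
        for u in users:
            if PROJECT_OWNER not in effective_project_roles(u, project):
                continue
            if PROJECT_OWNER in u.project_grants.get(project, ()):
                reason = "granted in project"
            elif PROJECT_OWNER in u.workspace_grants:
                reason = "granted at workspace level"
            else:
                reason = "assumed via " + ", ".join(sorted(u.workspace_grants & ELEVATED))
            rows.append((project, u.name, reason))
    return rows

# Constructed sample data following the Alice and Bob scenarios; Carol is hypothetical.
ALICE = User("Alice", {"Workspace DBA"}, {"Apollo": {"Project Owner"}})
BOB = User("Bob", set(), {"Apollo": {"Project Owner"}, "Mars": {"Project Developer"}})
CAROL = User("Carol", {"Project Viewer"})
USERS = [ALICE, BOB, CAROL]

if __name__ == "__main__":
    for row in owner_review(USERS, ["Apollo", "Mars"]):
        print(row)
```

The review output shows Alice as an owner of Project Mars even though no one granted her a role there, which is the reason the two elevated workspace roles deserve a periodic audit.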
Database permissions
Bytebase does not define database-specific roles. Whether a user can perform a certain action on a database is based on the user's workspace role and the user's role in the project owning the database.
Database Permission | SQL Editor User | Project Exporter | Project Developer | Project Owner | Workspace DBA | Workspace Admin |
---|---|---|---|---|---|---|
Query | ✔️ | ✔️ | ✔️ | ✔️ | ||
Export | ✔️ | ✔️ | ✔️ | ✔️ | ||
Edit database label | ✔️ | ✔️ | ✔️ | |||
Transfer database | ✔️ | ✔️ | ✔️ |
Sheet permissions
Users can save sheets from SQL Editor. A sheet always belongs to a project. A sheet has three visibility levels:
- Private
- Project
- Public
Private Sheet
Permission | Creator | SQL Editor User | Project Exporter | Project Developer | Project Owner | Workspace DBA | Workspace Admin |
---|---|---|---|---|---|---|---|
Star | ✔️ | ||||||
Read | ✔️ | ||||||
Write | ✔️ | ||||||
Delete | ✔️ |
Project Sheet
Permission | Creator | SQL Editor User | Project Exporter | Project Developer | Project Owner | Workspace DBA | Workspace Admin |
---|---|---|---|---|---|---|---|
Star | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
Read | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
Write | ✔️ | ✔️ | ✔️ | ✔️ | |||
Delete | ✔️ | ✔️ | ✔️ | ✔️ |
Public Sheet
Permission | Creator | SQL Editor User | Project Exporter | Project Developer | Project Owner | Others |
---|---|---|---|---|---|---|
Star | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
Read | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
Write | ✔️ | ✔️ | ||||
Delete | ✔️ | ✔️ |
Issue permissions
Issue Permission | Assignee | Creator | SQL Editor User | Project Exporter | Project Developer | Project Owner | Workspace DBA | Workspace Admin |
---|---|---|---|---|---|---|---|---|
Create issue | N/A | N/A | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | |
Change issue status | ✔️ | Depends* | ✔️ | ✔️ | ||||
Edit name and description | ✔️ | ✔️ | ✔️ | ✔️ | ||||
Edit SQL Statement | ✔️ | |||||||
Subscribe/Unsubscribe | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
Add comment | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
* Project Owner can change issue status when the current active Environment Rollout Policy is set to Require manual rolling out.