Roles and Permissions

📕 Tutorial - How to Manage Roles

Overview

Bytebase employs RBAC (Role-Based Access Control). Permissions are assigned to roles, and roles are granted to users and groups.

Workspace Roles

Built-in roles: Workspace Admin, Workspace DBA, Workspace Member.

Workspace roles map to roles at the organization level. Every Bytebase user has the Workspace Member role. Users can also be granted the Workspace Admin or Workspace DBA role. These 2 roles should be granted judiciously, though.

Project Roles

  • Built-in roles: Project Owner, Project Developer, Project Releaser, SQL Editor User (previously called Project Querier), Project Exporter, Project Viewer.
  • Custom roles.

In addition to the inherent Workspace Member role, most users will be granted project roles. These roles allow users to perform specific database operations.

To grant users a project role for all the projects, grant that project role at the workspace level.

[Diagram: org-role-mapping]

The diagram above describes the mapping between an engineering org and the corresponding roles in the Bytebase workspace. Note that a particular user can be assigned multiple roles as well:

  • A user can be assigned multiple workspace roles.
  • In a particular project, a user can be assigned multiple project roles. A user can also be assigned different project roles in different projects.

Real-world scenarios:

  • Organizations may not establish a dedicated DBA or platform engineering group. In such cases, the application engineering group head and the tech leads usually wear those hats. Say a user named Alice can be a Workspace DBA and a Project Owner for Project Apollo at the same time.

  • An application developer could be involved in multiple projects. In such cases, that engineer would be assigned project roles in each of those projects. Say a user named Bob can be a Workspace Member, a Project Owner for Project Apollo and a Project Developer for Project Mars at the same time.

Workspace roles

By default, the first registered user is granted the Admin role; all subsequently registered users are granted the Member role. An Admin can update any user's role later.

Workspace Permission | Member | DBA | Admin
Change own name and password ✔️ ✔️ ✔️
Add new user ✔️
View all users ✔️ ✔️ ✔️
Change any user's role ✔️
De-activate/re-activate user ✔️
Change any user's name and password ✔️
Add environment ✔️ ✔️
View all environments ✔️ ✔️ ✔️
Edit environment ✔️ ✔️
Reorder environment ✔️ ✔️
Archive environment ✔️ ✔️
View all instances ✔️ ✔️
Add instance ✔️ ✔️
Edit instance ✔️ ✔️
Archive instance ✔️ ✔️
Sync instance schema ✔️ ✔️
Create database ✔️ ✔️
View all databases ✔️ ✔️
Create project ✔️ ✔️ ✔️
View all projects ✔️ ✔️
Create issue ✔️ ✔️
View all issues ✔️ ✔️
Become issue assignee ✔️ ✔️
Re-assign issue ✔️ ✔️
Add comment to all issues ✔️ ✔️
Subscribe to all issues ✔️ ✔️
Alter schema ✔️ ✔️
Change data ✔️ ✔️
Configure SQL Review Policy ✔️ ✔️
Manage version control system (VCS) ✔️
Manage sensitive data ✔️ ✔️
Manage database access control ✔️ ✔️
Manage IM integration ✔️
Change logo ✔️

Project roles

Any user can create a project. By default, the project creator is granted the Project Owner role. Workspace DBA and Workspace Admin assume the Project Owner role for all projects.

Project Permission | SQL Editor User | Project Exporter | Project Developer | Project Owner | Workspace DBA | Workspace Admin
Change project role ✔️ ✔️ ✔️
Edit project ✔️ ✔️ ✔️
Archive project ✔️ ✔️ ✔️
Configure UI/GitOps workflow ✔️ ✔️ ✔️
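
For an access review, the role rules stated on this page can be written down as a small resolver that lists who is effectively a Project Owner and why. This is an added example, not Bytebase code or its API: the `User` class, the function names, the user Carol and the sample grants are constructed here, while Alice and Bob follow the scenarios described above.

```python
# Added illustration: a model of the role rules stated on this page.
# It is not Bytebase code and does not call any Bytebase API.
from dataclasses import dataclass, field

WORKSPACE_ROLES = {"Workspace Admin", "Workspace DBA", "Workspace Member"}
PRIVILEGED = {"Workspace Admin", "Workspace DBA"}  # "granted judiciously"


@dataclass
class User:  # hypothetical record, not a Bytebase type
    name: str
    # Roles granted at the workspace level. May include project roles,
    # which then apply to every project.
    workspace_grants: set = field(default_factory=set)
    # Project name -> project roles granted inside that project.
    project_grants: dict = field(default_factory=dict)


def workspace_roles(user):
    # Every user holds Workspace Member.
    return (user.workspace_grants & WORKSPACE_ROLES) | {"Workspace Member"}


def effective_project_roles(user, project):
    roles = set(user.project_grants.get(project, set()))
    # A project role granted at the workspace level covers all projects.
    roles |= user.workspace_grants - WORKSPACE_ROLES
    # Workspace DBA and Workspace Admin assume Project Owner everywhere.
    if workspace_roles(user) & PRIVILEGED:
        roles.add("Project Owner")
    return roles


def owners_of(users, project):
    """Map each effective Project Owner of `project` to the reasons."""
    report = {}
    for u in users:
        reasons = []
        if "Project Owner" in u.project_grants.get(project, set()):
            reasons.append("granted in project")
        if "Project Owner" in u.workspace_grants:
            reasons.append("granted at workspace level")
        for role in sorted(workspace_roles(u) & PRIVILEGED):
            reasons.append("implied by " + role)
        if reasons:
            report[u.name] = reasons
    return report


# Constructed sample data (Carol and her grant are assumptions).
ALICE = User("Alice", {"Workspace DBA"}, {"Apollo": {"Project Owner"}})
BOB = User("Bob", set(), {"Apollo": {"Project Owner"}, "Mars": {"Project Developer"}})
CAROL = User("Carol", {"Project Viewer"})
USERS = [ALICE, BOB, CAROL]
```

Running `owners_of(USERS, "Mars")` shows Alice as an owner of Project Mars with no grant in that project, which is the kind of implied access a review of Workspace DBA and Workspace Admin holders should surface.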

Database permissions

Bytebase does not define database-specific roles. Whether a user can perform a certain action on a database is based on the user's workspace role and the user's role in the project owning the database.

Database Permission | SQL Editor User | Project Exporter | Project Developer | Project Owner | Workspace DBA | Workspace Admin
Query ✔️ ✔️ ✔️ ✔️
Export ✔️ ✔️ ✔️ ✔️
Edit database label ✔️ ✔️ ✔️
Transfer database ✔️ ✔️ ✔️

Sheet permissions

Users can save sheets from the SQL Editor. A sheet always belongs to a project. A sheet has one of three visibility levels:

  • Private
  • Project
  • Public

Private Sheet

Permission | Creator | SQL Editor User | Project Exporter | Project Developer | Project Owner | Workspace DBA | Workspace Admin
Star ✔️
Read ✔️
Write ✔️
Delete ✔️

Project Sheet

Permission | Creator | SQL Editor User | Project Exporter | Project Developer | Project Owner | Workspace DBA | Workspace Admin
Star ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ ✔️
Read ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ ✔️
Write ✔️ ✔️ ✔️ ✔️
Delete ✔️ ✔️ ✔️ ✔️

Public Sheet

Permission | Creator | SQL Editor User | Project Exporter | Project Developer | Project Owner | Others
Star ✔️ ✔️ ✔️ ✔️ ✔️ ✔️
Read ✔️ ✔️ ✔️ ✔️ ✔️ ✔️
Write ✔️ ✔️
Delete ✔️ ✔️

Issue permissions

Issue Permission | Assignee | Creator | SQL Editor User | Project Exporter | Project Developer | Project Owner | Workspace DBA | Workspace Admin
Create issue N/A N/A ✔️ ✔️ ✔️ ✔️ ✔️
Change issue status ✔️ Depends* ✔️ ✔️
Edit name and description ✔️ ✔️ ✔️ ✔️
Edit SQL Statement ✔️
Subscribe/Unsubscribe ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ ✔️
Add comment ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ ✔️ ✔️

* Project Owner can change issue status when the current active Environment Rollout Policy is set to Require manual rolling out.
