Bytebase uses RBAC (Role-Based Access Control) to manage permissions. A role is a collection of permissions that can be granted to users and user groups.
Organizations can create custom roles with specific permission sets tailored to their needs. Custom roles are defined at the workspace level and can be granted at both workspace and project levels.
Roles are granted through IAM policies at two levels:
Workspace IAM Policy (Workspace > Members page)
Grant roles that apply across all projects
Manage workspace-level permissions
Project IAM Policy (Project > Members page)
Grant roles for specific project resources
Inherits roles granted at the workspace level
Inheritance: Project IAM policies automatically inherit roles granted at the workspace level. For example, if a user is granted Project Developer at the workspace level, they have that role in all projects.
Use Import from role to start with an existing role’s permissions and modify them as needed.
Example: To create a role that can approve and comment on issues but not execute them, create a Project Approver role by importing from Project Releaser and removing execution permissions.
By default, the first registered user is granted the Admin role; all subsequently registered users are granted the Member role. An Admin can update any user’s role later.
Any user can create a project. By default, the project creator is granted the Project Owner role. Workspace DBA and Workspace Admin assume the Project Owner role for all projects.
Bytebase does not define database-specific roles. Whether a user can perform a certain action on a database depends on the user’s Workspace role and the user’s role in the project that owns the database.
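The following added example (not Bytebase code) models the rules above to show how a user's effective roles in a project are resolved: workspace grants are inherited by every project, Workspace DBA and Workspace Admin assume Project Owner, and a Project Approver role is derived from Project Releaser minus execution. The permission strings, member names, project names and the contents of each role are constructed for illustration and are not Bytebase's real identifiers.

```python
# Added illustration: a simplified model of two-level role grants, not Bytebase code.
# Permission strings are constructed placeholders, not Bytebase's real permission names.
ROLES = {
    "Project Developer": {"issue.create", "issue.comment"},
    "Project Releaser": {"issue.approve", "issue.comment", "issue.execute"},
}
# Custom role as described above: import from Project Releaser, remove execution.
ROLES["Project Approver"] = ROLES["Project Releaser"] - {"issue.execute"}
# Assumption: Project Owner holds every project permission in this model.
ROLES["Project Owner"] = set().union(*ROLES.values())
# Workspace roles that the page says assume Project Owner in all projects.
ASSUME_OWNER = {"Workspace DBA", "Workspace Admin"}

# Constructed sample data: group membership and role -> members bindings.
GROUPS = {"group:reviewers": {"user:bob"}}
WORKSPACE_POLICY = {"Project Developer": {"user:alice"}, "Workspace DBA": {"user:dana"}}
PROJECT_POLICIES = {"payments": {"Project Approver": {"group:reviewers"}}}


def effective_roles(user, project):
    """Roles a user holds in a project: workspace grants plus project grants."""
    who = {user} | {g for g, members in GROUPS.items() if user in members}
    roles = set()
    for policy in (WORKSPACE_POLICY, PROJECT_POLICIES.get(project, {})):
        roles |= {role for role, members in policy.items() if who & members}
    if roles & ASSUME_OWNER:
        roles.add("Project Owner")
    return roles


def can(user, project, permission):
    """True if any effective role in the project carries the permission."""
    return any(permission in ROLES.get(r, set()) for r in effective_roles(user, project))


def workspace_wide_project_grants():
    """Audit helper: project roles bound at workspace level reach every project."""
    return sorted((role, m) for role, members in WORKSPACE_POLICY.items()
                  if role.startswith("Project ") for m in members)


if __name__ == "__main__":
    for user, project in [("user:alice", "hr"), ("user:bob", "payments"), ("user:dana", "hr")]:
        print(user, project, sorted(effective_roles(user, project)))
    print("workspace-wide project roles:", workspace_wide_project_grants())
```

The audit helper lists project roles granted at the workspace level, which are the grants to review first when applying least privilege because they take effect in every project.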