Role

A role is a named, organization-scoped bundle of permissions. Users hold zero or more roles; their effective permission set is the deduplicated union across all assigned roles.

Every organization is seeded with a single system role, Admin. Admin is locked (it cannot be renamed, edited, or deleted) and always resolves to every permission in the catalog, including permissions added in future releases, regardless of what is stored in its permissions field.

Field Type Behavior Description
name string OUTPUT_ONLY Resource name (roles/{role_id})
display_name string   Human-readable name shown in the UI (e.g. Integrations Owner)
description string   Optional description of the role
permissions Permission[]   Permissions held by this role. Reads are implicit, so the catalog contains only :write and :run keys. Empty for the system Admin role, whose effective set is computed server-side.
system boolean OUTPUT_ONLY True on the single seeded system role (Admin). Uneditable and undeletable.
is_default boolean OUTPUT_ONLY True on exactly one role per org: the default assigned to new members. Change it with SetDefaultRole.
create_time timestamp OUTPUT_ONLY When the role was created
update_time timestamp OUTPUT_ONLY When the role was last modified
delete_time timestamp OUTPUT_ONLY When the role was soft-deleted (null if active)

Example

{
  "name": "roles/integrations-owner",
  "displayName": "Integrations Owner",
  "description": "Manages connections and integrations",
  "permissions": ["INTEGRATIONS_WRITE"],
  "system": false,
  "isDefault": false,
  "createTime": "2024-06-15T14:30:00Z",
  "updateTime": "2024-06-15T14:30:00Z"
}

Permission

The permission catalog is fixed and owned by the platform; organizations compose these values into roles but cannot invent new keys. Each value follows a resource:action shape. There are no :read keys, reads are implicit for any authenticated organization member.

A role’s stored permissions array carries the enum names below. The no- privilege-escalation rule applies on every mutation: an actor may only grant permissions that are a subset of their own effective permissions.

Value Meaning
PERMISSION_UNSPECIFIED Default zero value, never a valid grant
OBSERVABILITY_WRITE Edit the observability model (services, SLOs, signals, providers) and configure its Expert agents
OBSERVABILITY_RUN Trigger SLO evaluations and recreate observability Expert sessions
ISSUES_WRITE Manage issues, notification policies, and autofix configuration
KNOWLEDGE_WRITE Edit the knowledge base (runbooks, flows, notes, customer catalog)
INVESTIGATIONS_WRITE Edit investigation metadata and purge investigations
INVESTIGATIONS_RUN Start new investigation sessions
AGENTS_WRITE Create, edit, and delete custom workflow agents
AGENTS_RUN Start and stop custom agent runs
INTEGRATIONS_WRITE Manage connections, MCP servers, transports, ingest, and skills
CHANGE_MONITOR_WRITE Manage change-monitor configuration and its agent
MEMBERS_WRITE Assign roles to organization members
BILLING_WRITE Change plan and payment methods
ROLES_WRITE Create, edit, and delete roles and their permission grants

This site uses Just the Docs, a documentation theme for Jekyll.