Skip to main content
Version: Community Edition (1.0)

Role Based Access Control

Manage user permissions in your server and projects with Role Based Access Control (RBAC). This page describes gives an overview of RBAC and how to assign roles to users.

Overview

Semaphore uses a RBAC model to determine what actions users can take in server and projects.

A server Admin or Owner must invite users via their GitHub or BitBucket accounts before they can access the Semaphore server or any of the projects.

Role scopes

Semaphore manages roles on two levels:

  • Server: these roles allow users to perform various server actions. Users need to be added to the server before they can access projects.
  • Project: these roles give access to a project within the server. Users need to have access to the repository connected to the project. Project roles cannot be directly assigned to users.

Permissions are additive

Permissions are additive. Users gaining permissions through multiple ways obtain the combined total of all permissions.

For example, let's say Pam has admin role in the server. This gives her unfettered access to all the projects in the server. If Kevin gives her the reader role in one project, she is still effectively admin in that project. In other words, roles never subtract permissions.

Server roles

Server roles control what actions the users may perform in Semaphore. Users need to be added to the server via their GitHub or BitBucket usernames before they can be granted a role. Only users who are part of the server can log in to Semaphore.

The only exception is when a user is added via the Okta integration.

Member

Server members can access the homepage and the projects they are assigned to. They can't modify any settings.

This is the default role assigned when a user is added to the server.

Among other actions, members can:

For the full list of member permissions, see server roles.

Admin

Admins can modify settings within the server or any of its projects. They do not have access to billing information, and they cannot change general server details, such as the server name and URL.

Only Admins and Owners can invite users to the server.

In addition to the member permissions, admins can:

  • View and manage server settings
  • Invite users to the server
  • Remove people from the server

For the full list of admin permissions, see server roles.

Owner

The owner of the server is the person that created it. A server can have multiple owners. Owners have access to all functionalities within the server and any of its projects. Only Admins and Owners can invite users to the server.

For the full list of owner permissions, see server roles.

To remove an owner, see how to remove an owner.

Project roles

Project roles control what actions the users may perform on the project. Project roles are assigned per project.

To grant a user access to a given project they need to:

  • Be a member of the Semaphore server
  • Have access to the related repository in GitHub or BitBucket
  • Be granted access to the Semaphore project

The role given when a user is added to the project depends on their repository-level role. The following table shows how repository permissions map to project roles.

GitHub repo roleBitBucket repo roleSemaphore project role
PullReadReader
PushWriteContributor
AdminAdminContributor

Reader

Readers can access the project page, and view workflows, their results, and job logs. They cannot make any modifications to the project.

Readers have:

For the full list of reader permissions, see project roles.

Contributor

Contributors can view, rerun, change workflows, and SSH into jobs. Can promote and view insights, and run schedulers.

In addition to the reader permissions, contributors can:

For the full list of contributor permissions, see project roles.

Admin

Admins have the authority to modify any setting within the projects, including the ability to add new individuals or remove them.

See also