User roles and permissions

Opaque uses role-based access control (RBAC) to manage user access and actions on the platform. In this model:

  • A role is a predefined collection of permissions that determine what actions a user can perform.
  • A user can be assigned one or more roles, with each role granting specific permissions for certain tasks.

The next section provides an overview of the supported roles in Opaque and their responsibilities.

Supported user roles and permissions

Opaque supports three user roles, tailored for specific responsibilities:

  • Organization admin:
    • Manages users and organization-wide settings.
    • Assigns workspace admins.
  • Workspace admin:
    • Creates and manages workspaces.
    • Invites members of an Opaque organization to workspaces.
  • Workspace member (user):
    • Works in assigned workspaces.
    • Runs jobs or reviews jobs submitted by others.

Default permissions

All Opaque users—including admins—share the following job-related permissions in the workspaces they’ve joined:

  • Connect and remove datasets
  • Create and view data policies
  • Create and edit jobs
  • Review jobs
  • View job details
  • Run and cancel jobs (own only)
  • View and export job results (member of same org + same workspace only)
  • View and export event logs (member of same org + same workspace only)

Additional permissions for admins

The organization and workspace admin roles include additional privileges for managing data, users, and workspaces. While a single person may hold both roles, permissions depend on the specific role assigned.

Permission Organization Admin Workspace Admin
Manage users
View all org members
Create new workspaces
Archive workspaces (own only)
View and export audit/event logs ✅  (org level only) ✅  (workspace level only)
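
The scoping rules above (own-only run and cancel, same organization and workspace for results and event logs, org-level versus workspace-level audit logs) can be written as a deny-by-default check. This is an added illustrative model, not Opaque's implementation or API; the action names, the `User` and `Resource` types, and the requirement that a workspace admin has joined the workspace whose logs they read are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Action names are hypothetical labels for the permissions listed above.
MEMBER_ACTIONS = {"connect_dataset", "create_job", "review_job",
                  "view_job_details", "view_results", "view_event_logs"}
OWN_ONLY_ACTIONS = {"run_job", "cancel_job"}
ROLE_ACTIONS = {
    "org_admin": {"manage_users", "assign_workspace_admin"},
    "workspace_admin": {"create_workspace", "invite_member"},
}

@dataclass(frozen=True)
class User:
    name: str
    org: str
    roles: frozenset = frozenset()
    workspaces: frozenset = frozenset()   # workspaces the user has joined

@dataclass(frozen=True)
class Resource:
    org: str
    workspace: Optional[str] = None       # None means organization level
    owner: Optional[str] = None           # job submitter, if any

def is_allowed(user: User, action: str, res: Resource) -> bool:
    """Deny by default; grant only what a role or membership covers."""
    if user.org != res.org:
        return False                      # nothing crosses the org boundary
    if action == "view_audit_logs":
        if res.workspace is None:         # org level: organization admin only
            return "org_admin" in user.roles
        # workspace level: workspace admin only (membership is an assumption)
        return ("workspace_admin" in user.roles
                and res.workspace in user.workspaces)
    if any(action in ROLE_ACTIONS.get(r, ()) for r in user.roles):
        return True
    if res.workspace not in user.workspaces:
        return False                      # default permissions need membership
    if action in OWN_ONLY_ACTIONS:
        return res.owner == user.name     # run/cancel: own jobs only
    return action in MEMBER_ACTIONS

# Constructed sample principals and resources.
alice = User("alice", "acme", frozenset({"org_admin"}), frozenset({"ws1"}))
bob = User("bob", "acme", frozenset({"workspace_admin"}), frozenset({"ws1"}))
carol = User("carol", "acme", frozenset(), frozenset({"ws1"}))
bob_job = Resource("acme", "ws1", owner="bob")
```

Note that `alice`, although an organization admin, cannot cancel `bob_job`: admin roles add management permissions but do not widen the own-only job permissions.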

Assigning roles in Opaque

By default, no member of a group within an Opaque organization has elevated privileges.

  • Roles are assigned during onboarding or through the Admin interface in Opaque.
  • Organization admins are provisioned by Opaque during initial deployment and onboarding.
  • Once provisioned, organization admins can promote any Opaque group member in their org to a workspace admin.
  • For details on promoting members to workspace admins, see Managing users.