Roles and permissions

OPAQUE uses role-based access control (RBAC) to manage what users can see and do on the platform. In this model:

  • A role is a predefined collection of permissions that determine what actions a user can perform.
  • A user can be assigned one or more roles, with each role granting specific permissions for certain tasks.

The next section provides an overview of the supported roles in OPAQUE and their responsibilities.

Supported user roles and permissions

OPAQUE supports three user roles, tailored for specific responsibilities:

  • Organization admin:
    • Manages users and organization-wide settings.
    • Assigns workspace admins.
    • Oversees audit visibility across the entire organization.
  • Workspace admin:
    • Creates and manages workspaces.
    • Invites members of an OPAQUE organization to workspaces.
    • Manages workflow and integration configurations within those workspaces.
  • Workspace member (default user):
    • Works in assigned workspaces.
    • Runs jobs and workflows or reviews jobs and workflows submitted by others.
    • Interacts with datasets and integrations according to their permissions.

Default permissions

All OPAQUE users—including admins and default members—share the following baseline permissions in the workspaces they’ve joined:

Note

Creator refers to the user who originally authored the workflow or integration configuration.

  • Workspace:
    • View workspace settings and connected resources
    • View event logs (same org + same workspace only)
  • Workflows:
    • Create, view, and run workflows
    • Request workflow approval (if required by policy)
    • View workflow runs and results
    • Return a workflow to draft (creators only)
    • Approve or reject workflows (only if part of an approval group)
  • Integrations:
    • Create and view integration configurations
    • Update or share integrations (admins and creators only)
    • Delete or revoke access to workspace (admins and creators only)
  • Jobs and data:
    • Create, view, and edit jobs
    • Run and cancel jobs (own only)
    • Review jobs
    • View and export job results (same org + same workspace only)
    • Connect and remove datasets
    • Create and view data policies
    • View job details
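
The qualifiers in the list above (creators only, own only, approval group, same org + same workspace) combine a role with ownership and scope checks. The following Python model is an added illustration, not OPAQUE code or its API: every class, field and action name is hypothetical, and it assumes that "own" means the job's creator and that "admins" means an admin acting in the workspace in question.

```python
from dataclasses import dataclass

# Added illustration: hypothetical names, not OPAQUE's implementation.
# Models only the qualified entries of the default-permission list.
@dataclass(frozen=True)
class User:
    name: str
    org: str
    workspaces: frozenset                    # workspaces the user has joined
    is_admin: bool = False                   # assumption: admin in those workspaces
    approval_groups: frozenset = frozenset()

@dataclass(frozen=True)
class Resource:
    kind: str                                # "workflow", "integration", "job", "event_log"
    org: str
    workspace: str
    creator: str = ""
    approval_group: str = ""

def _any(u, r): return True
def _creator(u, r): return u.name == r.creator
def _admin_or_creator(u, r): return u.is_admin or u.name == r.creator
def _approver(u, r): return r.approval_group in u.approval_groups

# (resource kind, action) -> condition applied on top of the scope check
RULES = {
    ("workflow", "view"): _any,
    ("workflow", "run"): _any,
    ("workflow", "return_to_draft"): _creator,      # creators only
    ("workflow", "approve"): _approver,             # approval group only
    ("integration", "view"): _any,
    ("integration", "update"): _admin_or_creator,   # admins and creators only
    ("integration", "share"): _admin_or_creator,
    ("job", "view"): _any,
    ("job", "run"): _creator,                       # own only
    ("job", "cancel"): _creator,
    ("job", "export_results"): _any,                # scope check still applies
    ("event_log", "view"): _any,
}

def is_allowed(user, action, res):
    # Baseline scope: same org and a workspace the user has joined.
    if user.org != res.org or res.workspace not in user.workspaces:
        return False
    rule = RULES.get((res.kind, action))            # unlisted pairs are denied
    return bool(rule and rule(user, res))
```

Denying any (kind, action) pair that is not listed keeps the model default-deny, so a permission missing from the table cannot be granted by accident.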

Additional permissions for admins

The organization and workspace admin roles include additional privileges for managing data, users, and workspaces. While a single person may hold both roles, permissions depend on the specific role assigned.

Permission Organization Admin Workspace Admin
Manage users
View all org members
Create new workspaces
Archive workspaces (own only)
View and export audit/event logs ✅  (org level only) ✅  (workspace level only)

Assigning roles in OPAQUE

By default, all members of an OPAQUE organization begin without elevated privileges.

Member management starts in Okta, where your IT team adds users to your OPAQUE organization. Once a member has signed in and out of OPAQUE for the first time, they appear in the Admin member list.

From there:

  • Organization admins can promote any member of their organization to the workspace admin role.
  • Roles are managed through the Admin interface in OPAQUE.
  • For details on promoting members to workspace admins, see Managing users.