Roles and permissions

OPAQUE uses role-based access control (RBAC) to manage what users can see and do on the platform. In this model:

  • A role is a predefined collection of permissions that determine what actions a user can perform.
  • A user can be assigned one or more roles, with each role granting specific permissions for certain tasks.

The next section provides an overview of the supported roles in OPAQUE and their responsibilities.

Supported user roles and permissions

Opaque supports three user roles, tailored for specific responsibilities:

  • Organization admin:
    • Manages users and organization-wide settings.
    • Assigns workspace admins.
    • Oversees audit visibility across the organization.
    • Can manage any workspace in the organization, including members and policies.
  • Workspace admin:
    • Creates and manages workspaces they belong to.
    • Can manage integrations created by any member of the organization within those workspaces.
  • Workspace member (default user):
    • Works in assigned workspaces.
    • Runs or reviews workflows and jobs.
    • Interacts with datasets and integrations according to their permissions.

Default permissions

All OPAQUE users—including admins and default members—share the following baseline permissions in the workspaces they’ve joined:

Note

Creator refers to the user who originally authored the workflow or integration configuration.

  • Workspace:
    • View workspace settings and connected resources
    • View event logs (same org + same workspace only)
  • Workflows:
    • Create, view, and run workflows
    • Request workflow approval (if required by policy)
    • View workflow runs and results
    • Return a workflow to draft
    • Approve or reject workflows (only if part of an approval group)
  • Integrations:
    • Create and view integration configurations
    • Update or share integrations (admins and creators only)
    • Delete or revoke access to workspace (admins and creators only)
  • Jobs and data:
    • Create, view, and edit jobs
    • Run and cancel jobs
    • Review jobs
    • View and export job results (same org + same workspace only)
    • Connect and remove datasets
    • Create and view data policies
    • View job details

Additional permissions for admins

The organization and workspace admin roles include additional privileges for managing data, users, and workspaces. While a single person may hold both roles, permissions depend on the specific role assigned.

Permission Organization Admin Workspace Admin
Manage users
View all org members ✅ (when adding members)
Create new workspaces
Manage workspace members ✅ (if a member)
Modify workspace policies ✅ (if a member)
Archive workspaces
View and export audit logs ✅ (organization-wide) ✅ (workspace-only)
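
The scoping rules above can be written as a small decision model, which helps when reviewing who can actually change an integration or read audit logs. This is an added example, not OPAQUE code or its API: the class and function names, the "*" organization-wide marker and the sample users are constructed, and it assumes that anyone other than an organization admin must be a member of the workspace for "admins and creators only" actions.

```python
from dataclasses import dataclass
from enum import Enum

class Role(Enum):
    ORG_ADMIN = "organization admin"
    WORKSPACE_ADMIN = "workspace admin"
    MEMBER = "workspace member"

@dataclass(frozen=True)
class User:
    name: str
    org: str
    roles: frozenset        # Role values assigned to the user
    workspaces: frozenset   # ids of workspaces the user has joined

@dataclass(frozen=True)
class Integration:
    org: str
    workspace: str
    creator: str            # user who authored the configuration

def can_update_integration(user: User, integ: Integration) -> bool:
    """Model of 'Update or share integrations (admins and creators only)'."""
    if user.org != integ.org:                    # never crosses organizations
        return False
    if Role.ORG_ADMIN in user.roles:             # can manage any workspace in the org
        return True
    if integ.workspace not in user.workspaces:   # assumption: membership required
        return False
    return Role.WORKSPACE_ADMIN in user.roles or user.name == integ.creator

def audit_log_scope(user: User) -> set:
    """(org, workspace) pairs whose audit logs the user may view and export."""
    if Role.ORG_ADMIN in user.roles:
        return {(user.org, "*")}                 # organization-wide
    if Role.WORKSPACE_ADMIN in user.roles:
        return {(user.org, ws) for ws in user.workspaces}  # workspace-only
    return set()                                 # not an admin permission holder

# Constructed sample data: one integration and six users.
INTEG = Integration(org="acme", workspace="ws-fraud", creator="carol")
fs = frozenset
alice = User("alice", "acme", fs({Role.ORG_ADMIN}), fs())
bob = User("bob", "acme", fs({Role.WORKSPACE_ADMIN}), fs({"ws-fraud"}))
carol = User("carol", "acme", fs({Role.MEMBER}), fs({"ws-fraud"}))
dave = User("dave", "acme", fs({Role.MEMBER}), fs({"ws-fraud"}))
erin = User("erin", "acme", fs({Role.WORKSPACE_ADMIN}), fs({"ws-risk"}))
frank = User("frank", "other", fs({Role.ORG_ADMIN}), fs())
```

In this model, erin holds an admin role but is denied because she is not a member of the integration's workspace, and frank is denied because his organization differs.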

Assigning roles in Opaque

By default, all users in an Opaque organization start as workspace members without elevated privileges.

User access is managed through your organization’s identity provider, where users are provisioned and granted access to Opaque. After signing in, users appear in the Admin member list.

From there, organization admins can:

  • Promote users to the workspace admin role.
  • Manage roles and workspace membership through the Admin interface.

For step-by-step instructions, see Managing users.