From a50ad673fb0b866aaa59f1fb72f55bb3366f56ae Mon Sep 17 00:00:00 2001
From: pi1814
Date: Tue, 10 Feb 2026 18:05:47 +0530
Subject: [PATCH 1/2] chore: add console roles and permissions
---
 docs/console/roles-and-permissions.mdx | 117 +++++++++++++++++++++++++
 docs/guides/workspaces.mdx | 3 +-
 src/sidebar.ts | 1 +
 3 files changed, 120 insertions(+), 1 deletion(-)
 create mode 100644 docs/console/roles-and-permissions.mdx
diff --git a/docs/console/roles-and-permissions.mdx b/docs/console/roles-and-permissions.mdx
new file mode 100644
index 0000000000..37dfe4ecc3
--- /dev/null
+++ b/docs/console/roles-and-permissions.mdx
@@ -0,0 +1,117 @@
+---
+id: roles-and-permissions
+title: Roles and permissions in the Ory Console
+sidebar_label: Roles and permissions
+---
+
+The Ory Console uses role-based access control enforced through Ory Keto. Roles are assigned at two levels: workspace and project.
+
+## Workspace roles
+
+A workspace has two roles: Owner and Developer.
+
+### Owner
+
+The Owner role has full administrative control over the workspace.
+
+- View and edit workspace metadata
+- Upgrade the workspace plan
+- View and manage billing
+- View and manage members
+- Create and delete workspace API keys
+- Create projects and view the projects list
+
+### Developer
+
+The Developer role provides day-to-day access without administrative capabilities.
+
+- View workspace metadata
+- Create projects and view the projects list
+- View members
+- View workspace API keys
+
+Developers cannot:
+
+- Edit workspace metadata
+- Manage billing
+- Manage workspace members
+- Create or delete workspace API keys
+
+### Workspace permission matrix
+
+| Permission | Developer | Owner |
+| -------------------------------- | --------- | ----- |
+| View workspace metadata | Yes | Yes |
+| Edit workspace metadata | No | Yes |
+| Upgrade workspace plan | No | Yes |
+| View billing | No | Yes |
+| Manage billing | No | Yes |
+| View members | Yes | Yes |
+| Manage members | No | Yes |
+| View workspace API keys | Yes | Yes |
+| Create/delete workspace API keys | No | Yes |
+| Create projects | Yes | Yes |
+| View projects list | Yes | Yes |
+
+## Project roles
+
+A project has two roles: Owner and Developer.
+
+### Owner
+
+The Owner role has full control over the project, including destructive and administrative actions. Owners inherit all Developer
+permissions.
+
+In addition to Developer permissions, Owners can:
+
+- Delete the project
+- Move the project between workspaces
+- Upgrade the project plan
+- Add and remove collaborators
+- Modify project workspace settings
+
+### Developer
+
+The Developer role provides full access to project configuration and all Ory services.
+
+- Read and write project configuration
+- View collaborators
+- Manage project API keys
+- Manage custom domains (CNAMEs)
+- Manage event streams
+- Full access to Ory Identities (read/write identities, credentials, sessions, and messages)
+- Full access to Ory Permissions (read/write relationships, read permissions)
+- Full access to Ory OAuth2 (read/write clients)
+
+Developers cannot:
+
+- Delete or move the project
+- Add or remove collaborators
+- Modify project workspace settings
+
+### Project permission matrix
+
+| Permission | Owner | Developer |
+| --------------------------------- | ----- | --------- |
+| Read project configuration | Yes | Yes |
+| Write project configuration | Yes | Yes |
+| View collaborators | Yes | Yes |
+| Add/remove collaborators | Yes | No |
+| Manage project API keys | Yes | Yes |
+| Manage custom domains (CNAMEs) | Yes | Yes |
+| Manage event streams | Yes | Yes |
+| Ory Identities (full read/write) | Yes | Yes |
+| Ory Permissions (full read/write) | Yes | Yes |
+| Ory OAuth2 (full read/write) | Yes | Yes |
+| Delete project | Yes | No |
+| Move project | Yes | No |
+| Upgrade project plan | Yes | No |
+| Modify workspace settings | Yes | No |
+
+## Managing roles
+
+To change a member's role, a workspace Owner can go to **Console > Workspace Settings > Members**.
+
+![Workspace members](./_static/workspace-settings-members-page.png)
+
+For more information on workspaces and member management, see [Workspaces & Environments](../guides/workspaces.mdx).
diff --git a/docs/guides/workspaces.mdx b/docs/guides/workspaces.mdx
index 6d03470128..441b7e7140 100644
--- a/docs/guides/workspaces.mdx
+++ b/docs/guides/workspaces.mdx
@@ -43,7 +43,8 @@ The Workspace Members page provides a comprehensive view of your team and access
 :::note
 The screenshot shows that all members are listed as "Owners". In practice, you may have different roles such as Owner or
-Developer.
+Developer. For a full breakdown of what each role can do, see
+[Roles and permissions in the Ory Console](../console/roles-and-permissions.mdx).
 :::
diff --git a/src/sidebar.ts b/src/sidebar.ts
index 989fb7a239..d934da6619 100644
--- a/src/sidebar.ts
+++ b/src/sidebar.ts
@@ -288,6 +288,7 @@ const operations: SidebarItemsConfig = [
 collapsible: false,
 items: [
 "guides/workspaces",
+ "console/roles-and-permissions",
 "guides/custom-domains",
 "console/usage-billing",
 "guides/manage-project-via-api",
From 8507d5b69cb5338a436baef8ecc705270a6a7a1c Mon Sep 17 00:00:00 2001
From: vinckr
Date: Tue, 10 Feb 2026 09:49:20 -0300
Subject: [PATCH 2/2] chore: consolelink
---
 docs/console/roles-and-permissions.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/console/roles-and-permissions.mdx b/docs/console/roles-and-permissions.mdx
index 37dfe4ecc3..65d0df6129 100644
--- a/docs/console/roles-and-permissions.mdx
+++ b/docs/console/roles-and-permissions.mdx
@@ -110,7 +110,7 @@ Developers cannot:
 ## Managing roles
-To change a member's role, a workspace Owner can go to **Console > Workspace Settings > Members**.
+To change a member's role, a workspace Owner can go to .
 ![Workspace members](./_static/workspace-settings-members-page.png)