This feature is only available on Chainloop’s platform paid plans.

Chainloop Role Base Access Control (RBAC) allows scoping down users by resources (i.e. projects). For example, RBAC can be used to ensure that employees can only see and access the projects they are assigned to. Or to limit the actions that a particular user or group of users can perform on a Workflow (like sending an attestation).

RBAC is implemented through Roles. Users can have assigned roles on organizations and projects for access control.

Roles

Organization roles

There are 5 organization level roles:

  • Organization Owner: It’s the highest privilege role, providing full access to all resources and features. It’s the role acquired by the creator of the organization.
  • Organization Admin: It’s a management role in the organization, they have full access to the organization, its members and projects.
  • Organization Viewer: It’s a read-only role that provides full visibility on the organization resources.
  • Member: Members only have permissions in projects they create, or they have been added to with a Project Role. Members cannot manage or see organization resources.
  • Contributor: Contributors can only contribute to projects they have been added to with a Project Role.

Org Owner, Admin and Viewer roles can operate on all projects in the organization. While Members and Contributors can only operate on projects they have been added to with a Project Role.

Project roles

Project roles are needed when the user has the Organization “Member” or “Contributor” role to provide them access to specific projects. There are two different project roles:

  • Project Admin: Provides full access to the project resources. For example, they can manage workflows, configure compliance frameworks, and user or group membership. They can also create project API tokens and perform attestations.
  • Project Viewer: Provides read-only access to the project, workflows, and attestations.

Assigning project roles

You can list and manage members through project settings: info

Then you can use the membership form to add members and assign them project roles: info

Groups

Groups can help in organizing users by Business Unit, Teams, Department, or any other criteria. They can be attached to projects with a given role. Users of the group would acquire that role when accessing the project.

Creating groups

Only Organization Admins can create groups through the “Groups” section in Organization settings: groups

Adding users to a group

In Group Details view, Admins can add new members to an existing group by clicking the “Add Member” button:

groups

Group “Maintainers” can add and remove members from the group, regardless of their Organization Role.

Project-scoped API tokens

Alongside org-level API tokens, project-scoped API tokens can now be created from the project settings:

project-scoped-api-tokens

These tokens can be used to authenticate the Chainloop CLI/API, perform attestations, or operate in the context of a specific project. This adds security guarantees that a team can’t interfere with another team’s project and removes the bottleneck of requiring an organization administrator to provide such tokens.