Roles and Permissions

CRA Evidence uses role-based access control to manage what people can do. Every user has an organisation role, and may also have team roles if your organisation uses teams.

Organisation Roles

When someone joins your organisation, they're assigned one of four roles: Owner, Admin, Member, or Viewer. Each role includes all the permissions of the roles below it.

Owner

Owners have complete control over the organisation. They can:

  • Access and modify billing settings
  • Delete the organisation
  • Promote others to Owner
  • Everything Admins, Members, and Viewers can do

Every organisation must have at least one Owner. The person who created the organisation is automatically the first Owner. You cannot remove the last Owner.

Owners are typically founders, C-level executives, or IT directors who need ultimate control.

Admin

Admins can manage the organisation's day-to-day operations but cannot delete it or access billing. They can:

  • Invite new members (up to Admin level)
  • Remove members
  • Change member roles (except to/from Owner)
  • Configure organisation settings
  • Manage SSO and SCIM
  • Create and manage API keys
  • Access the audit log
  • Everything Members and Viewers can do

Admins are typically team leads, engineering managers, or compliance officers.

Member

Members are active contributors who work with products and compliance data. They can:

  • Create, edit, and delete products
  • Create, edit, and delete versions
  • Upload and manage SBOMs, HBOMs, and VEX documents
  • Upload and manage compliance documents
  • View and update vulnerabilities
  • Export technical files
  • Everything Viewers can do

Members cannot change organisation settings or invite other users. This role suits developers, DevOps engineers, and compliance analysts who do the hands-on work.

Viewer

Viewers have read-only access. They can:

  • View products and versions
  • View SBOMs and documents
  • View vulnerability information
  • View compliance status
  • Download exports

Viewers cannot create, edit, or delete anything. This role is for stakeholders who need visibility without editing capability, such as executives reviewing compliance dashboards, external auditors, or consultants.

Permission Matrix

Here's what each role can do at a glance:

Action                               Viewer  Member  Admin            Owner
View products, versions, artifacts   Yes     Yes     Yes              Yes
Download exports                     Yes     Yes     Yes              Yes
Create/edit products                 No      Yes     Yes              Yes
Upload SBOMs and documents           No      Yes     Yes              Yes
Manage vulnerabilities               No      Yes     Yes              Yes
Delete products/versions             No      Yes     Yes              Yes
Invite members                       No      No      Yes              Yes
Remove members                       No      No      Yes              Yes
Change member roles                  No      No      Yes (not Owner)  Yes
Configure settings                   No      No      Yes              Yes
Manage API keys                      No      No      Yes              Yes
Manage SSO/SCIM                      No      No      Yes              Yes
View audit log                       No      No      Yes              Yes
Access billing                       No      No      No               Yes
Delete organisation                  No      No      No               Yes
Promote to Owner                     No      No      No               Yes

Team Roles

If your organisation uses teams, members have a separate role within each team. Team roles are independent of organisation roles.

Team Lead

Team Leads have full control over their team's products. They can:

  • Add and remove team members
  • Change team member roles
  • Update team settings (name, description, colour)
  • Create and edit products assigned to the team
  • Manage all artifacts for team products

Team Member

Team Members can work with the team's products. They can:

  • Create and edit products assigned to the team
  • Upload SBOMs and documents for team products
  • Manage vulnerabilities for team products

They cannot add or remove other team members or change team settings.

Team Viewer

Team Viewers can see the team's products but cannot make changes. This is useful for cross-functional stakeholders who need to monitor another team's compliance status.

How Roles Interact

Organisation roles set the baseline. Team roles can further restrict access to specific products.

A person who is an Admin at the organisation level but a Viewer on a specific team can still do Admin things for non-team products, but can only view (not edit) that team's products.

If a product isn't assigned to any team, access follows organisation-level roles only.
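The following is an added example that models the permission matrix and the "org role sets the baseline, team role can only restrict" rule as a single authorisation check. It is illustrative code written for this page, not CRA Evidence's own implementation; the Product and User types, the action names, and the handling of users who hold no role on a product's team are assumptions, as marked in the comments.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Organisation roles, lowest to highest. Each role inherits everything below it.
ORG_ROLES = ["Viewer", "Member", "Admin", "Owner"]

# Minimum organisation role for each action, taken from the permission matrix.
# Action identifiers are assumed names for this example.
ORG_ACTION_MIN_ROLE = {
    "view_products": "Viewer",
    "download_exports": "Viewer",
    "create_edit_products": "Member",
    "upload_sboms": "Member",
    "manage_vulnerabilities": "Member",
    "delete_products": "Member",
    "invite_members": "Admin",
    "remove_members": "Admin",
    "change_member_roles": "Admin",
    "configure_settings": "Admin",
    "manage_api_keys": "Admin",
    "manage_sso_scim": "Admin",
    "view_audit_log": "Admin",
    "access_billing": "Owner",
    "delete_organisation": "Owner",
    "promote_to_owner": "Owner",
}

# Team roles, lowest to highest.
TEAM_ROLES = ["Team Viewer", "Team Member", "Team Lead"]

# Minimum team role for product-level actions on a team-assigned product.
# The page lists view for Team Viewer and create/edit, upload and vulnerability
# management for Team Member; the other two rows are assumptions.
TEAM_ACTION_MIN_ROLE = {
    "view_products": "Team Viewer",
    "download_exports": "Team Viewer",      # assumption
    "create_edit_products": "Team Member",
    "upload_sboms": "Team Member",
    "manage_vulnerabilities": "Team Member",
    "delete_products": "Team Lead",         # assumption
}


@dataclass(frozen=True)
class Product:
    name: str
    team: Optional[str] = None  # None: not assigned to any team


@dataclass
class User:
    name: str
    org_role: str
    team_roles: Dict[str, str] = field(default_factory=dict)  # team -> team role


def _at_least(role: str, required: str, ladder) -> bool:
    """True if `role` is at or above `required` on the given role ladder."""
    return ladder.index(role) >= ladder.index(required)


def can(user: User, action: str, product: Optional[Product] = None) -> bool:
    """Decide whether `user` may perform `action`, on `product` if one is given."""
    if action not in ORG_ACTION_MIN_ROLE:
        raise ValueError(f"unknown action: {action}")
    # 1. The organisation role sets the baseline; a team role never raises it.
    if not _at_least(user.org_role, ORG_ACTION_MIN_ROLE[action], ORG_ROLES):
        return False
    # 2. Organisation-wide actions and products with no team follow org roles only.
    if product is None or product.team is None:
        return True
    # 3. Team-assigned product: the team role can further restrict.
    team_role = user.team_roles.get(product.team)
    if team_role is None:
        return False  # assumption: no role on the owning team means no access
    required = TEAM_ACTION_MIN_ROLE.get(action)
    if required is None:
        return False  # assumption: organisation-wide actions are not product-scoped
    return _at_least(team_role, required, TEAM_ROLES)


# Constructed sample data mirroring the scenario in "How Roles Interact".
GATEWAY = Product("Gateway", team="Platform")   # assigned to the Platform team
WIDGET = Product("Widget")                       # not assigned to any team
ALICE = User("alice", "Admin", {"Platform": "Team Viewer"})
BOB = User("bob", "Viewer", {"Platform": "Team Lead"})

if __name__ == "__main__":
    for who, action, prod in [
        (ALICE, "create_edit_products", WIDGET),
        (ALICE, "create_edit_products", GATEWAY),
        (ALICE, "view_products", GATEWAY),
        (BOB, "create_edit_products", GATEWAY),
    ]:
        print(who.name, action, prod.name, "->", can(who, action, prod))
```

Alice, an organisation Admin who is only a Team Viewer on Platform, can edit the unassigned Widget product and invite members, but may only view Gateway. Bob shows the other direction: being Team Lead on Platform does not lift him above his organisation-level Viewer role, so he still cannot edit Gateway.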

Checking Your Role

You can see your current role in the user menu at the top right of the screen. It shows your organisation role.

To see your role in a specific team, go to Settings > Teams and find the team. Your role appears next to your name in the member list.

Common Scenarios

"I can't access Settings." Settings are restricted to Admins and Owners. Ask an Admin to upgrade your role if you need access.

"I can view products but can't edit them." You're a Viewer. Ask an Admin to change your role to Member if you need to make changes.

"I can't invite anyone." Invitation requires Admin or Owner role. Ask someone with those permissions to send the invitation.

"I can't see the billing page." Billing is Owner-only. If you need to manage the subscription, ask the current Owner to promote you or make the changes themselves.

"I can edit some products but not others." Those products are probably assigned to a team where you're a Viewer. Ask a Team Lead to change your team role, or ask to be added to the team.

Changing Roles

Owners and Admins can change member roles from Settings > Members. Find the person and select a new role from the dropdown.

Keep in mind:

  • Admins cannot make anyone an Owner
  • Admins cannot demote an Owner
  • Only Owners can transfer ownership
  • You cannot demote yourself if you're the last Owner
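As an added example of enforcing the four rules above before a role change is applied, the check below returns the violated rule (or None when the change is allowed) so the caller can refuse the change and report why. This is illustrative code, not CRA Evidence's own; the membership mapping and function names are assumptions.

```python
from typing import Dict, Optional

ORG_ROLES = ["Viewer", "Member", "Admin", "Owner"]

# Rule texts, matching the constraints listed under "Changing Roles".
NOT_PERMITTED = "only Admins and Owners can change roles"
ADMIN_NO_PROMOTE = "Admins cannot make anyone an Owner"
ADMIN_NO_DEMOTE_OWNER = "Admins cannot demote an Owner"
LAST_OWNER = "cannot demote the last Owner"


def check_role_change(members: Dict[str, str], actor: str,
                      target: str, new_role: str) -> Optional[str]:
    """Return the rule a proposed change would break, or None if it is allowed.

    `members` maps user name -> current organisation role (constructed shape).
    """
    if new_role not in ORG_ROLES:
        raise ValueError(f"unknown role: {new_role}")
    actor_role = members[actor]
    target_role = members[target]

    # Role changes are an Admin/Owner capability (permission matrix).
    if actor_role not in ("Admin", "Owner"):
        return NOT_PERMITTED
    # Admins can neither promote to Owner nor touch an existing Owner,
    # which also means only Owners can transfer ownership.
    if actor_role == "Admin":
        if new_role == "Owner":
            return ADMIN_NO_PROMOTE
        if target_role == "Owner":
            return ADMIN_NO_DEMOTE_OWNER
    # The organisation must always keep at least one Owner; this covers an
    # Owner trying to demote themselves when they are the last one.
    owners = [name for name, role in members.items() if role == "Owner"]
    if target_role == "Owner" and new_role != "Owner" and owners == [target]:
        return LAST_OWNER
    return None


def apply_role_change(members: Dict[str, str], actor: str,
                      target: str, new_role: str) -> Dict[str, str]:
    """Return a new membership mapping with the change applied, or raise."""
    problem = check_role_change(members, actor, target, new_role)
    if problem is not None:
        raise PermissionError(problem)
    updated = dict(members)
    updated[target] = new_role
    return updated


# Constructed sample organisation: one Owner, one Admin, one Member.
MEMBERS = {"ana": "Owner", "ben": "Admin", "cal": "Member"}

if __name__ == "__main__":
    for actor, target, role in [("ben", "cal", "Admin"), ("ben", "cal", "Owner"),
                                ("ben", "ana", "Admin"), ("ana", "ana", "Admin")]:
        print(f"{actor} -> {target}={role}:",
              check_role_change(MEMBERS, actor, target, role) or "allowed")
```

The last-Owner rule is evaluated against the current membership rather than the actor's role, so it holds whether the last Owner demotes themselves or is demoted by some future path; once a second Owner exists, the original Owner may step down.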

Best Practices

Default to Viewer or Member. Most people don't need Admin access. Give the minimum role needed.

Reserve Owner for one or two people. Having multiple Owners creates ambiguity about who's responsible.

Use teams for departmental separation. Instead of making everyone a Member at the organisation level, create teams and use team roles for finer control.

Review roles periodically. When people change jobs or leave the company, update their access promptly.

Document who has what. For compliance purposes, keep a record of who has elevated access and why.

Last updated February 27, 2026