# Role Management

Interlynk uses role-based access control (RBAC) to govern what users and service tokens can do within an organization. Three system roles are provided by default, and administrators can create custom roles with granular permissions.

***

## Default Roles

Interlynk ships with three system roles that cannot be modified or deleted:

| Role         | Description                                                                                                      |
| ------------ | ---------------------------------------------------------------------------------------------------------------- |
| **Admin**    | Full access to all features and settings. Can manage users, roles, integrations, and organization configuration. |
| **Operator** | Can manage products, SBOMs, policies, integrations, and users. Cannot delete the organization or modify billing. |
| **Viewer**   | Read-only access to products, SBOMs, vulnerabilities, policies, and user lists. Cannot make changes.             |

{% hint style="warning" %}
The permission sets of the default roles (Admin, Operator, and Viewer) are read-only and cannot be modified; to change what a set of users may do, create a custom role instead.
{% endhint %}

### Permission Matrix

The table below lists all permissions and their assignment across default roles.

| Permission                 | Admin | Operator | Viewer |
| -------------------------- | :---: | :------: | :----: |
| **Organization**           |       |          |        |
| View organization          |   ✓   |     ✓    |    ✓   |
| Update organization        |   ✓   |     —    |    —   |
| Delete organization        |   ✓   |     —    |    —   |
| **Products**               |       |          |        |
| View products              |   ✓   |     ✓    |    ✓   |
| Create products            |   ✓   |     ✓    |    —   |
| Update products            |   ✓   |     ✓    |    —   |
| Delete products            |   ✓   |     ✓    |    —   |
| Edit share link            |   ✓   |     ✓    |    —   |
| Edit product automations   |   ✓   |     ✓    |    —   |
| Edit product policies      |   ✓   |     ✓    |    —   |
| Edit product integrations  |   ✓   |     ✓    |    —   |
| Edit product settings      |   ✓   |     ✓    |    —   |
| **SBOMs**                  |       |          |        |
| View SBOMs                 |   ✓   |     ✓    |    ✓   |
| Update SBOMs               |   ✓   |     ✓    |    —   |
| Delete SBOMs               |   ✓   |     ✓    |    —   |
| Edit SBOM components       |   ✓   |     ✓    |    —   |
| Edit vulnerabilities       |   ✓   |     ✓    |    —   |
| Edit checks                |   ✓   |     ✓    |    —   |
| Sign SBOMs                 |   ✓   |     ✓    |    —   |
| Reprocess SBOMs            |   ✓   |     ✓    |    —   |
| **Users**                  |       |          |        |
| View users                 |   ✓   |     ✓    |    ✓   |
| Invite users               |   ✓   |     ✓    |    —   |
| Edit user roles            |   ✓   |     ✓    |    —   |
| Edit teams                 |   ✓   |     ✓    |    —   |
| Delete users               |   ✓   |     ✓    |    —   |
| **Vulnerabilities**        |       |          |        |
| View feeds                 |   ✓   |     ✓    |    ✓   |
| Manage feeds               |   ✓   |     ✓    |    —   |
| Manage lists               |   ✓   |     ✓    |    —   |
| Manage custom fields       |   ✓   |     ✓    |    —   |
| **Licenses**               |       |          |        |
| View licenses              |   ✓   |     ✓    |    ✓   |
| Edit licenses              |   ✓   |     ✓    |    —   |
| **Policies**               |       |          |        |
| View policies              |   ✓   |     ✓    |    ✓   |
| Edit policies              |   ✓   |     ✓    |    —   |
| Run policy scans           |   ✓   |     ✓    |    —   |
| Delete policies            |   ✓   |     ✓    |    —   |
| **Support**                |       |          |        |
| View support               |   ✓   |     ✓    |    ✓   |
| Edit support               |   ✓   |     ✓    |    —   |
| Delete support             |   ✓   |     ✓    |    —   |
| View support levels        |   ✓   |     ✓    |    ✓   |
| Edit support levels        |   ✓   |     ✓    |    —   |
| Delete support levels      |   ✓   |     ✓    |    —   |
| **Vendor Management**      |       |          |        |
| View requests              |   ✓   |     ✓    |    ✓   |
| Edit requests              |   ✓   |     ✓    |    —   |
| **Connections**            |       |          |        |
| View connections           |   ✓   |     ✓    |    ✓   |
| Edit connections           |   ✓   |     ✓    |    —   |
| Delete connections         |   ✓   |     ✓    |    —   |
| **Notifications**          |       |          |        |
| View notification settings |   ✓   |     ✓    |    ✓   |
| Edit notification settings |   ✓   |     ✓    |    —   |
| **API Tokens**             |       |          |        |
| View API tokens            |   ✓   |     ✓    |    ✓   |
| Manage API tokens          |   ✓   |     ✓    |    —   |

### Use Cases for Default Roles

| Role         | Typical User                                             |
| ------------ | -------------------------------------------------------- |
| **Admin**    | Security team leads, platform owners, DevOps managers    |
| **Operator** | AppSec engineers, DevOps engineers, release managers     |
| **Viewer**   | Developers, compliance auditors, management stakeholders |

***

## Custom Roles

Custom roles allow you to define granular permission sets beyond the three defaults. Use custom roles to implement least-privilege access patterns.

### Creating Custom Roles

1. Navigate to **Settings > Organization > Roles**.
2. Click **Create Role**.
3. Enter a **Name** for the role (minimum 4 characters). Use a descriptive name like `AppSec Reviewer` or `CI Upload Agent`.
4. Select **Copy Permission From** to start with an existing role's permissions as a baseline.
5. Click **Create**.

The new role is created with the copied permission set. You can then adjust individual permissions as needed.

{% hint style="info" %}
Role names must be unique within the organization (case-insensitive).
{% endhint %}

### Deleting Custom Roles

1. Navigate to **Settings > Organization > Roles**.
2. Click the action menu on the role's row.
3. Select **Delete**.

{% hint style="warning" %}
Before deleting a custom role, reassign any users or service tokens that use it. Users with a deleted role will lose access until reassigned.
{% endhint %}

### Granular Permission Selection

Permissions are organized into categories. When creating or editing a custom role, select only the permissions required for the role's purpose. Refer to the permission matrix above for available permissions.

### Recommended Patterns

| Custom Role           | Permissions                                                                                                                       | Use Case                                                                        |
| --------------------- | --------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------- |
| **AppSec Reviewer**   | View organization, View products, View SBOMs, View policies, Edit vulnerabilities, View feeds, Manage feeds                       | Security analyst who triages vulnerabilities but does not manage infrastructure |
| **Compliance Viewer** | View organization, View products, View SBOMs, View policies, View licenses, View feeds                                            | Auditor or compliance officer with read-only access                             |
| **CI Upload Agent**   | View products, Create products, Update SBOMs, View API tokens, Manage API tokens                                                  | Service token role for CI/CD pipelines that only upload SBOMs                   |
| **Policy Manager**    | View organization, View products, View SBOMs, View policies, Edit policies, Run policy scans, Delete policies                     | User responsible for defining and maintaining security policies                 |
| **Integration Admin** | View organization, View connections, Edit connections, Delete connections, View notification settings, Edit notification settings | User responsible for managing integrations and notifications                    |

### Bulk Role Assignment

To assign a role to multiple users at once, use the **Bulk Apply** feature:

1. Navigate to **Settings > Organization > Roles**.
2. Select a role.
3. Use the bulk apply action to assign the role to selected users.

***

## Common Misconfigurations

| Issue                                   | Symptom                              | Fix                                                                   |
| --------------------------------------- | ------------------------------------ | --------------------------------------------------------------------- |
| Custom role missing critical permission | User cannot perform expected action  | Review the permission matrix and add the missing permission           |
| Service token assigned Admin role       | Excessive permissions for automation | Create a minimal custom role and reassign the token                   |
| All users assigned Admin                | No effective access control          | Implement role separation — most users should be Operators or Viewers |
| Custom role deleted while in use        | Affected users lose all access       | Reassign users to another role before deleting                        |
| Role name too short                     | Creation fails with validation error | Use at least 4 characters for role names                              |
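As an added example that is not Interlynk's own code, the Python script below models the rules stated under "Creating Custom Roles" and "Deleting Custom Roles" (a name of at least 4 characters, uniqueness ignoring case, copying a baseline role and then adjusting individual permissions, refusing to delete a role while users or service tokens still hold it) and then audits a set of assignments for the issues in the table above. The permission catalogue is a reduced subset of the permission matrix, the contents of the three system roles are derived from that matrix for this subset, and every user, service token, and custom role name in `demo()` is constructed sample data; Interlynk exposes no such module or API.

```python
"""Added example, not Interlynk's own code: models the custom-role rules
from "Creating Custom Roles" and audits assignments for the issues listed
under "Common Misconfigurations". Permission names are a subset of the
page's matrix; all principals and role names below are constructed."""
from dataclasses import dataclass

# Reduced subset of the permission matrix, grouped by category as on the page.
PERMISSIONS = {
    "Organization": {"View organization", "Update organization", "Delete organization"},
    "Products": {"View products", "Create products", "Update products", "Delete products"},
    "SBOMs": {"View SBOMs", "Update SBOMs", "Delete SBOMs", "Sign SBOMs"},
    "API Tokens": {"View API tokens", "Manage API tokens"},
}
ALL_PERMISSIONS = set().union(*PERMISSIONS.values())
VIEW_ONLY = {p for p in ALL_PERMISSIONS if p.startswith("View ")}

# System roles as the matrix assigns them for this subset: Admin has all,
# Operator all but the organization update/delete rows, Viewer the View rows.
SYSTEM_ROLES = {
    "Admin": set(ALL_PERMISSIONS),
    "Operator": ALL_PERMISSIONS - {"Update organization", "Delete organization"},
    "Viewer": set(VIEW_ONLY),
}


class RoleError(ValueError):
    """Raised when a role operation violates a rule stated on the page."""


@dataclass
class Assignment:
    principal: str  # user e-mail or service-token name (constructed)
    role: str
    kind: str  # "user" or "service_token"


class RoleStore:
    def __init__(self):
        self.roles = {name: set(perms) for name, perms in SYSTEM_ROLES.items()}

    def create_custom_role(self, name, copy_from, add=(), remove=()):
        """Create a role from a baseline ("Copy Permission From"), then adjust it."""
        if len(name.strip()) < 4:
            raise RoleError("role name must be at least 4 characters")
        if name.lower() in (existing.lower() for existing in self.roles):
            raise RoleError(f"role name {name!r} already exists (names are case-insensitive)")
        if copy_from not in self.roles:
            raise RoleError(f"unknown baseline role {copy_from!r}")
        unknown = (set(add) | set(remove)) - ALL_PERMISSIONS
        if unknown:
            raise RoleError(f"permissions not in the matrix: {sorted(unknown)}")
        perms = (set(self.roles[copy_from]) | set(add)) - set(remove)
        self.roles[name] = perms
        return perms

    def delete_role(self, name, assignments):
        """Delete a custom role, refusing while any user or token still holds it."""
        if name in SYSTEM_ROLES:
            raise RoleError(f"{name!r} is a system role and cannot be deleted")
        holders = [a.principal for a in assignments if a.role == name]
        if holders:
            raise RoleError(f"reassign {holders} before deleting {name!r}")
        del self.roles[name]


def audit_assignments(store, assignments):
    """Return findings matching the misconfiguration table on the page."""
    findings = []
    for a in assignments:
        if a.role not in store.roles:
            findings.append(f"{a.principal}: role {a.role!r} no longer exists; reassign")
        elif a.kind == "service_token" and a.role == "Admin":
            findings.append(f"{a.principal}: service token holds Admin; use a minimal custom role")
    users = [a for a in assignments if a.kind == "user"]
    if users and all(u.role == "Admin" for u in users):
        findings.append("every user is Admin: no effective access control")
    return findings


def demo():
    """Constructed walk-through; returns the results so they can be checked."""
    store = RoleStore()
    ci = store.create_custom_role(
        "CI Upload Agent", copy_from="Viewer",
        add={"Create products", "Update SBOMs"},
        remove={"View organization", "View API tokens"},
    )
    assignments = [
        Assignment("alice@example.test", "Admin", "user"),
        Assignment("bob@example.test", "Admin", "user"),
        Assignment("github-actions", "Admin", "service_token"),
        Assignment("legacy-scanner", "Old Scanner Role", "service_token"),
    ]
    return {"ci_perms": ci, "findings": audit_assignments(store, assignments)}


if __name__ == "__main__":
    for line in demo()["findings"]:
        print(line)
```

Running the script prints three findings for the constructed data: the service token holding Admin, the token whose role was deleted, and the absence of any non-Admin user. The `delete_role` guard is the programmatic form of the warning in "Deleting Custom Roles": an export of current assignments is checked before the role is removed, so nobody silently loses access.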

***

## Recommended Best Practices

* Start with the **Viewer** role and add permissions incrementally — it is easier to grant access than to revoke it.
* Create **dedicated service token roles** with only the permissions CI/CD pipelines need (e.g., SBOM upload and product view).
* Review role assignments **quarterly** as part of your security hygiene.
* Use **descriptive role names** that communicate purpose (e.g., `Release Engineer` rather than `Custom Role 1`).
* Document your custom roles and their intended use cases in your team's runbook.
* Avoid creating too many custom roles — consolidate where possible to reduce management overhead.
