Role Management
Interlynk uses role-based access control (RBAC) to govern what users and service tokens can do within an organization. Three system roles are provided by default, and administrators can create custom roles with granular permissions.
Default Roles
Interlynk ships with three system roles that cannot be modified or deleted:
Admin
Full access to all features and settings. Can manage users, roles, integrations, and organization configuration.
Operator
Can manage products, SBOMs, policies, integrations, and users. Cannot delete the organization or modify billing.
Viewer
Read-only access to products, SBOMs, vulnerabilities, policies, and user lists. Cannot make changes.
Permissions associated with default roles Admin, Operator, and Viewer are read-only and cannot be modified.
Permission Matrix
The table below lists all permissions and their assignment across default roles.
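| Category | Permission | Admin | Operator | Viewer |
| --- | --- | --- | --- | --- |
| Organization | View organization | β | β | β |
| Organization | Update organization | β | β | β |
| Organization | Delete organization | β | β | β |
| Products | View products | β | β | β |
| Products | Create products | β | β | β |
| Products | Update products | β | β | β |
| Products | Delete products | β | β | β |
| Products | Edit share link | β | β | β |
| Products | Edit product automations | β | β | β |
| Products | Edit product policies | β | β | β |
| Products | Edit product integrations | β | β | β |
| Products | Edit product settings | β | β | β |
| SBOMs | View SBOMs | β | β | β |
| SBOMs | Update SBOMs | β | β | β |
| SBOMs | Delete SBOMs | β | β | β |
| SBOMs | Edit SBOM components | β | β | β |
| SBOMs | Edit vulnerabilities | β | β | β |
| SBOMs | Edit checks | β | β | β |
| SBOMs | Sign SBOMs | β | β | β |
| SBOMs | Reprocess SBOMs | β | β | β |
| Users | View users | β | β | β |
| Users | Invite users | β | β | β |
| Users | Edit user roles | β | β | β |
| Users | Edit teams | β | β | β |
| Users | Delete users | β | β | β |
| Vulnerabilities | View feeds | β | β | β |
| Vulnerabilities | Manage feeds | β | β | β |
| Vulnerabilities | Manage lists | β | β | β |
| Vulnerabilities | Manage custom fields | β | β | β |
| Licenses | View licenses | β | β | β |
| Licenses | Edit licenses | β | β | β |
| Policies | View policies | β | β | β |
| Policies | Edit policies | β | β | β |
| Policies | Run policy scans | β | β | β |
| Policies | Delete policies | β | β | β |
| Support | View support | β | β | β |
| Support | Edit support | β | β | β |
| Support | Delete support | β | β | β |
| Support | View support levels | β | β | β |
| Support | Edit support levels | β | β | β |
| Support | Delete support levels | β | β | β |
| Vendor Management | View requests | β | β | β |
| Vendor Management | Edit requests | β | β | β |
| Connections | View connections | β | β | β |
| Connections | Edit connections | β | β | β |
| Connections | Delete connections | β | β | β |
| Notifications | View notification settings | β | β | β |
| Notifications | Edit notification settings | β | β | β |
| API Tokens | View API tokens | β | β | β |
| API Tokens | Manage API tokens | β | β | β |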
Use Cases for Default Roles
Admin
Security team leads, platform owners, DevOps managers
Operator
AppSec engineers, DevOps engineers, release managers
Viewer
Developers, compliance auditors, management stakeholders
Custom Roles
Custom roles allow you to define granular permission sets beyond the three defaults. Use custom roles to implement least-privilege access patterns.
Creating Custom Roles
Navigate to Settings > Organization > Roles.
Click Create Role.
Enter a Name for the role (minimum 4 characters). Use a descriptive name like AppSec Reviewer or CI Upload Agent.
Select Copy Permission From to start with an existing role's permissions as a baseline.
Click Create.
The new role is created with the copied permission set. You can then adjust individual permissions as needed.
Role names must be unique within the organization (case-insensitive).
Deleting Custom Roles
Navigate to Settings > Organization > Roles.
Click the action menu on the role's row.
Select Delete.
Before deleting a custom role, reassign any users or service tokens that use it. Users with a deleted role will lose access until reassigned.
Granular Permission Selection
Permissions are organized into categories. When creating or editing a custom role, select only the permissions required for the role's purpose. Refer to the permission matrix above for available permissions.
Recommended Patterns
| Role | Permissions | Use case |
| --- | --- | --- |
| AppSec Reviewer | View organization, View products, View SBOMs, View policies, Edit vulnerabilities, View feeds, Manage feeds | Security analyst who triages vulnerabilities but does not manage infrastructure |
| Compliance Viewer | View organization, View products, View SBOMs, View policies, View licenses, View feeds | Auditor or compliance officer with read-only access |
| CI Upload Agent | View products, Create products, Update SBOMs, View API tokens, Manage API tokens | Service token role for CI/CD pipelines that only upload SBOMs |
| Policy Manager | View organization, View products, View SBOMs, View policies, Edit policies, Run policy scans, Delete policies | User responsible for defining and maintaining security policies |
| Integration Admin | View organization, View connections, Edit connections, Delete connections, View notification settings, Edit notification settings | User responsible for managing integrations and notifications |
Bulk Role Assignment
To assign a role to multiple users at once, use the Bulk Apply feature:
Navigate to Settings > Organization > Roles.
Select a role.
Use the bulk apply action to assign the role to selected users.
Common Misconfigurations
| Misconfiguration | Impact | Fix |
| --- | --- | --- |
| Custom role missing critical permission | User cannot perform expected action | Review the permission matrix and add the missing permission |
| Service token assigned Admin role | Excessive permissions for automation | Create a minimal custom role and reassign the token |
| All users assigned Admin | No effective access control | Implement role separation; most users should be Operators or Viewers |
| Custom role deleted while in use | Affected users lose all access | Reassign users to another role before deleting |
| Role name too short | Creation fails with validation error | Use at least 4 characters for role names |
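The misconfigurations listed above can be checked mechanically during a periodic access review. The following is an added example, not Interlynk's own code or API: the inventory layout (dictionaries with `name`, `kind`, `role`) and the sample data are assumptions constructed for illustration, since this page defines no export format.

```python
# Added example: audit a role inventory for the misconfigurations listed above.
# The data layout is hypothetical; it is not an Interlynk export format or API.

SYSTEM_ROLES = {"admin", "operator", "viewer"}  # default roles named on this page
MIN_ROLE_NAME_LEN = 4                           # minimum length stated on this page


def validate_role_name(name, existing):
    """Return validation errors for a proposed custom role name."""
    errors = []
    if len(name) < MIN_ROLE_NAME_LEN:
        errors.append("name shorter than 4 characters")
    # Role names must be unique within the organization, case-insensitively.
    if name.lower() in {e.lower() for e in existing}:
        errors.append("name already in use (case-insensitive)")
    return errors


def audit(roles, principals):
    """roles: custom role names that exist; principals: users and service tokens."""
    defined = {r.lower() for r in roles} | SYSTEM_ROLES
    findings = []
    for p in principals:
        role = p["role"].lower()
        if role not in defined:
            # Custom role deleted while still assigned.
            findings.append((p["name"], "role no longer exists; no access until reassigned"))
        elif p["kind"] == "service_token" and role == "admin":
            findings.append((p["name"], "service token holds Admin; use a minimal custom role"))
    users = [p for p in principals if p["kind"] == "user"]
    if users and all(u["role"].lower() == "admin" for u in users):
        findings.append(("*", "all users are Admin; no effective access control"))
    return findings


# Constructed sample data, not taken from a real organization.
ROLES = ["AppSec Reviewer", "CI Upload Agent"]
PRINCIPALS = [
    {"name": "alice", "kind": "user", "role": "Admin"},
    {"name": "bob", "kind": "user", "role": "Release Engineer"},  # role was deleted
    {"name": "ci-pipeline", "kind": "service_token", "role": "Admin"},
]

if __name__ == "__main__":
    for who, issue in audit(ROLES, PRINCIPALS):
        print(f"{who}: {issue}")
    print(validate_role_name("ci upload agent", ROLES))
```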
Recommended Best Practices
Start with the Viewer role and add permissions incrementally: it is easier to grant access than to revoke it.
Create dedicated service token roles with only the permissions CI/CD pipelines need (e.g., SBOM upload and product view).
Review role assignments quarterly as part of your security hygiene.
Use descriptive role names that communicate purpose (e.g., Release Engineer rather than Custom Role 1).
Document your custom roles and their intended use cases in your team's runbook.
Avoid creating too many custom roles; consolidate where possible to reduce management overhead.