Skip to content
varsafe
Esc
navigateopen⌘Jpreview
On this page

Roles & Permissions

The six team roles, what each can do, and how protected environments change secret access.

Every team member has exactly one role. Roles control three things: secret access (read/write, per environment), team management (members, settings, API tokens), and billing. Use this page to pick the least-privileged role that covers what a member needs.

The Six Roles

Role Summary
Owner Full access including team deletion and ownership transfer
Admin Full access to secrets, environments, and team management
Developer Read/write secrets in non-protected environments, read-only in protected
Operator Read-only access to all environments including protected
Viewer Read-only access to non-protected environments
Billing Billing management only — no access to secrets

Permission Matrix

Secrets

Role Non-Protected Environments Protected Environments
Owner Read/Write Read/Write
Admin Read/Write Read/Write
Developer Read/Write Read-only
Operator Read-only Read-only
Viewer Read-only No access
Billing No access No access

“Write” covers creating, updating, deleting, and rotating secrets, plus environment rollback.

Team and Account Management

Capability Owner Admin Developer Operator Viewer Billing
Manage members, invites, and team settings Yes Yes No No No No
Create, rotate, and revoke API tokens Yes Yes No No No No
Manage billing (checkout, portal, billing email) Yes Yes No No No Yes
Transfer team ownership Yes No No No No No
Delete the team Yes No No No No No

Protected Environments

Any environment can be marked protected in its settings. In a newly created project, production is protected by default.

Protection restricts writes to owners and admins and narrows read access:

  • Developer — keeps read access, loses write access
  • Operator — read access everywhere is unchanged (already read-only)
  • Viewer — loses access entirely (protected environments are hidden)

Use protection for any environment where an accidental change has production impact.

Assigning Roles

  • Roles are assigned when inviting a member and can be changed later from the team page by an owner or admin
  • The default role for a new invite is developer
  • Owner is not assignable. Every team has exactly one owner — the assignable roles are admin, developer, operator, viewer, and billing

Ownership Transfer

The owner can transfer ownership to another member from the team settings. After the transfer, the previous owner becomes an admin, and the change is recorded in the audit log as a team.ownership_transferred event.

Deactivated Members

A deactivated member keeps their role but loses all access — secret reads and writes, team management, and billing — until reactivated. Deactivation and reactivation are recorded in the audit log.

API Tokens Are Not Role-Scoped

API tokens do not carry a member role. A token grants read/write access to the secrets of its team, optionally narrowed to specific projects and environments. Only owners and admins can create or manage tokens.