Roles

In this section, you will find details about roles in the StackSpot Account.

In StackSpot, roles categorize users, or groups of users, and define what account permissions those users have, such as what data they can read or what account assets they can modify. When you grant permissions to roles, any user or group of users associated with that role receives that permission.

See the default StackSpot roles below:

Role	Description	Permissions
Account Holder (`account_holder`)	This role has permission to execute any action within the StackSpot Platform.	This role has access to all permissions in the StackSpot Platform
System Administrator (`sys_admin`)	Manages the main functionalities of StackSpot as a system, for example, permission management, SSO, and SCM configuration. This role is supposed to help the Account Holder.	`studio:view`; `studio:view_private`; `plugin:download`; `action:download`; `documentation:view`; `workspace:create`; `workspace:view`; `application:view`; `shared_infra:view`; `connection_interface:view`; `api:view`; `api:create`; `api:update`;`environment:create`; `environment:update`;`product:view`; `cloud_provider:create`;`cloud_provider:update`; `managed_cloud_account:view`; `managed_cloud_account:create`;`connection_interface:view`; `cloud_resource:view`;`custom_cloud_account:create`; `custom_cloud_account:update`;`finops_reports:view`; `support:view`; `support:open`; `support:close`; `support:view_org`; `guardrail_status:view`; `external_invite:associate`;`group:associate`; `group:create`;`group:update`; `group:delete`; `group:disassociate`; `roles:associate`; `roles:disassociate`; `member:associate`; `member:create`; `member:update`; `scm:create`; `scm:view`; `scm:update`;`user_scm:view`; `user_scm:create`; `scm:update`; `scm:update`; `invite:delete`; `scm:update`; `scm:update`; `user_scm:update`; `credentials:create`; `credentials:update`; `credentials:delete`; `credentials:associate`; `credentials:disassociate`; `pat:view`; `pat:create`;`resource:view`; `partner:create`; `permission:view`; `stack:view`;`finops_reports:view`; `finops_contract:create`; `finops_contract:view`;`finops_contract:update`; `finops_billing_account:create`; `finops_billing_account:view`;`finops_billing_account:update`; `finops_allocation_cost:view`; `finops_export:download`;`connection_interface:view_secret`; `workflow:invoke`; `account_workflow:create`; `account_workflow:delete`; `account_workflow_context:view`; `account_workflow_context:update`; `workspace_workflow_context:view`;`workspace_workflow_context:update`; `user_scm:view`; `user_scm:delete`;`feature_flag:associate`; `feature_flag:disassociate`; `apiv2:view`;`monitoring:view`; `account:update`; `account_variable:view`;`account_variable:create`; `account_variable:update`; `account_variable:delete`; `workflow:download`; `foundation:create`; `foundation:update`; `foundation:delete`; `member:view_secret`; `account:view_secret`; `member:view_details`; `feature_flag:associate`; `studio:view`; `studio:view`; `studio:view`; `studio:view`.
Account Administrator (`account_admin`)	This role has permission to help manage the entities in a StackSpot Account, such as Workspace, Studios and environments. But it does not have permission to make security and integration configurations, such as integrating SSO and SCM.	`studio:create`; `studio:update`; `studio:delete`; `studio:view`; `studio:change_visibility`; `studio:associate_workspace`; `studio:disassociate_workspace`;`studio:view_private`; `plugin:publish`; `plugin:unpublish`; `plugin:deprecate`; `plugin:download`; `action:deprecate`; `action:download`; `action:publish`;`action:unpublish`; `stack:publish`; `stack:unpublish`; `stack:deprecate`;`stack:view`; `stack:create`; `stack:update`; `stack:setup`; `starter:deprecate`;`documentation:view`; `documentation:update`; `workspace:create`;`workspace:update`; `workspace:delete`; `workspace:view`; `stack:associate`; `stack:disassociate`; `stack:view`; `application:create`; `application:delete`;`application:update`; `application:deploy`; `application:rollback`;`application:view`; `shared_infra:create`; `shared_infra:delete`;`connection_interface:update`; `connection_interface:view`;`automatic_connection_interface:view`; `api:view`; `api:create`; `api:update`;`api:publish`; `api:unpublish`; `environment:create`; `environment:update`;`workspace_context:update`; `workspace_context:view`; `account_context:update`; `account_context:view`; `account_context:view`; `workspace_workflow:update`; `workspace_workflow:view`; `account_workflow:update`;`account_workflow:view`; `product:view`;`product:create`; `product:update`; `product:delete`;`product:publish`; `product:unpublish`; `cloud_provider:create`;`cloud_provider:update`; `custom_cloud_account:view`;`custom_cloud_account:create`; `custom_cloud_account:update`;`custom_cloud_account:delete`; `managed_cloud_account:view`;`managed_cloud_account:create`; `managed_cloud_account:disconnect`;`alerts:view`;`cloud_resource:view`; `report:download_studio`; `report:download_account`;`dashboard:view_studio`; `finops_reports:view`; `support:view`; `support:open`;`support:close`; `support:view_org`;`guardrail_status:view`;`partner:view`;`partner:update`; `partner:delete`; `api:associate`; `api:disassociate`;`api:grant_access`; `api:view_grant_access`; `product:associate`;`product:disassociate`; `user_scm:view`; `user_scm:create`; `user_scm:update`;`resource_type:view`; `pat:view`; `pat:create`; `stack:view`;`finops_reports:view`;`finops_contract:create`;`finops_contract:view`;`finops_contract:update`; `finops_billing_account:create`;`finops_billing_account:view`; `finops_billing_account:update`;`finops_allocation_cost:view`; `finops_export:download`;`connection_interface:view_secret`; `workflow:invoke`; `documentation:create`;`account_workflow:create`; `account_workflow:delete`;`account_workflow_context:view`; `account_workflow_context:update`;`workspace_workflow_context:view`; `workspace_workflow_context:update`;`user_scm:view`; `user_scm:delete`; `plugin:publish`; `action:publish`;`apiv2:create`; `apiv2:update`; `workspace_variable:create`;`workspace_variable:update`; `workspace_variable:view`; `resource:delete`;`plugin:usage_insights`; `stack:usage_insights`; `application:destroy`;`shared_infra:destroy`; `monitoring:view`; `account_variable:view`;`account_variable:create`; `account_variable:update`; `account_variable:delete`;`workflow:publish`; `workflow:download`; `runtime:view`; `deployment:view`;`deployment:create`; `workflow:unpublish`; `workflow:approve`;`organization:view`; `extension:view`; `member:view_secret`;`member:update_secret`; `member:delete_secret`; `member:create_secret`;`workspace:view_secret`; `workspace:update_secret`; `workspace:delete_secret`;`workspace:create_secret`; `account:view_secret`; `account:update_secret`;`account:delete_secret`; `account:create_secret`; `stack:archive`;`encryption:create`; `encryption:view`; `rate_limit_account:view`;`rate_limit_account:update`; `rate_limit_sc:view`; `rate_limit_sc:update`;`sso:setup`; `action:archive`; `workflow:usage_insights`; `member:view_details`;`workflow:archive`; `catalog_schema:create`; `catalog_schema:view`;`catalog_schema:update`; `catalog_schema:delete`; `catalog_schema:active`; `catalog_entry:create`; `catalog_entry:view`; `catalog_entry:update`; `catalog_entry:delete`.
Workspace Administrator (`workspace_admin`)	Manages one or more Workspaces. It defines standards (contexts), such as which Stacks can be used.	`studio:view`; `plugin:download`; `action:download`; `stack:view`; `documentation:view`; `workspace:create`; `workspace:update`; `workspace:delete`; `workspace:view`; `stack:associate`; `stack:disassociate`; `stack:view`; `application:create`; `application:delete`; `application:update`; `application:deploy`; `application:rollback`; `application:view`; `shared_infra:create`; `shared_infra:delete`; `shared_infra:update`; `shared_infra:deploy`; `shared_infra:rollback`; `shared_infra:destroy`; `shared_infra:view`; `connection_interface:create`; `connection_interface:delete`; `connection_interface:view`; `automatic_connection_interface:view`; `api:view`; `api:create`; `api:update`; `api:publish`; `workspace_context:update`; `workspace_context:view`; `workspace_workflow:view`; `account_workflow:view`; `product:view`; `product:publish`; `cloud_provider:update`; `custom_cloud_account:view`; `managed_cloud_account:view`; `managed_cloud_account:create`; `managed_cloud_account:disconnect`; `alerts:view`; `cloud_resource:view`; `support:view`; `support:open`; `support:close`; `api:view_grant_access`; `scm:create`; `user_scm:view`; `user_scm:create`; `user_scm:update`; `resource_type:view`; `pat:view`; `pat:create`; `stack:view`; `account_workflow_context:view`; `workspace_workflow_context:view`; `workspace_workflow_context:update`; `apiv2:create`; `apiv2:update`; `apiv2:view`; `apiv2:consume`; `workspace_variable:create`; `workspace_variable:update`; `workspace_variable:view`; `application:archive`; `application:destroy`; `shared_infra:destroy`; `account_variable:view`; `workflow:download`; `foundation:view`; `member:view_secret`; `workspace:view_secret`; `account:view_secret`; `catalog_schema:view`; `catalog_entry:create`; `catalog_entry:view`; `catalog_entry:update`; `catalog_entry:delete`; `spot:update_secret`.
Studio Administrator (`studio_admin`)	Manages a studio, defining which stacks can be published for the account and which content can be deprecated or removed.	`studio:update`; `studio:delete`; `studio:view`; `studio:change_visibility`; `studio:associate_workspace`; `studio:disassociate_workspace`; `studio:view_private`; `plugin:unpublish`; `plugin:deprecate`; `plugin:download`; `static_link:create`; `static_link:delete`; `action:unpublish`; `action:deprecate`; `action:download`; `stack:publish`; `stack:unpublish`; `stack:deprecate`; `stack:view`; `stack:create`; `stack:update`; `stack:setup`; `starter:deprecate`; `documentation:view`; `documentation:update`; `workspace:view`; `managed_cloud_account:view`; `cloud_resource:view`; `report:download_studio`; `dashboard:view_studio`; `support:view`; `support:open`; `support:close`; `user_scm:view`; `user_scm:create`; `user_scm:update`; `pat:view`; `pat:create`; `stack:view`; `user_scm:view`; `user_scm:delete`; `apiv2:view`; `apiv2:consume`; `application:archive`; `plugin:usage_insights`; `stack:usage_insights`; `monitoring:view`; `account_variable:view`; `workflow:publish`; `workflow:download`; `workflow:unpublish`; `foundation:view`; `member:view_secret`; `workspace:view_secret`; `account:view_secret`; `account:update_secret`; `stack:archive`; `plugin:archive`; `action:archive`; `workflow:usage_insights`; `customized_workflow:publish`; `customized_workflow:deprecate`; `customized_workflow:unpublish`; `spot:view_secret`; `member:view_secret`.
Content Creator (`creator`)	They are responsible for creating content in the Studio such as Plugins, Actions, and Stacks.	`studio:view`; `studio:view_private`; `plugin:download`; `static_link:create`; `static_link:delete`; `action:download`; `stack:publish`; `stack:view`; `stack:create`; `stack:update`; `stack:setup`; `starter:deprecate`; `documentation:view`; `documentation:update`; `workspace:view`; `workspace_workflow:view`; `report:download_studio`; `dashboard:view_studio`; `user_scm:view`; `user_scm:create`; `user_scm:update`; `pat:view`; `pat:create`; `user_scm:view`; `user_scm:delete`; `plugin:publish`; `action:publish`; `apiv2:view`; `apiv2:consume`; `plugin:usage_insights`; `stack:usage_insights`; `account_variable:view`; `workflow:download`; `member:view_secret`; `workspace:view_secret`.
Developer (`dev`)	Developers use content within Workspaces and can create applications.	`studio:view`; `plugin:download`; `action:download`; `stack:view`; `documentation:view`; `workspace:view`; `stack:view`; `application:create`; `application:update`; `application:deploy`; `application:rollback`; `application:view`; `shared_infra:view`; `connection_interface:create`; `connection_interface:view`; `automatic_connection_interface:view`; `api:view`; `api:create`; `api:update`; `workspace_context:view`; `workspace_workflow:view`; `account_workflow:view`; `managed_cloud_account:view`; `alerts:view`; `cloud_resource:view`; `report:download_studio`; `support:view`; `support:open`; `support:close`; `user_scm:view`; `user_scm:create`; `user_scm:update`; `resource_type:view`; `pat:view`; `pat:create`.
Site Reliability Engineer (`sre`)	This role has permission to use content from Workspaces and can create Infrastructures.	`studio:view`;`plugin:download`; `action:download`; `stack:view`; `documentation:view`; `workspace:view`; `application:create`; `application:deploy`; `application:rollback`; `application:view`; `shared_infra:create`; `shared_infra:delete`; `shared_infra:update`; `shared_infra:deploy`; `shared_infra:rollback`; `shared_infra:view`; `connection_interface:create`; `connection_interface:view`; `api:view`; `api:create`; `api:update`; `workspace_context:update`; `workspace_context:view`; `workspace_workflow:view`; `custom_cloud_account:view`; `custom_cloud_account:create`; `custom_cloud_account:update`; `custom_cloud_account:delete`; `managed_cloud_account:view`; `managed_cloud_account:create`; `managed_cloud_account:disconnect`; `alerts:view`; `cloud_resource:view`; `support:view`; `support:open`; `support:close`; `guardrail_status:view`; `guardrail_status:create`; `user_scm:view`; `user_scm:create`; `user_scm:update`; `resource_type:view`; `pat:view`; `pat:create`; `user_scm:view`; `user_scm:delete`; `apiv2:view`; `apiv2:consume`; `account_variable:view`; `workflow:download`; `foundation:view`; `member:view_secret`; `workspace:view_secret`; `account:view_secret`; `spot:view_secret`.
Partner Administrator (`partner_admin`)	This role can manage the Partner Members from the Partner Account and their roles.	`api:view`; `product:view`; `partner:view`; `api:view_grant_access`; `member:create`; `member:view`; `invite:create`; `invite:view`; `client_application:create`; `client_application:view`; `api:view`; `user_scm:view`; `user_scm:delete`; `apiv2:consume`; `account_variable:view`; `member:view_secret`; `workspace:view_secret`; `account:view_secret`.
Partner Member (`partner_member`)	This role can consume APIs and Products the StackSpot client made available to the Partner Account.	``api:view`;` product:view`;` partner:view`;` api:view_grant_access`;` member:view`;` invite:view`;` client_application:view`;` api:view`;` user_scm:view`;` user_scm:delete`;` apiv2:consume`;` account_variable:view`;` member:view_secret`;` workspace:view_secret`;` account:view_secret`.
Member (`member`)	This role can view, update, delete and create secrets.	`studio:view`; `plugin:download`; `action:download`; `stack:view`; `workspace:view`; `application:deploy`; `application:rollback`; `shared_infra:deploy`; `shared_infra:rollback`; `connection_interface:create`; `support:view`; `support:open`; `user_scm:view`; `user_scm:create`; `user_scm:update`; `pat:view`; `pat:create`; `user_scm:view`; `user_scm:delete`; `user_scm:delete`; `apiv2:consume`; `account_variable:view`; `workflow:download`; `member:view_secret`; `account:view_secret`.

warning

In certain roles, you may have permission to view Stacks, but you might not be able to view Studios. This restriction exists because, to access a Studio, your role must include specific permissions that allow access to one or more Studios.

Even though there are default StackSpot roles, you can:

Customize roles permissions of existing roles;
Create a new role with different combinations of permissions.

Example

You can give Studio management permissions to a Dev, the most basic type of a StackSpot role.

Configure roles

Requirements

You must have Account Holder or SysAdmin permissions;

The permissions settings occur in the StackSpot portal. You can change the role (and its permission set) of members of an account.

Only roles that have access to permission settings can add and remove members from a given group.

info

Every member added to the Account starts as Dev.
Account members with their role changed must re-authenticate in the Portal and the CLI to update it.
A member can have more than one role.

To learn how to customize permissions, create new roles, and add roles to members of your Account, follow the steps below:

Customizing Roles

Step 1. Access the Account Portal directly via the link, or after logging into the StackSpot Portal, click on your profile avatar;

Step 2. Click on 'Organization' option;

Step 3. Click on Access Management;

Step 4. Navigate to the 'Roles and Permissions' section;

Step 5. Click on the role type for which you want to change the permissions;

Step 6. In the 'Permissions' tab, select the resource for which you want to enable or disable actions. For example:

For the Developer role, select the 'Dashboard' resource and enable the 'view_studio' action.

Step 7. Turn on or off the actions you want;

You've customized a role.

How to edit the name and description of a Role

Step 1. Access the Account Portal directly via the link, or after logging into the StackSpot Portal, click on your profile avatar;

Step 2. Click on 'Organization' option;

Step 3. Now click on 'Access Management';

Step 4. Navigate to the 'Roles and Permissions' section;

Step 5. Click on the role type you wish to edit for the name and description;

Step 6. Click on the edit button;

Step 7. Make your changes, then click 'Submit'.

Create roles

You can also create roles according to your Organization's needs. To do this, follow the steps below:

Step 1. Access the Account Portal directly via the link, or after logging into the StackSpot Portal, click on your profile avatar;

Step 2. Click the 'Organization' option;

Step 3. Now, click on Access Management;

Step 4. Click on the 'Roles and Permissions' section;

Step 5. Click on the 'Create role' button;

Step 6. Enter the name and description you want to assign to the new role.

Step 7. Use the search bar to find the role you just created, and click on it;

Step 8. In the 'Permissions' tab, select the feature for which you want to enable or disable actions. For example:

Select the 'Dashboard' resource and enable the 'view_studio' action.

Repeat this process until you have enabled all the desired permissions.

You've created a new role for your Organization.

How to delete a Role

Step 1. Access the Account Portal directly via the link, or after logging into the StackSpot Portal, click on your profile avatar;

Step 2. Click on the 'Organization' option;

Step 3. Navigate to the Access Management section;

Step 4. Click on the 'Roles and Permissions' section;

Step 5. Search for the Role you want to delete;

Step 6. Click the 'Remove' button next to the selected role;

Step 7. To confirm, click the ''Delete role button.

You've deleted a role for your Organization.

Next Steps

See how to add roles to Groups;
See how to add roles directly to an account member;
See all Permissions from StackSpot.