Roles

In this section, you will find details about roles in the StackSpot Account.

In StackSpot, roles categorize users, or groups of users, and define what account permissions those users have, such as what data they can read or what account assets they can modify. When you grant permissions to roles, any user or group of users associated with that role receives that permission.

See the default StackSpot roles below:

Role	Description	Permissions
Account Holder	This role has permission to execute any action within the StackSpot Platform.	This role has access to all permissions in the StackSpot Platform
System Administrator	Manages the main functionalities of StackSpot as a system, for example, permission management, SSO, and SCM configuration. This role is supposed to help the Account Holder.	`create_studio`; `view_studio`; `view_private_studio`; `download_plugin`; `create_workspace`; `view_workspace`; `view_application`; `view_shared_infra`; `view_automatic_connection_interface`; `view_api`; `create_environment`; `update_environment`; `view_product`; `create_cloud_provider`; `update_cloud_provider`; `view_custom_cloud_account`; `create_custom_cloud_account`; `update_custom_cloud_account`; `delete_custom_cloud_account`; `view_managed_cloud_account`; `create_managed_cloud_account`; `update_managed_cloud_account`; `delete_managed_cloud_account`; `view_cloud_resource`; `download_studio_report`; `download_account_report`; `view_partner`; `update_partner`; `delete_partner`; `associate_shared_account`; `disassociate_shared_account`; `view_sso`; `create_sso`; `update_sso`; `create_group`; `update_group`; `delete_group`; `associate_group`; `disassociate_group`; `view_group`; `create_roles`; `update_roles`; `delete_roles`; `associate_roles`; `disassociate_roles`; `view_roles`; `associate_member`; `create_member`; `update_member`; `view_member`; `create_scm`; `view_scm`; `update_scm`; `create_invites`; `update_invites`; `delete_invites`; `view_credentials`; `create_credentials`; `delete_credentials`; `associate_credentials`; `disassociate_credentials`; `view_resource_type`; `view_personal_access_token`; `create_personal_access_token`
Account Administrator	This role has permission to help manage the entities in a StackSpot Account, such as Workspace, Studios and environments. But it does not have permission to make security and integration configurations, such as integrating SSO and SCM.	`create_studio`; `update_studio`; `delete_studio`; `view_studio`; `change_visibility_studio`; `associate_workspace_studio`; `disassociate_workspace_studio`; `view_private_studio`; `publish_plugin`; `unpublish_plugin`; `deprecate_plugin`; `delete_plugin`; `download_plugin`; `create_static_link`; `delete_static_link`; `publish_action`; `unpublish_action`; `deprecate_action`; `download_action`; `publish_stack`; `unpublish_stack`; `deprecate_stack`; `view_stack`; `create_stack`; `update_stack`; `setup_stack`; `deprecate_starter`; `create_workspace`; `update_workspace`; `delete_workspace`; `view_workspace`; `associate_stack`; `disassociate_stack`; `view_stack`; `create_application`; `delete_application`; `update_application`; `deploy_application`; `rollback_application`; `destroy_application`; `view_application`; `create_shared_infra`; `delete_shared_infra`; `update_shared_infra`; `deploy_shared_infra`; `rollback_shared_infra`; `destroy_shared_infra`; `view_shared_infra`; `view_automatic_connection_interface`; `view_api`; `create_api`; `update_api`; `delete_api`; `publish_api`; `unpublish_api`; `create_environment`; `update_environment`; `update_workspace_context`; `view_workspace_context`; `update_account_context`; `view_account_context`; `update_workspace_workflow`; `view_workspace_workflow`; `update_account_workflow`; `view_account_workflow`; `view_product`; `create_product`; `update_product`; `delete_product`; `create_cloud_provider`; `update_cloud_provider`; `view_custom_cloud_account`; `create_custom_cloud_account`; `update_custom_cloud_account`; `delete_custom_cloud_account`; `view_managed_cloud_account`; `create_managed_cloud_account`; `update_managed_cloud_account`; `delete_managed_cloud_account`; `view_alert`; `view_cloud_resource`; `download_studio_report`; `download_account_report`; `view_studio_dashboard`; `view_partner`; `update_partner`; `delete_partner`; `associate_api`; `disassociate_api`; `grant_access_api`; `view_grant_access_api`; `associate_product`; `disassociate_product`; `view_member`; `update_invite`; `view_resource_type`; `view_personal_access_token`; `create_personal_access_token`
Workspace Administrator	Manages one or more Workspaces. It defines standards (contexts), such as which Stacks can be used.	`view_studio`; `download_plugin`; `download_action`; `view_stack`; `update_workspace`; `delete_workspace`; `view_workspace`; `associate_stack`; `disassociate_stack`; `view_stack`; `create_application`; `delete_application`; `update_application`; `deploy_application`; `rollback_application`; `destroy_application`; `view_application`; `create_shared_infra`; `delete_shared_infra`; `update_shared_infra`; `deploy_shared_infra`; `rollback_shared_infra`; `destroy_shared_infra`; `view_shared_infra`; `create_connection_interface`; `view_automatic_connection_interface`; `view_api`; `create_api`; `update_api`; `publish_api`; `view_workspace_context`; `update_workspace_context`; `update_workspace_workflow`; `view_workspace_workflow`; `view_product`; `create_product`; `update_product`; `delete_product`; `create_cloud_provider`; `update_cloud_provider`; `view_custom_cloud_account`; `create_custom_cloud_account`; `update_custom_cloud_account`; `delete_custom_cloud_account`; `view_managed_cloud_account`; `create_managed_cloud_account`; `update_managed_cloud_account`; `delete_managed_cloud_account`; `view_cloud_resource`; `view_grant_access_api`; `view_member`; `view_resource_type`; `view_personal_access_token`; `create_personal_access_token`
Studio Administrator	Manages a studio, defining which stacks can be published for the account and which content can be deprecated or removed.	`update_studio`; `delete_studio`; `view_studio`; `change_visibility_studio`; `associate_workspace_studio`; `disassociate_workspace_studio`; `view_private_studio`; `unpublish_plugin`; `deprecate_plugin`; `download_plugin`; `create_static_link`; `delete_static_link`; `unpublish_action`; `deprecate_action`; `download_action`; `publish_stack`; `unpublish_stack`; `deprecate_stack`; `view_stack`; `create_stack`; `update_stack`; `setup_stack`; `deprecate_starter`; `view_workspace`; `view_custom_cloud_account`; `view_managed_cloud_account`; `view_cloud_resource`; `download_studio_report`; `view_studio_dashboard`; `view_member`; `view_personal_access_token`; `create_personal_access_token`
Content Creator	They are responsible for creating content in the Studio such as Plugins, Actions, and Stacks.	`view_studio`; `view_private_studio`; `download_plugin`; `create_static_link`; `delete_static_link`; `publish_stack`; `unpublish_stack`;`view_stack`; `create_stack`; `update_stack`; `setup_stack`; `deprecate_starter`; `view_workspace`; `download_studio_report`; `view_studio_dashboard`; `associate_member`; `view_member`; `view_personal_access_token`; `create_personal_access_token`
Developer (Dev)	Developers use content within Workspaces and can create applications.	`view_studio`; `download_plugin`; `download_action`; `view_stack`; `view_workspace`; `create_application`; `update_application`; `deploy_application`; `rollback_application`; `view_application`; `create_connection_interface`; `view_automatic_connection_interface`; `view_api`; `create_api`; `update_api`; `view_workspace_context`; `view_account_context`; `view_workspace_workflow`; `view_product`; `view_custom_cloud_account`; `view_managed_cloud_account`; `view_cloud_resource`; `download_studio_report`; `view_member`; `view_resource_type`; `view_personal_access_token`; `create_personal_access_token`
Site Reliability Engineer (SRE)	This role has permission to use content from Workspaces and can create Infrastructures.	`view_studio`;`download_plugin`; `download_action`; `view_stack`; `view_workspace`; `create_application`; `deploy_application`; `rollback_application`; `view_application`; `create_shared_infra`; `delete_shared_infra`; `update_shared_infra`; `deploy_shared_infra`; `rollback_shared_infra`; `view_shared_infra`; `create_connection_interface`; `view_automatic_connection_interface`; `view_api`; `create_api`; `update_api`; `update_workspace_context`; `view_workspace_context`; `view_workspace_workflow`; `view_product`; `view_custom_cloud_account`; `create_custom_cloud_account`; `update_custom_cloud_account`; `delete_custom_cloud_account`; `view_managed_cloud_account`; `create_managed_cloud_account`; `update_managed_cloud_account`; `delete_managed_cloud_account`; `view_alerts`; `view_cloud_resources`; `view_member`; `view_resource_type`; `view_personal_access_token`; `create_personal_access_token`
Partner Administrator	This role can manage the Partner Members from the Partner Account and their roles.	`view_workspace`; `view_api`; `view_product`; `associate_member`; `create_member`; `create_invite`; `update_invite`; `view_personal_access_token`; `create_personal_access_token`
Partner Member	This role can consume APIs and Products the StackSpot client made available to the Partner Account.	`view_workspace`; `view_api`; `view_product`; `create_invite`; `update_invite`; `view_personal_access_token`; `create_personal_access_token`

Even though there are default StackSpot roles, you can:

Customize roles permissions of existing roles;
Create a new role with different combinations of permissions.

Example

You can give Studio management permissions to a Dev, the most basic type of a StackSpot role.

Configure roles

Requirements

You must have Account Holder or SysAdmin permissions;

The permissions settings occur in the StackSpot portal. You can change the role (and its permission set) of members of an account.

Only roles that have access to permission settings can add and remove members from a given group.

info

Every member added to the Account starts as Dev.
Account members with their role changed must re-authenticate in the Portal and the CLI to update it.
A member can have more than one role.

To learn how to customize permissions, create new roles, and add roles to members of your Account, follow the steps below:

Customizing Roles

Step 1. Access the Account Portal directly via the link, or after logging into the StackSpot Portal, click on your profile avatar;

Step 2. Select the 'Organization' option from the displayed menu;

Step 3. In the main menu of the Account Portal, click on Access Management;

Step 4. Click on the 'Roles and Permissions' section;

Step 5. Click on the role type you want to change the permissions;

Step 6. Within the 'Permissions' tab, select the resource you want to turn an action on or off. For example:

Within the Developer role, select the 'Dashboard' resource and enable the 'view_studio' action.

Step 7. Enable or turn off the actions you want;

Step 8. Click 'Save'.

You've customized a role.

How to edit the name and description of a Role

Step 1. Access the Account Portal directly via the link, or after logging into the StackSpot Portal, click on your profile avatar;

Step 2. Select the 'Organization' option from the displayed menu;

Step 3. In the main menu of the Account Portal, click on Access Management;

Step 4. Click on the 'Roles and Permissions' section;

Step 5. Click on the role type you want to change the name and description;

Step 6. Click on the edit button on the top right side of the screen;

Step 7. Edit the information and click 'Save'.

Create roles

You can also create roles according to your organization's needs. To do this, follow the steps below:

Step 1. Access the Account Portal directly via the link, or after logging into the StackSpot Portal, click on your profile avatar;

Step 2. Select the 'Organization' option from the displayed menu;

Step 3. In the main menu of the Account Portal, click on Access Management;

Step 4. Click on the 'Roles and Permissions' section;

Step 5. Click on the 'Create role' button;

Step 6. Type the name and description you want to give the new role;

Step 7. Search for the name of the role you created in the search bar and click on it.

Step 8. Within the 'Permissions' tab, select the feature you want to turn an action for on or off. For example:

Select the 'Dashboard' resource and enable the 'view_studio' action.

Repeat the process until you have enabled all the permissions you want.

Step 9. Click on the 'Save' button;

You've created a new role for your organization.

How to delete a Role

Step 1. Access the Account Portal directly via the link, or after logging into the StackSpot Portal, click on your profile avatar;

Step 2. Select the 'Organization' option from the displayed menu;

Step 3. In the main menu of the Account Portal, click on Access Management;

Step 4. Click on the 'Roles and Permissions' section;

Step 5. Search for the Role you want to delete;

Step 6. Click on the 'Remove' button next to it.

Next Steps

See how to add roles to Groups;
See how to add roles directly to an account member;
See all Permissions from StackSpot.