Roles and Permissions

Overview

Bytebase employs RBAC (Role-Based-Access-Control) and provides two role sets at the workspace and project level:

  • Workspace roles: Admin, DBA, Member.
  • Project roles: Owner, Developer, Releaser, Querier, Exporter, Viewer.

The workspace role maps to the role in an organization, while the project level role maps to the role in a specific team or project. Every user is assigned a workspace role, and if a particular user is involved in a particular project, then she will also be assigned a project role accordingly.

org-role-mapping

Above diagram describes the mapping between an engineering org and the corresponding roles in the Bytebase workspace. Note, a particular user can be assigned multiple roles as well:

  • A user can only be assigned one of the workspace roles.
  • In a particular project, a user can be assigned one of the project roles, while a user can be assigned different project roles in the different projects.

Real-world scenarios:

  • Organizations may not establish a dedicated DBA or platform engineering group. In such case, usaually the application engineering group head and the tech leads will wear those hats. Say a user named Alice can be a Workspace DBA and a Project Owner for Project Apollo at the same time.

  • An application developer could be involved in multiple projects. In such case, that engineer would also be assigned project roles in different projects respectively. Say a user named Bob can be a Workspace Member, a Project Owner for Project Apollo and a Project Developer for Project Mars at the same time.

Workspace roles

By default, the first registered user is granted the Admin role, all following registered users are granted Member role. Admin can update any user's role later.

Workspace PermissionMemberDBAAdmin
Change own name and passwordโœ”๏ธโœ”๏ธโœ”๏ธ
Add new userโœ”๏ธ
View all usersโœ”๏ธโœ”๏ธโœ”๏ธ
Change any user's roleโœ”๏ธ
De-activate/re-activate userโœ”๏ธ
Change any user's name and passwordโœ”๏ธ
Add environmentโœ”๏ธโœ”๏ธ
View all environmentsโœ”๏ธโœ”๏ธโœ”๏ธ
Edit environmentโœ”๏ธโœ”๏ธ
Reorder environmentโœ”๏ธโœ”๏ธ
Archive environmentโœ”๏ธโœ”๏ธ
View all instancesโœ”๏ธโœ”๏ธ
Add instanceโœ”๏ธโœ”๏ธ
Edit instanceโœ”๏ธโœ”๏ธ
Archive instanceโœ”๏ธโœ”๏ธ
Sync instance schemaโœ”๏ธโœ”๏ธ
Create databaseโœ”๏ธโœ”๏ธ
View all databasesโœ”๏ธโœ”๏ธ
Create projectโœ”๏ธโœ”๏ธโœ”๏ธ
View all projectsโœ”๏ธโœ”๏ธ
Create issueโœ”๏ธโœ”๏ธโœ”๏ธ
View all issuesโœ”๏ธโœ”๏ธ
Become issue assigneeโœ”๏ธโœ”๏ธ
Re-assign issueโœ”๏ธโœ”๏ธ
Add comment to all issuesโœ”๏ธโœ”๏ธโœ”๏ธ
Subscribe to all issuesโœ”๏ธโœ”๏ธโœ”๏ธ
Alter schemaโœ”๏ธโœ”๏ธโœ”๏ธ
Change dataโœ”๏ธโœ”๏ธโœ”๏ธ
Configure SQL Review Policyโœ”๏ธโœ”๏ธ
Manage version control system (VCS)โœ”๏ธ
Manage sensitive dataโœ”๏ธโœ”๏ธ
Manage database acccess controlโœ”๏ธโœ”๏ธ
Manage IM integrationโœ”๏ธ
Change logoโœ”๏ธ

Project roles

Any user can create project. By default, the project creator is granted the Project Owner role. Workspace DBA and Workspace Admin assume the Project Owner role for all projects.

Project PermissionProject QuerierProject ExporterProject DeveloperProject OwnerWorkspace DBAWorkspace Admin
Sync sheet from VCSโœ”๏ธโœ”๏ธโœ”๏ธโœ”๏ธ
Change project roleโœ”๏ธโœ”๏ธโœ”๏ธ
Edit projectโœ”๏ธโœ”๏ธโœ”๏ธ
Archive projectโœ”๏ธโœ”๏ธโœ”๏ธ
Configure UI/GitOps workflowโœ”๏ธโœ”๏ธโœ”๏ธ

Database permissions

Bytebase does not define database specific roles. Whether a user can perform certain action to the database is based on the user's Workspace role and the role of the project owning the database.

Database PermissionProject QuerierProject ExporterProject DeveloperProject OwnerWorkspace DBAWorkspace Admin
Queryโœ”๏ธโœ”๏ธโœ”๏ธโœ”๏ธ
Exportโœ”๏ธโœ”๏ธโœ”๏ธโœ”๏ธ
Take manual backupโœ”๏ธโœ”๏ธโœ”๏ธโœ”๏ธ
Enable backupโœ”๏ธโœ”๏ธโœ”๏ธ
Edit database labelโœ”๏ธโœ”๏ธโœ”๏ธ
Transfer databaseโœ”๏ธโœ”๏ธโœ”๏ธ

Sheet permissions

User can save sheets from SQL Editor. A sheet always belongs to a project. Sheet has three visibility levels:

  • Private
  • Project
  • Public

Private Sheet

PermissionCreatorProject QuerierProject ExporterProject DeveloperProject OwnerWorkspace DBAWorkspace Admin
Starโœ”๏ธ
Readโœ”๏ธ
Writeโœ”๏ธ
Deleteโœ”๏ธ

Project Sheet

PermissionCreatorProject QuerierProject ExporterProject DeveloperProject OwnerWorkspace DBAWorkspace Admin
Starโœ”๏ธโœ”๏ธโœ”๏ธโœ”๏ธโœ”๏ธโœ”๏ธโœ”๏ธ
Readโœ”๏ธโœ”๏ธโœ”๏ธโœ”๏ธโœ”๏ธโœ”๏ธโœ”๏ธ
Writeโœ”๏ธโœ”๏ธโœ”๏ธโœ”๏ธ
Deleteโœ”๏ธโœ”๏ธโœ”๏ธโœ”๏ธ

Public Sheet

PermissionCreatorProject QuerierProject ExporterProject DeveloperProject OwnerOthers
Starโœ”๏ธโœ”๏ธโœ”๏ธโœ”๏ธโœ”๏ธโœ”๏ธ
Readโœ”๏ธโœ”๏ธโœ”๏ธโœ”๏ธโœ”๏ธโœ”๏ธ
Writeโœ”๏ธโœ”๏ธ
Deleteโœ”๏ธโœ”๏ธ

Issue permissions

Issue PermissionAssigneeCreatorProject QuerierProject ExporterProject DeveloperProject OwnerWorkspace DBAWorkspace Admin
Create issueN/AN/Aโœ”๏ธโœ”๏ธโœ”๏ธโœ”๏ธโœ”๏ธโœ”๏ธ
Re-assign issueโœ”๏ธโœ”๏ธโœ”๏ธโœ”๏ธ
Change issue statusโœ”๏ธDepends*โœ”๏ธโœ”๏ธ
Edit name and descriptionโœ”๏ธโœ”๏ธโœ”๏ธโœ”๏ธ
Edit SQL Statementโœ”๏ธ
Subscribe/Unsubscribeโœ”๏ธโœ”๏ธโœ”๏ธโœ”๏ธโœ”๏ธโœ”๏ธโœ”๏ธโœ”๏ธ
Add commentโœ”๏ธโœ”๏ธโœ”๏ธโœ”๏ธโœ”๏ธโœ”๏ธโœ”๏ธโœ”๏ธ

* Project Owner can change issue status when the current active Environment Rollout Policy is set to Require manual rolling out.

Edit this page on GitHub

Subscribe toย Newsletter

By subscribing, you agree with Bytebase's Terms of Service and Privacy Policy.