Organization Role-Based Access Control (RBAC)
Control who can do what within your Monad organization using roles and permissions.
Overview
Every Monad organization uses role-based access control to manage user permissions. Key concepts:
- Roles are scoped to organizations — each user has exactly one role per organization.
- Roles contain granular permissions that control what a user can view, create, modify, or delete.
- Three default roles ship with every new organization. You can also create custom roles with any subset of permissions.
Default Roles
Every new organization is created with three protected roles that cannot be edited or deleted:
- Admin — Full access to all resources and settings, including user management, role management, organization settings, and SSO configuration.
- Contributor — Read/write access to pipelines, inputs, outputs, transforms, enrichments, secrets, API keys, and alert rules. Can view organization logs and metrics. Cannot manage users, roles, organization settings, or SSO connections.
- Reader — Read-only access across pipelines, inputs, outputs, transforms, enrichments, secrets, API keys, organization logs, and alert rules. Cannot create, modify, or delete any resources.
Permissions Matrix
The table below shows which permissions are included in each default role.
| Resource | Permission | Admin | Contributor | Reader |
|---|---|---|---|---|
| Pipelines | pipeline:read | ✓ | ✓ | ✓ |
pipeline:write | ✓ | ✓ | ||
pipeline:delete | ✓ | ✓ | ||
pipeline:data:read | ✓ | ✓ | ✓ | |
pipeline:data:write | ✓ | ✓ | ||
pipeline:logs:read | ✓ | ✓ | ✓ | |
pipeline:metrics:read | ✓ | ✓ | ✓ | |
| Inputs | input:read | ✓ | ✓ | ✓ |
input:write | ✓ | ✓ | ||
input:delete | ✓ | ✓ | ||
| Outputs | output:read | ✓ | ✓ | ✓ |
output:write | ✓ | ✓ | ||
output:delete | ✓ | ✓ | ||
| Transforms | transform:read | ✓ | ✓ | ✓ |
transform:write | ✓ | ✓ | ||
transform:delete | ✓ | ✓ | ||
| Enrichments | enrichment:read | ✓ | ✓ | ✓ |
enrichment:write | ✓ | ✓ | ||
enrichment:delete | ✓ | ✓ | ||
| Secrets | secrets:read | ✓ | ✓ | ✓ |
secrets:write | ✓ | ✓ | ||
secrets:delete | ✓ | ✓ | ||
| API Keys | apikey:read | ✓ | ✓ | ✓ |
apikey:write | ✓ | ✓ | ||
apikey:delete | ✓ | ✓ | ||
| Alert Rules | alert_rule:read | ✓ | ✓ | ✓ |
alert_rule:write | ✓ | ✓ | ||
alert_rule:delete | ✓ | ✓ | ||
| Users | user:read | ✓ | ||
user:write | ✓ | |||
user:delete | ✓ | |||
| Roles | role:read | ✓ | ||
role:write | ✓ | |||
role:delete | ✓ | |||
| Organization | organization:write | ✓ | ||
organization:delete | ✓ | |||
organization:logs:read | ✓ | ✓ | ✓ | |
| SSO Connections | sso_connection:read | ✓ | ||
sso_connection:write | ✓ | |||
sso_connection:delete | ✓ |
Permissions Reference
All 37 organization permissions grouped by resource.
Pipelines
| Permission | Description |
|---|---|
pipeline:read | View and list all pipelines within the organization |
pipeline:write | Create new pipelines and update existing pipeline configurations |
pipeline:delete | Delete existing pipelines from the organization |
pipeline:data:read | View live data as it moves through the pipeline |
pipeline:data:write | Publish pipeline data to HTTP or TCP inputs |
pipeline:logs:read | Access and view execution logs for all pipelines |
pipeline:metrics:read | Access and view performance metrics and statistics for pipelines |
Inputs
| Permission | Description |
|---|---|
input:read | View and list all input configurations within the organization |
input:write | Create and modify input configurations for pipelines |
input:delete | Delete input configurations from the organization |
Outputs
| Permission | Description |
|---|---|
output:read | View and list all output configurations within the organization |
output:write | Create and modify output configurations for pipelines |
output:delete | Delete output configurations from the organization |
Transforms
| Permission | Description |
|---|---|
transform:read | View and list all transform configurations within the organization |
transform:write | Create and modify transform configurations for pipelines |
transform:delete | Delete transform configurations from the organization |
Enrichments
| Permission | Description |
|---|---|
enrichment:read | View and list all enrichment configurations within the organization |
enrichment:write | Create and modify enrichment configurations |
enrichment:delete | Delete enrichment configurations |
Secrets
| Permission | Description |
|---|---|
secrets:read | List and view secret metadata without exposing actual secret values |
secrets:write | Create, update, and manage secret values used in pipelines |
secrets:delete | Delete secrets from the organization |
API Keys
| Permission | Description |
|---|---|
apikey:read | View and list all API keys within the organization |
apikey:write | Create, regenerate, and manage API keys for system access |
apikey:delete | Delete API keys from the organization |
Alert Rules
| Permission | Description |
|---|---|
alert_rule:read | View and list all alert rules within the organization |
alert_rule:write | Create and modify alert rules |
alert_rule:delete | Delete alert rules from the organization |
Users
| Permission | Description |
|---|---|
user:read | View and list all users within the organization |
user:write | Invite new users to the organization and manage existing user accounts |
user:delete | Remove users from the organization |
Roles
| Permission | Description |
|---|---|
role:read | View and list all roles and their associated permissions |
role:write | Create, modify, and assign roles to users |
role:delete | Delete roles from the organization |
Organization
| Permission | Description |
|---|---|
organization:write | Update organization information such as name and description |
organization:delete | Delete the entire organization |
organization:logs:read | View organization-wide logs including API request logs |
SSO Connections
| Permission | Description |
|---|---|
sso_connection:read | View and list all SSO connections within the organization |
sso_connection:write | Create and modify SSO connections |
sso_connection:delete | Delete SSO connections |
Managing Roles
Navigate to your organization and select the Roles tab to manage roles.
Viewing Roles
The Roles tab displays a searchable table of all roles in your organization. Each row shows the role name, description, and available actions.
Creating a Custom Role
- Click Create role.
- Enter a name and description for the role.
- Select permissions from the grouped checklist. You can select or deselect all permissions within a category at once.
- Click Create to save the role.
Note: You can only assign permissions that your own role has. This prevents privilege escalation — you cannot create a role with more access than you currently have.
Editing a Custom Role
- Click the edit action on the role row.
- Modify the name, description, or permissions as needed.
- Click Save to apply changes.
Protected roles (Admin, Contributor, Reader) cannot be edited.
Deleting a Custom Role
- Click the delete action on the role row.
- Confirm the deletion.
Only custom roles with no assigned users can be deleted. Protected roles (Admin, Contributor, Reader) cannot be deleted.
Managing Users
Navigate to your organization and select the Users tab to manage users.
Viewing Users
The Users tab shows all organization members with their email address, assigned role, and authentication provider.
Inviting a User
- In the invite form, enter the user's email address.
- Select a role from the dropdown.
- Click Invite to send the invitation.
Changing a User's Role
- Click the edit action on the user row.
- Select a new role from the dropdown.
- Confirm the change.
Removing a User
- Click the remove action on the user row.
- Confirm the removal.
Note: You cannot remove yourself from the organization.
API Key Roles
API keys also have role assignments within your organization. When you create or manage an API key, you assign it a role just like you would a user. The permissions for that API key are determined by its assigned role — the same permission system applies.
Manage API key roles under the API Keys tab in your organization settings.