
# Roles and Permissions

> Control access with role-based permissions

## Overview

Zenable uses Role-Based Access Control (RBAC) to manage who can do what within your organization. The system follows these principles:

* **Permissions** are atomic actions (e.g., "edit requirements")
* **Roles** bundle permissions together (e.g., "Admin" has many permissions)
* **Users** are assigned roles directly or via identity provider groups

## System Roles

Zenable provides six predefined roles that cover common access patterns:

| Role                      | Description                           | Key Capabilities                                                      |
| ------------------------- | ------------------------------------- | --------------------------------------------------------------------- |
| **Viewer**                | Read-only access                      | View requirements, users, integrations, settings                      |
| **Contributor**           | Create and edit content               | All Viewer permissions + write/export requirements                    |
| **Admin**                 | Full admin access (billing read-only) | All Contributor + manage users, roles, integrations, audit logs       |
| **Owner**                 | Complete access                       | All Admin + billing management                                        |
| **Billing Administrator** | Financial access                      | View everything + manage billing and invoices                         |
| **Security Auditor**      | Audit + governance access             | View/export audit logs, view requirements, guardrails, and governance |

<Note>
  Custom roles are available on Enterprise plans. Contact us to learn more.
</Note>

## RBAC Audit Logging

<Info>
  RBAC Audit logging is available on **Professional** and **Enterprise** plans only. Log exporting requires an **Enterprise** plan.
</Info>

All role and permission assignments and revocations are logged for compliance, including any provided reason.

Audit logs cannot be deleted by users regardless of role.

Access audit logs via the **Audit** section of the management console; viewing them is governed by the `audit:read` permission.
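The three principles from the Overview and the audit-logging rules above, as an added Python illustration built from this page's role names and permission identifiers (example code, not Zenable's own). The IdP group-to-role mapping, the user names and the audit record fields are constructed assumptions.

```python
# Added illustration of the RBAC model on this page; not Zenable's code.
# Role sets follow the Role Permission Matrix; GROUP_ROLES and record fields are assumed.
from dataclasses import dataclass, field

VIEWER = {"requirements:read", "context:read", "scopes:read", "guardrails:read",
          "findings:read", "users:read", "billing:read", "governance:read",
          "integrations:read", "settings:read"}
CONTRIBUTOR = VIEWER | {"requirements:write", "requirements:export", "context:write",
                        "scopes:write", "guardrails:write", "findings:manage"}
ADMIN = CONTRIBUTOR | {"requirements:delete", "users:invite", "users:remove",
                       "users:manage_roles", "audit:read", "audit:export",
                       "governance:manage", "governance:delete", "integrations:manage",
                       "settings:manage", "feature_flags:read", "feature_flags:manage"}
OWNER = ADMIN | {"billing:manage", "billing:view_invoices"}  # Admin is billing read-only
ROLES = {
    "Viewer": VIEWER, "Contributor": CONTRIBUTOR, "Admin": ADMIN, "Owner": OWNER,
    "Billing Administrator": {"requirements:read", "context:read", "scopes:read",
                              "guardrails:read", "users:read", "billing:read",
                              "billing:manage", "billing:view_invoices",
                              "integrations:read", "settings:read"},
    "Security Auditor": {"requirements:read", "guardrails:read", "audit:read",
                         "audit:export", "governance:read"},
}
# Constructed IdP group -> role mapping (the page only states that groups can grant roles).
GROUP_ROLES = {"soc-team": "Security Auditor", "finance": "Billing Administrator"}

@dataclass
class Tenant:
    direct_roles: dict = field(default_factory=dict)  # user -> set of role names
    groups: dict = field(default_factory=dict)        # user -> set of IdP group names
    audit_log: list = field(default_factory=list)     # append-only: no role may delete entries

    def effective_roles(self, user):
        via_groups = {GROUP_ROLES[g] for g in self.groups.get(user, ()) if g in GROUP_ROLES}
        return self.direct_roles.get(user, set()) | via_groups

    def permissions(self, user):
        return set().union(*(ROLES[r] for r in self.effective_roles(user)))

    def can(self, user, permission):
        return permission in self.permissions(user)

    def change_role(self, actor, user, role, action, reason):
        # Only holders of users:manage_roles may assign or revoke; each change is logged with its reason.
        if not self.can(actor, "users:manage_roles"):
            raise PermissionError(f"{actor} lacks users:manage_roles")
        roles = self.direct_roles.setdefault(user, set())
        if action == "assign":
            roles.add(role)
        else:
            roles.discard(role)
        self.audit_log.append({"action": action, "actor": actor, "user": user,
                               "role": role, "reason": reason})
```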

## Role Permission Matrix

| Permission             | Viewer | Contributor | Admin | Owner | Billing Admin | Security Auditor |
| ---------------------- | :----: | :---------: | :---: | :---: | :-----------: | :--------------: |
| requirements:read      |    ✓   |      ✓      |   ✓   |   ✓   |       ✓       |         ✓        |
| requirements:write     |        |      ✓      |   ✓   |   ✓   |               |                  |
| requirements:delete    |        |             |   ✓   |   ✓   |               |                  |
| requirements:export    |        |      ✓      |   ✓   |   ✓   |               |                  |
| context:read           |    ✓   |      ✓      |   ✓   |   ✓   |       ✓       |                  |
| context:write          |        |      ✓      |   ✓   |   ✓   |               |                  |
| scopes:read            |    ✓   |      ✓      |   ✓   |   ✓   |       ✓       |                  |
| scopes:write           |        |      ✓      |   ✓   |   ✓   |               |                  |
| guardrails:read        |    ✓   |      ✓      |   ✓   |   ✓   |       ✓       |         ✓        |
| guardrails:write       |        |      ✓      |   ✓   |   ✓   |               |                  |
| findings:read          |    ✓   |      ✓      |   ✓   |   ✓   |               |                  |
| findings:manage        |        |      ✓      |   ✓   |   ✓   |               |                  |
| users:read             |    ✓   |      ✓      |   ✓   |   ✓   |       ✓       |                  |
| users:invite           |        |             |   ✓   |   ✓   |               |                  |
| users:remove           |        |             |   ✓   |   ✓   |               |                  |
| users:manage\_roles    |        |             |   ✓   |   ✓   |               |                  |
| billing:read           |    ✓   |      ✓      |   ✓   |   ✓   |       ✓       |                  |
| billing:manage         |        |             |       |   ✓   |       ✓       |                  |
| billing:view\_invoices |        |             |       |   ✓   |       ✓       |                  |
| audit:read             |        |             |   ✓   |   ✓   |               |         ✓        |
| audit:export           |        |             |   ✓   |   ✓   |               |         ✓        |
| governance:read        |    ✓   |      ✓      |   ✓   |   ✓   |               |         ✓        |
| governance:manage      |        |             |   ✓   |   ✓   |               |                  |
| governance:delete      |        |             |   ✓   |   ✓   |               |                  |
| integrations:read      |    ✓   |      ✓      |   ✓   |   ✓   |       ✓       |                  |
| integrations:manage    |        |             |   ✓   |   ✓   |               |                  |
| settings:read          |    ✓   |      ✓      |   ✓   |   ✓   |       ✓       |                  |
| settings:manage        |        |             |   ✓   |   ✓   |               |                  |
| feature\_flags:read    |        |             |   ✓   |   ✓   |               |                  |
| feature\_flags:manage  |        |             |   ✓   |   ✓   |               |                  |
| marketplace:publish    |        |             |       |       |               |                  |

## Permissions by Category

### Requirements

| Permission            | Description                                               |
| --------------------- | --------------------------------------------------------- |
| `requirements:read`   | View and search requirements                              |
| `requirements:write`  | Create and edit requirements                              |
| `requirements:delete` | Permanently delete requirements and associated guardrails |
| `requirements:export` | Export requirements to external formats                   |

<Warning>
  Deleting a requirement is permanent and also deletes all guardrails associated with that requirement. This action cannot be undone.
</Warning>

### Context

| Permission      | Description                                          |
| --------------- | ---------------------------------------------------- |
| `context:read`  | View reviewer contexts at customer and tenant levels |
| `context:write` | Create, edit, and delete reviewer contexts           |

### Scopes

| Permission     | Description                                | Minimum Tier |
| -------------- | ------------------------------------------ | ------------ |
| `scopes:read`  | View scope definitions                     | Professional |
| `scopes:write` | Create, edit, and delete scope definitions | Professional |

### Guardrails

| Permission         | Description                         | Minimum Tier |
| ------------------ | ----------------------------------- | ------------ |
| `guardrails:read`  | View guardrails                     | Professional |
| `guardrails:write` | Create, edit, and delete guardrails | Professional |

### Findings

| Permission        | Description                               | Minimum Tier |
| ----------------- | ----------------------------------------- | ------------ |
| `findings:read`   | View code review findings and resolutions | Professional |
| `findings:manage` | Create, update, and resolve findings      | Professional |

### Users

| Permission           | Description              |
| -------------------- | ------------------------ |
| `users:read`         | View team members        |
| `users:invite`       | Invite new users         |
| `users:remove`       | Remove users from tenant |
| `users:manage_roles` | Assign and revoke roles  |

### Billing

| Permission              | Description              |
| ----------------------- | ------------------------ |
| `billing:read`          | View billing information |
| `billing:manage`        | Modify subscription      |
| `billing:view_invoices` | Download invoices        |

### Audit

| Permission     | Description       | Minimum Tier |
| -------------- | ----------------- | ------------ |
| `audit:read`   | View audit logs   | Professional |
| `audit:export` | Export audit logs | Enterprise   |

### Governance

| Permission          | Description                                                     | Minimum Tier |
| ------------------- | --------------------------------------------------------------- | ------------ |
| `governance:read`   | View governance domains and evidence                            | Professional |
| `governance:manage` | Create and edit governance domains and map requirements to them | Professional |
| `governance:delete` | Delete governance domains from the tenant taxonomy              | Professional |

<Warning>
  Deleting a governance domain is permanent. Requirements mapped to the domain must be reassigned or explicitly unmapped as part of the deletion flow.
</Warning>

### Integrations

| Permission            | Description                         |
| --------------------- | ----------------------------------- |
| `integrations:read`   | View configured integrations        |
| `integrations:manage` | Add, remove, configure integrations |

### Settings

| Permission        | Description                 |
| ----------------- | --------------------------- |
| `settings:read`   | View tenant settings        |
| `settings:manage` | Modify tenant configuration |

### Feature Flags

| Permission             | Description                  |
| ---------------------- | ---------------------------- |
| `feature_flags:read`   | View feature flags           |
| `feature_flags:manage` | Enable/disable feature flags |

### Marketplace

| Permission            | Description                                      | Minimum Tier |
| --------------------- | ------------------------------------------------ | ------------ |
| `marketplace:publish` | Publish new versions of marketplace requirements | Enterprise   |

<Note>
  **Need help?** Contact us at [hello@zenable.io](mailto:hello@zenable.io)
</Note>
