Access controls & Roles

​

Overview

Ormi uses role-based access control (RBAC) to manage what users can view and manage within a project. Each project has four roles:

• Owner
• Admin
• Manager
• User

​

Owner

The owner has full control over the project.

​

What owners can do

• All admin permissions
• Manage billing and payment methods
• Delete the project
• Transfer project ownership

There is exactly one Owner per project.

​

Admin

admins manage the project and its members but do not have billing or deletion rights.

​

What admins can do

• Rename the project
• Add or remove project members
• Assign roles to members
• Deploy and delete subgraphs
• Create and manage API keys
• View usage and billing information (read-only)

​

What admins cannot do

• Manage billing
• Delete the project
• Transfer project ownership

​

Manager

Managers are responsible for day-to-day operational tasks.

​

What managers can do

• Deploy subgraphs
• Delete subgraphs
• Create and manage API keys

​

What managers cannot do

• Manage project members
• Change project settings
• Access billing
• Delete the project

​

User

Users have read-only access.

​

What users can do

• View subgraphs
• Query data
• View API keys (read-only)
• View project configuration (read-only)

​

What users cannot do

• Deploy or delete subgraphs
• Create API keys
• Manage members
• Access billing or project settings

​

Changing the role of a team member

You must delete the member first and reinvite the member with the new role.

​

Notes on permission

• Permissions are project-scoped. Roles apply per project, not globally.
• Only owners and admins can manage project membership and roles.
• Billing access is restricted to owners only.
• API keys can be created by admins and managers, but users have read-only access.
• Some permissions may vary depending on plan or environment configuration.