Role-based access control in Nubis

Role-Based Access Control lets you manage access through roles instead of one-off permission decisions. In Nubis, roles are attached to organization members and can also back service accounts used for automation.

Key concepts

Roles

The repo currently defines the following system roles:
  • Owner: Full access across the organization, including IAM and billing.
  • Admin: Broad administrative access without full owner-level control.
  • Member: General access that is usually narrower and more read-oriented by default.

Permissions

Permissions are granular capabilities grouped across services such as:
  • Compute and scaling
  • Networking and DNS
  • Storage and databases
  • Billing and credits
  • IAM, service accounts, and webhooks

Identities

Team members and service accounts are the identities that receive roles.

Default roles

Owner

  • Full account control
  • Billing management
  • Role and member administration
  • Full infrastructure access

Admin

  • Create and manage resources
  • Manage team members
  • View billing
  • Broad operational access

Member

  • Common day-to-day access
  • Usually oriented around read or scoped operations
  • Can be replaced or narrowed by custom roles
  • Good base for standard collaborators

Getting started

  1. Invite team members: open the organization members view and invite the teammate by email.
  2. Assign a role: start with the narrowest role that still lets the person do their job.
  3. Review access regularly: revisit role membership as teams, projects, and automation needs change.

Custom roles

Create custom roles when the default role set is too broad or too narrow:
  1. Start from the permissions your team actually uses.
  2. Group them into a role that matches a real responsibility.
  3. Reuse that role for both teammates and service accounts where appropriate.
  4. Review role membership regularly as teams and systems change.
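The role, permission and identity model described above, together with the first custom-role step (keeping only the permissions actually used), as an added example. This is not Nubis's own code or API; the permission names, role contents, identities and usage log are constructed for illustration.

```python
# Added example: a minimal model of the page's RBAC relationships. Not Nubis's
# code or API; permission identifiers, roles, identities and the usage log are
# constructed placeholders.

# Constructed permission identifiers, grouped by the service areas the page lists.
PERMISSIONS = {
    "compute:read", "compute:scale",          # Compute and scaling
    "network:read", "dns:write",              # Networking and DNS
    "storage:read", "db:write",               # Storage and databases
    "billing:view", "billing:manage",         # Billing and credits
    "members:manage", "iam:manage",           # IAM, service accounts, webhooks
    "service_accounts:manage", "webhooks:manage",
}

# Default roles as permission sets, constructed to mirror the page's descriptions:
# Owner has everything; Admin lacks owner-level IAM and billing control;
# Member is read-oriented.
ROLES = {
    "Owner": set(PERMISSIONS),
    "Admin": PERMISSIONS - {"billing:manage", "iam:manage"},
    "Member": {p for p in PERMISSIONS if p.endswith(":read") or p == "billing:view"},
}

# Identities (team members and service accounts) receive roles.
IDENTITIES = {
    "alice@example.com": {"Owner"},
    "ci-deployer": {"Admin"},                 # constructed service account for CI/CD
    "bob@example.com": {"Member"},
}

# Constructed audit log of (identity, permission) pairs actually exercised.
USAGE_LOG = [
    ("ci-deployer", "compute:scale"),
    ("ci-deployer", "dns:write"),
    ("ci-deployer", "compute:scale"),
    ("bob@example.com", "storage:read"),
]

def is_allowed(identity, permission, roles=ROLES, identities=IDENTITIES):
    """Authorization check: allowed iff some role held by the identity grants it."""
    if permission not in PERMISSIONS:
        raise ValueError(f"unknown permission: {permission}")
    return any(permission in roles[r] for r in identities.get(identity, ()))

def derive_custom_role(identity, usage_log, roles=ROLES, identities=IDENTITIES):
    """Custom-role step 1: split granted permissions into used and unused.
    The used set is the candidate custom role; the unused set is excess privilege."""
    granted = set().union(*(roles[r] for r in identities.get(identity, ())))
    used = {perm for who, perm in usage_log if who == identity and perm in granted}
    return used, granted - used
```

Running derive_custom_role on the CI service account shows that its Admin role grants far more than the two permissions it exercises, which is the signal to replace it with a narrower custom role.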

Best practices

Start with least privilege. Grant only the permissions a person or automation path actually needs.
  • Keep billing and IAM access limited to trusted operators.
  • Use service accounts instead of personal keys for CI/CD and automation.
  • Remove stale identities quickly when teammates leave or systems are retired.