Roles & Permissions (RBAC)
This table maps personas to typical permissions. Actual permission names and scope may vary per deployment.
Persona                     Key permissions
--------------------------  -------------------------------------------------------
Platform Admin              manage_platform, manage_tenants, manage_risk_defaults,
                            manage_secrets, manage_domains, view_audit_all
Tenant Admin                manage_tenant, manage_risk_config, manage_channels,
                            manage_approver_groups, view_audit_tenant, apply_changes
Operator (SRE)              read_automations, request_approval, apply_changes,
                            view_metrics, view_jobs, trigger_rollback
Reader                      read_automations, view_metrics
Developer* (private docs)   internal APIs and code contribution
Notes
- Platform Admin is an organizational role. Tenant Admin applies within a tenant only.
- Permissions can be integrated with your IdP or local auth; consult your deployment’s security configuration.
- Approvals may be required even for admins depending on risk policy.
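
An added example (not part of the original documentation or the product's own code) showing how the persona table and the notes above combine into a single authorization decision. Permission names come from the table; the role keys, the `Grant` type, the risk levels and the set of risk-gated permissions are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Persona -> permissions, copied from the table above (role keys are hypothetical).
ROLE_PERMISSIONS = {
    "platform_admin": {"manage_platform", "manage_tenants", "manage_risk_defaults",
                       "manage_secrets", "manage_domains", "view_audit_all"},
    "tenant_admin": {"manage_tenant", "manage_risk_config", "manage_channels",
                     "manage_approver_groups", "view_audit_tenant", "apply_changes"},
    "operator": {"read_automations", "request_approval", "apply_changes",
                 "view_metrics", "view_jobs", "trigger_rollback"},
    "reader": {"read_automations", "view_metrics"},
}
ORG_WIDE_ROLES = {"platform_admin"}  # organizational role, not bound to one tenant

# Assumption: state-changing permissions are the ones the risk policy gates.
RISK_GATED = {"apply_changes", "trigger_rollback"}
RISK_ORDER = ["low", "medium", "high"]  # hypothetical risk levels


@dataclass(frozen=True)
class Grant:
    role: str
    tenant: Optional[str] = None  # None only for organizational roles


def authorize(grants, permission, tenant, risk="low",
              approval_threshold="high", approved=False):
    """Return 'allow', 'deny' or 'needs_approval' for one request."""
    holds = False
    for g in grants:
        if permission not in ROLE_PERMISSIONS.get(g.role, set()):
            continue  # unknown roles grant nothing
        if g.role in ORG_WIDE_ROLES:
            holds = True
        elif g.tenant is not None and g.tenant == tenant:
            holds = True  # tenant-scoped role counts only inside its own tenant
    if not holds:
        return "deny"  # default deny
    if permission in RISK_GATED and not approved:
        # An unrecognized risk label is treated as the highest level (fail closed).
        level = RISK_ORDER.index(risk) if risk in RISK_ORDER else len(RISK_ORDER)
        if level >= RISK_ORDER.index(approval_threshold):
            return "needs_approval"  # applies to admins as well
    return "allow"
```

The function denies by default, so a role missing from the mapping or a tenant mismatch never falls through to an allow.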