Roles & Permissions

NightOps provides flexible access control to ensure team members have the right level of access.

Built-in Roles

Owner

Full organization control including:

All Admin permissions
Manage billing and subscription
Delete organization
Transfer ownership

note

Every organization must have at least one Owner. Ownership can be transferred but not removed.

Admin

Full operational control:

Manage team members and roles
Create/edit/delete providers
Create/edit/delete collections and schedules
Start/stop any resource
View all activity logs
Configure integrations

Member

Day-to-day operations:

View all resources (or restricted set)
Start/stop collections they have access to
View their own activity
Use Slack commands (if enabled)

Viewer

Read-only access:

View resources and collections
View schedules and status
View cost information
Cannot make any changes

Permission Matrix

Permission	Owner	Admin	Member	Viewer
Organization
View organization	✓	✓	✓	✓
Edit organization settings	✓	✓	-	-
Manage billing	✓	-	-	-
Delete organization	✓	-	-	-
Team
View members	✓	✓	✓	✓
Invite members	✓	✓	-	-
Remove members	✓	✓	-	-
Change member roles	✓	✓	-	-
Providers
View providers	✓	✓	✓	✓
Add providers	✓	✓	-	-
Edit providers	✓	✓	-	-
Delete providers	✓	✓	-	-
Sync providers	✓	✓	✓	-
Collections
View all collections	✓	✓	*	*
Create collections	✓	✓	-	-
Edit collections	✓	✓	*	-
Delete collections	✓	✓	-	-
Start/stop collections	✓	✓	*	-
Assets
View all assets	✓	✓	*	*
Start/stop assets	✓	✓	*	-
Edit asset settings	✓	✓	-	-
Schedules
View schedules	✓	✓	✓	✓
Create schedules	✓	✓	-	-
Edit schedules	✓	✓	-	-
Delete schedules	✓	✓	-	-
Integrations
Configure Slack	✓	✓	-	-
Use Slack commands	✓	✓	✓	-
Configure calendar	✓	✓	✓	✓
Activity
View own activity	✓	✓	✓	✓
View all activity	✓	✓	-	-
Export activity logs	✓	✓	-	-

* = Based on collection access grants

Collection-Level Access

Members and Viewers can have access restricted to specific collections.

Access Levels

Level	Can View	Can Start	Can Stop	Can Edit
Full Access	✓	✓	✓	✓
Operator	✓	✓	✓	-
Start Only	✓	✓	-	-
View Only	✓	-	-	-

Granting Access

Go to Team → Member → Access
Click Add Collection Access
Select the collection
Choose access level
Save

Example Configuration

Developer: Alice
├── staging-frontend     Full Access
├── staging-api          Operator
├── staging-database     View Only
└── production-*         No Access

QA Engineer: Bob
├── qa-environment       Full Access
├── staging-*            View Only
└── production-*         No Access

On-Call Engineer: Charlie
├── staging-*            Full Access
├── production-*         Start Only (for emergencies)

Custom Roles

Create custom roles for specific needs:

Create Custom Role

Go to Settings → Roles
Click Create Role
Name the role (e.g., "On-Call Engineer")
Select base permissions
Add/remove specific permissions
Save

Custom Role Example: On-Call

name: On-Call Engineer
description: Can start staging resources during incidents

permissions:
  # Can view everything
  collections.view: all
  assets.view: all
  schedules.view: true

  # Can start staging collections
  collections.start:
    - staging-*

  # Cannot stop or edit
  collections.stop: none
  collections.edit: none

  # Can use Slack
  slack.commands: true

Custom Role Example: Cost Viewer

name: Cost Viewer
description: Read-only access focused on cost visibility

permissions:
  collections.view: all
  assets.view: all
  schedules.view: true
  activity.view: own

  # No operational permissions
  collections.start: none
  collections.stop: none
  providers.sync: false

Inline Policies

For fine-grained control, use inline policies attached to individual users:

Policy Structure

{
  "version": "1",
  "statements": [
    {
      "effect": "allow",
      "actions": ["collections.start", "collections.stop"],
      "resources": ["collection:staging-*"]
    },
    {
      "effect": "deny",
      "actions": ["collections.stop"],
      "resources": ["collection:staging-database"]
    }
  ]
}

Policy Examples

Allow starting specific collections:

{
  "effect": "allow",
  "actions": ["collections.start"],
  "resources": [
    "collection:staging-frontend",
    "collection:staging-api"
  ]
}

Deny stopping databases:

{
  "effect": "deny",
  "actions": ["collections.stop", "assets.stop"],
  "resources": ["asset:rds_instance:*"]
}

Time-based access:

{
  "effect": "allow",
  "actions": ["collections.start", "collections.stop"],
  "resources": ["collection:*"],
  "conditions": {
    "time_of_day": {
      "after": "08:00",
      "before": "20:00",
      "timezone": "America/New_York"
    }
  }
}

Slack Command Permissions

Control who can use Slack commands:

Command	Required Permission
`/nightops status`	collections.view
`/nightops start <collection>`	collections.start for that collection
`/nightops stop <collection>`	collections.stop for that collection
`/nightops list`	collections.view
`/nightops help`	Any authenticated user

Restrict Slack Commands

Go to Settings → Integrations → Slack

Under Command Permissions, configure:

/nightops start  → Admins, Members with collection access
/nightops stop   → Admins only
/nightops status → All authenticated users

Save

Audit Trail

All permission checks are logged:

View Access Logs

Go to Settings → Activity Log
Filter by Type: Access

See entries like:

2024-01-15 10:30  alice@company.com  ALLOWED  collections.start  staging-api
2024-01-15 10:25  bob@company.com    DENIED   collections.stop   production-web

Export for Compliance

Go to Settings → Activity Log
Click Export
Select date range and format (CSV, JSON)
Download

Best Practices

Principle of Least Privilege

Start with minimal permissions and add as needed:

New developer joins:
Start as Viewer
After onboarding, grant Member role
Add specific collection access for their team
Only grant Admin if managing infrastructure

Separation of Duties

Development:
└── Developers can manage dev/staging

Operations:
└── Ops team can manage all environments

Production:
└── Require Admin role + approval workflow

Regular Access Reviews

Monthly or quarterly:

Review all member access
Remove access for departed team members
Verify access levels are still appropriate
Audit custom roles and policies

Document Access Decisions

Keep records of:

Why users have specific access
When access was granted
Who approved the access

Troubleshooting

"Permission Denied" Error

Check user's role
Check collection-specific access grants
Check for deny policies
Verify the collection exists

Cannot Grant Access

Only Owners and Admins can manage access
Cannot grant more access than you have
Cannot modify Owner permissions

Slack Command Not Working

Verify user is in NightOps organization
Check Slack account is linked
Verify command permissions in settings
Check collection access grants

Next Steps

Add team members — Invite your team
Set up Slack — Enable team commands
View schedule examples — Configure automation

Built-in Roles​

Owner​

Admin​

Member​

Viewer​

Permission Matrix​

Collection-Level Access​

Access Levels​

Granting Access​

Example Configuration​

Custom Roles​

Create Custom Role​

Custom Role Example: On-Call​

Custom Role Example: Cost Viewer​

Inline Policies​

Policy Structure​

Policy Examples​

Slack Command Permissions​

Restrict Slack Commands​

Audit Trail​

View Access Logs​

Export for Compliance​

Best Practices​

Principle of Least Privilege​

Separation of Duties​

Regular Access Reviews​

Document Access Decisions​

Troubleshooting​

"Permission Denied" Error​

Cannot Grant Access​

Slack Command Not Working​

Next Steps​