Atlas Roles (Provider Console - Platform-Scoped)

Atlas operates in a single platform organization context. No customer org isolation needed.

| Role | Description | Capabilities |
|---|---|---|
| super_admin | Full platform control | All operations, system config, all impersonation |
| provider_admin | Organization management | Create/manage customer orgs, impersonate users, modify settings |
| provider_operator | Infrastructure operations | Provision servers, manage resources, no impersonation |
| provider_revenue | Business & revenue operations | View all data, analytics, billing, pricing, audit logs (read-only infra) |
| support | Customer support | Read-only access, impersonate Arc users for troubleshooting (read-only) |
Atlas Permission Matrix
| Permission | super_admin | provider_admin | provider_operator | provider_revenue | support |
|---|---|---|---|---|---|
| system:* | β | β | β | β | β |
| tenants:* | β | β | β | β | β |
| servers:* | β | β | β | β | β |
| servers:read | β | β | β | β | β |
| clusters:* | β | β | β | β | β |
| clusters:read | β | β | β | β | β |
| projects:* | β | β | β | β | β |
| projects:read | β | β | β | β | β |
| analytics:read | β | β | β | β | β |
| analytics:export | β | β | β | β | β |
| billing:* | β | β | β | β | β |
| pricing:write | β | β | β | β | β |
| audit:read | β | β | β | β | β |
| users:read | β | β | β | β | β |
| users:impersonate | β | β | β | β | β |
| users:impersonate:readonly | β | β | β | β | β |
Arc Roles (Customer Portal - Multi-Tenant)

Arc uses BetterAuth's organization plugin for multi-tenancy. Roles exist at two levels: organization and project.

Organization Roles
| Role | Scope | Description |
|---|---|---|
| owner | All projects | Full org control, destructive actions, ownership transfer |
| admin | All projects | Org settings, billing, member management, all project access |
| member | Assigned projects | Access visibility: 'org' projects as implicit viewer, own usage |
Owner vs Admin Boundary
Admins can build up; only owners can tear down. This prevents a rogue admin from nuking the org or locking out the account holder.

| Action | Owner | Admin | Member |
|---|---|---|---|
| Delete organization | β | β | β |
| Transfer ownership | β | β | β |
| Downgrade/cancel billing plan | β | β | β |
| Remove other admins | β | β | β |
| Invite/promote to admin | β | β | β |
| Manage billing methods & invoices | β | β | β |
| View org-wide usage | β | β | β |
| View own project usage | β | β | β |
| All other org settings | β | β | β |
| Create projects | β | β | β |
| Access all projects | β | β | β |
| Access assigned projects | β | β | β |
Project Roles
| Role | Capabilities |
|---|---|
| admin | Full project control, manage project members, change visibility |
| member | Deploy, manage resources within project |
| viewer | Read-only access to project resources |
Project Visibility
| Value | Behavior |
|---|---|
| 'org' (default) | All org members have implicit viewer access |
| 'members_only' | Only explicit project members + org owner/admin can access |
Access Control Matrix
| Org Role | Project Visibility | Project Role | Access Level |
|---|---|---|---|
| owner | any | any | β Full access |
| admin | any | any | β Full access |
| member | org | none | β Implicit viewer |
| member | members_only | none | β No access |
| member | members_only | viewer | β Read-only |
| member | members_only | member | β Member |
| member | members_only | admin | β Project admin |
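
The access rules in the matrix above, written as a fail-closed resolver. This is an added example, not Arc's own code: the function names, the `Access` labels and the action names are hypothetical, and it assumes that an explicit project role also applies on 'org'-visibility projects and that any unrecognized value denies access.

```typescript
// Added example (not Arc's code): effective project access per the matrix above.
type Access =
  | "full" | "project_admin" | "member"
  | "read_only" | "implicit_viewer" | "none";
type Action = "read" | "deploy" | "manage_members"; // hypothetical action names

// Inputs are plain strings because they come from a session or database row
// at runtime; every value the matrix does not list falls through to "none".
function resolveProjectAccess(
  orgRole: string | null,
  visibility: string | null,
  projectRole: string | null,
): Access {
  // Org owner and admin: full access for any visibility and any project role.
  if (orgRole === "owner" || orgRole === "admin") return "full";
  if (orgRole !== "member") return "none"; // not an org member: deny
  if (visibility !== "org" && visibility !== "members_only") return "none";
  switch (projectRole) {
    // Assumption: an explicit role applies under both visibility values.
    case "admin": return "project_admin";
    case "member": return "member";
    case "viewer": return "read_only";
    // No explicit role: only 'org' visibility grants implicit viewer access.
    case null: return visibility === "org" ? "implicit_viewer" : "none";
    // Unknown role string: deny rather than fall back to implicit viewer.
    default: return "none";
  }
}

// Maps an access level to the project-role capabilities listed on the page.
function can(access: Access, action: Action): boolean {
  switch (access) {
    case "full":
    case "project_admin":
      return true;
    case "member":
      return action === "read" || action === "deploy";
    case "read_only":
    case "implicit_viewer":
      return action === "read";
    default:
      return false;
  }
}
```
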
Permissions Schema
Arc Organization Permissions
Arc Project Permissions
Billing Permission Breakdown
| Permission | Description | Owner | Admin | Member |
|---|---|---|---|---|
| org:billing | Manage payment methods, invoices, plan changes | β | β | β |
| org:billing:usage:all | View usage across all projects in org | β | β | β |
| org:billing:usage:own | View usage for projects user belongs to | β | β | β |
First User & Default Behavior
| Event | Result |
|---|---|
| User creates organization | User gets owner role |
| Org creation | Auto-creates a "default" project |
| Owner on default project | Auto-assigned as project admin |
| New project created | visibility: 'org' by default (can set members_only on creation) |
| Project creator | Auto-assigned as project admin |