
Atlas Roles (Provider Console — Platform-Scoped)

Atlas operates in a single platform organization context; no per-customer org isolation is needed.

| Role | Description | Capabilities |
|---|---|---|
| super_admin | Full platform control | All operations, system config, all impersonation |
| provider_admin | Organization management | Create/manage customer orgs, impersonate users, modify settings |
| provider_operator | Infrastructure operations | Provision servers, manage resources, no impersonation |
| provider_revenue | Business & revenue operations | View all data, analytics, billing, pricing, audit logs (read-only infra) |
| support | Customer support | Read-only access, impersonate Arc users for troubleshooting (read-only) |

Atlas Permission Matrix

| Permission | super_admin | provider_admin | provider_operator | provider_revenue | support |
|---|---|---|---|---|---|
| system:* | ✅ | ❌ | ❌ | ❌ | ❌ |
| tenants:* | ✅ | ✅ | ❌ | ❌ | ❌ |
| servers:* | ✅ | ✅ | ✅ | ❌ | ❌ |
| servers:read | ✅ | ✅ | ✅ | ✅ | ✅ |
| clusters:* | ✅ | ✅ | ✅ | ❌ | ❌ |
| clusters:read | ✅ | ✅ | ✅ | ✅ | ✅ |
| projects:* | ✅ | ✅ | ❌ | ❌ | ❌ |
| projects:read | ✅ | ✅ | ✅ | ✅ | ✅ |
| analytics:read | ✅ | ✅ | ❌ | ✅ | ❌ |
| analytics:export | ✅ | ✅ | ❌ | ✅ | ❌ |
| billing:* | ✅ | ✅ | ❌ | ✅ | ❌ |
| pricing:write | ✅ | ✅ | ❌ | ✅ | ❌ |
| audit:read | ✅ | ✅ | ❌ | ✅ | ✅ |
| users:read | ✅ | ✅ | ✅ | ✅ | ✅ |
| users:impersonate | ✅ | ✅ | ❌ | ❌ | ❌ |
| users:impersonate:readonly | ✅ | ✅ | ❌ | ❌ | ✅ |

Arc Roles (Customer Portal — Multi-Tenant)

Arc uses BetterAuth’s organization plugin for multi-tenancy. Roles exist at two levels: organization and project.

Organization Roles

| Role | Scope | Description |
|---|---|---|
| owner | All projects | Full org control, destructive actions, ownership transfer |
| admin | All projects | Org settings, billing, member management, all project access |
| member | Assigned projects | Access to assigned projects, implicit viewer on visibility: 'org' projects, own usage |

Owner vs Admin Boundary

Admins can build up; only owners can tear down. This prevents a rogue admin from nuking the org or locking out the account holder.
| Action | Owner | Admin | Member |
|---|---|---|---|
| Delete organization | ✅ | ❌ | ❌ |
| Transfer ownership | ✅ | ❌ | ❌ |
| Downgrade/cancel billing plan | ✅ | ❌ | ❌ |
| Remove other admins | ✅ | ❌ | ❌ |
| Invite/promote to admin | ✅ | ✅ | ❌ |
| Manage billing methods & invoices | ✅ | ✅ | ❌ |
| View org-wide usage | ✅ | ✅ | ❌ |
| View own project usage | ✅ | ✅ | ✅ |
| All other org settings | ✅ | ✅ | ❌ |
| Create projects | ✅ | ✅ | ❌ |
| Access all projects | ✅ | ✅ | ❌ |
| Access assigned projects | ✅ | ✅ | ✅ |

Project Roles

| Role | Capabilities |
|---|---|
| admin | Full project control, manage project members, change visibility |
| member | Deploy, manage resources within project |
| viewer | Read-only access to project resources |

Project Visibility

| Value | Behavior |
|---|---|
| 'org' (default) | All org members have implicit viewer access |
| 'members_only' | Only explicit project members + org owner/admin can access |

Access Control Matrix

| Org Role | Project Visibility | Project Role | Access Level |
|---|---|---|---|
| owner | any | any | ✅ Full access |
| admin | any | any | ✅ Full access |
| member | org | none | ✅ Implicit viewer |
| member | members_only | none | ❌ No access |
| member | members_only | viewer | ✅ Read-only |
| member | members_only | member | ✅ Member |
| member | members_only | admin | ✅ Project admin |

Permissions Schema

Arc Organization Permissions

```ts
const arcOrgRolePermissions = {
  owner: [
    'org:*',              // All org operations
    'org:delete',         // Delete organization
    'org:transfer',       // Transfer ownership
    'org:billing',        // Manage billing methods, invoices, plan
    'org:billing:usage:all', // View org-wide usage
    'org:members:admin',  // Invite/remove admins
    'projects:*',         // All project operations
    'clusters:*',         // All cluster operations
  ],
  admin: [
    'org:admin',          // Org settings
    'org:write',          // Modify org properties
    'org:billing',        // Manage billing methods, invoices
    'org:billing:usage:all', // View org-wide usage
    'org:members:admin',  // Invite/promote members
    'projects:*',         // All project operations
    'clusters:*',         // All cluster operations
  ],
  member: [
    'org:read',           // View org info
    'org:billing:usage:own', // View own project usage
    'projects:read',      // View org-visible projects
    'clusters:read',      // View clusters in accessible projects
  ],
};
```

Arc Project Permissions

```ts
const arcProjectRolePermissions = {
  admin: [
    'projects:admin',     // Full project control
    'projects:members',   // Manage project members
    'projects:settings',  // Change visibility, settings
    'clusters:*',         // All cluster operations in project
  ],
  member: [
    'clusters:read',      // View clusters
    'clusters:write',     // Deploy, manage resources
    'clusters:kubeconfig', // Access kubeconfig
  ],
  viewer: [
    'projects:read',      // View project info
    'clusters:read',      // View clusters (read-only)
  ],
};
```

Billing Permission Breakdown

| Permission | Description | Owner | Admin | Member |
|---|---|---|---|---|
| org:billing | Manage payment methods, invoices, plan changes | ✅ | ✅ | ❌ |
| org:billing:usage:all | View usage across all projects in org | ✅ | ✅ | ❌ |
| org:billing:usage:own | View usage for projects user belongs to | ✅ | ✅ | ✅ |

First User & Default Behavior

| Event | Result |
|---|---|
| User creates organization | User gets owner role |
| Org creation | Auto-creates a "default" project |
| Owner on default project | Auto-assigned as project admin |
| New project created | visibility: 'org' by default (can set members_only on creation) |
| Project creator | Auto-assigned as project admin |

Schema Representation

```
// Organization membership (BetterAuth organization plugin)
organization_members {
  user_id       // FK → auth.users
  organization_id // FK → auth.organizations
  role          // 'owner' | 'admin' | 'member'
}

// Projects
projects {
  id
  organization_id // FK → auth.organizations
  name
  slug
  visibility    // 'org' | 'members_only' — default 'org'
  created_by    // FK → auth.users
  ...
}

// Project membership
project_members {
  user_id       // FK → auth.users
  project_id    // FK → projects
  role          // 'admin' | 'member' | 'viewer'
}
```

Permission Checking Logic

```ts
// Resolve effective access for a user on a project
function getProjectAccess(
  orgRole: 'owner' | 'admin' | 'member',
  projectVisibility: 'org' | 'members_only',
  projectRole?: 'admin' | 'member' | 'viewer' | null,
): 'admin' | 'member' | 'viewer' | 'none' {
  // Owner/admin get full access to everything
  if (orgRole === 'owner' || orgRole === 'admin') return 'admin';

  // Explicit project role always takes precedence
  if (projectRole) return projectRole;

  // Org members get implicit viewer on org-visible projects
  if (orgRole === 'member' && projectVisibility === 'org') return 'viewer';

  return 'none';
}
```
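The access level from `getProjectAccess` is only half of a permission check: the other half is matching a requested permission against the org-role and project-role grant lists from the Permissions Schema above, including the `:*` wildcards. The following is an added example written for this page, not Arc's own code. It embeds `getProjectAccess` as defined above, mirrors the `arcOrgRolePermissions` and `arcProjectRolePermissions` lists, and adds a wildcard matcher plus two check functions; the names `matches`, `canInOrg`, `canOnProject`, `orgPerms` and `projectPerms` are assumed for this example.

```typescript
// Added example (not Arc's own code): resolve a user's effective permissions
// from org role, project visibility and project role, then answer permission
// checks. The permission lists mirror arcOrgRolePermissions and
// arcProjectRolePermissions from this page; matches, canInOrg and
// canOnProject are names assumed for this example.

type OrgRole = 'owner' | 'admin' | 'member';
type ProjectRole = 'admin' | 'member' | 'viewer';
type Visibility = 'org' | 'members_only';

const orgPerms: Record<OrgRole, string[]> = {
  owner: ['org:*', 'org:delete', 'org:transfer', 'org:billing',
          'org:billing:usage:all', 'org:members:admin', 'projects:*', 'clusters:*'],
  admin: ['org:admin', 'org:write', 'org:billing', 'org:billing:usage:all',
          'org:members:admin', 'projects:*', 'clusters:*'],
  member: ['org:read', 'org:billing:usage:own', 'projects:read', 'clusters:read'],
};

const projectPerms: Record<ProjectRole, string[]> = {
  admin: ['projects:admin', 'projects:members', 'projects:settings', 'clusters:*'],
  member: ['clusters:read', 'clusters:write', 'clusters:kubeconfig'],
  viewer: ['projects:read', 'clusters:read'],
};

// Same resolution order as the page's getProjectAccess: org owner/admin win,
// then an explicit project role, then implicit viewer on 'org' projects.
function getProjectAccess(
  orgRole: OrgRole,
  projectVisibility: Visibility,
  projectRole?: ProjectRole | null,
): ProjectRole | 'none' {
  if (orgRole === 'owner' || orgRole === 'admin') return 'admin';
  if (projectRole) return projectRole;
  if (orgRole === 'member' && projectVisibility === 'org') return 'viewer';
  return 'none';
}

// A grant satisfies a request when they are equal, or when the grant ends in
// ':*' and the request sits under that prefix ('clusters:*' covers
// 'clusters:kubeconfig'). Nothing else is implied: 'org:admin' never
// satisfies 'org:delete', which is what enforces the owner/admin boundary.
function matches(granted: string, requested: string): boolean {
  if (granted === requested) return true;
  if (granted.slice(-2) === ':*') {
    const prefix = granted.slice(0, -1); // 'clusters:*' -> 'clusters:'
    return requested.indexOf(prefix) === 0;
  }
  return false;
}

// Org-level check (billing, member management, delete/transfer).
function canInOrg(orgRole: OrgRole, requested: string): boolean {
  return orgPerms[orgRole].some((g) => matches(g, requested));
}

// Project-level check. The access level from getProjectAccess is the gate:
// when it is 'none' the request is denied outright, so an org member's
// org-level 'projects:read' cannot reach into a members_only project.
function canOnProject(
  orgRole: OrgRole,
  projectVisibility: Visibility,
  projectRole: ProjectRole | null | undefined,
  requested: string,
): boolean {
  const access = getProjectAccess(orgRole, projectVisibility, projectRole);
  if (access === 'none') return false;
  const grants = orgPerms[orgRole].concat(projectPerms[access]);
  return grants.some((g) => matches(g, requested));
}
```

Two design points follow from the tables on this page. First, the matcher only expands `:*` grants, so an org admin's `org:admin` and `org:write` never satisfy `org:delete` or `org:transfer`, while an owner's `org:*` does; the explicit `org:delete` and `org:transfer` entries in the owner list are then redundant with the wildcard but harmless. Second, project-scoped permissions must be checked through `canOnProject`, never `canInOrg`: a member's org-level `projects:read` and `clusters:read` describe what they can see in org-visible projects, and the `'none'` gate is what keeps those grants from applying to a `members_only` project they were never added to, matching the ❌ row of the Access Control Matrix.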