RBAC
Rivano uses role-based access control with three tenant-level roles and team-scoped overrides. Every API call and dashboard action is checked against the caller’s role and team memberships before the operation proceeds.
Roles
| Role | Description |
|---|---|
| owner | Full control. Can manage billing, SSO, delete the tenant, and assign any role. |
| admin | Manage agents, policies, teams, and API keys. Cannot change billing or delete the tenant. |
| member | Read access to agents, traces, and costs. Can create and manage their own API keys. |
Every tenant has at least one owner. You cannot remove the last owner from a tenant.
Assigning roles
Go to Settings → Team, find the member, and select a role from the dropdown. Role changes take effect immediately — active sessions pick up the new role on the next request.
Via the API:
curl -X POST https://api.rivano.ai/api/teams/{teamId}/members \
-H "Authorization: Bearer rv_api_..." \
-H "Content-Type: application/json" \
-d '{"userId": "user_abc123", "role": "admin"}'
Permission matrix
| Permission | owner | admin | member |
|---|---|---|---|
| View agents | ✓ | ✓ | ✓ |
| Create / update agents | ✓ | ✓ | — |
| Delete agents | ✓ | ✓ | — |
| View traces | ✓ | ✓ | ✓ |
| View costs | ✓ | ✓ | ✓ |
| Create / update policies | ✓ | ✓ | — |
| Delete policies | ✓ | ✓ | — |
| Manage team members | ✓ | ✓ | — |
| Create API keys (own) | ✓ | ✓ | ✓ |
| Delete any API key | ✓ | ✓ | — |
| Configure SSO | ✓ | — | — |
| Manage billing | ✓ | — | — |
| Delete tenant | ✓ | — | — |
Team-scoped access
Sub-teams let you restrict or elevate access to specific resource groups without changing a user’s tenant-level role.
Creating a team
curl -X POST https://api.rivano.ai/api/teams \
-H "Authorization: Bearer rv_api_..." \
-H "Content-Type: application/json" \
-d '{
"name": "platform-ops",
"description": "Platform engineering — full policy access"
}'
Configuring scopes
Set which resource types the team can access:
curl -X PUT https://api.rivano.ai/api/teams/{teamId}/scopes \
-H "Authorization: Bearer rv_api_..." \
-H "Content-Type: application/json" \
-d '{
"scopes": ["agents:read", "agents:write", "policies:read", "policies:write", "traces:read"]
}'
Available scopes:
| Scope | Effect |
|---|---|
| agents:read | View agent list and detail |
| agents:write | Create, update, delete agents |
| policies:read | View policies |
| policies:write | Create, update, delete policies |
| traces:read | View traces and spans |
| costs:read | View cost breakdowns and budgets |
| costs:write | Create and delete budgets |
| teams:read | View team members |
| teams:write | Manage team members |
| keys:read | View API key metadata |
| keys:write | Create and delete API keys |
| compliance:read | View compliance reports |
| audit:read | View audit log |
Adding members to a team
curl -X POST https://api.rivano.ai/api/teams/{teamId}/members \
-H "Authorization: Bearer rv_api_..." \
-H "Content-Type: application/json" \
-d '{"userId": "user_abc123"}'
Team scopes layer on top of tenant-level roles. A member added to a team that has the policies:write scope can manage policies, but only the resources that team is configured to access. Team scopes cannot exceed what an admin can do: there is no scope for configuring SSO, managing billing, or deleting the tenant, so those actions stay owner-only regardless of team membership.
Permission checks
Rivano performs two checks on every request:
- Role check — Is the caller’s tenant-level role allowed to perform this action?
- Scope check — If the resource is team-gated, is the caller a member of a team with the required scope?
Both checks must pass. If either fails, the request is rejected with 403 Forbidden and the body { "error": "Insufficient permissions" }; the response does not say which check failed.
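The rules on this page (the permission matrix, the last-owner rule under Roles, the admin ceiling on team scopes, and the two checks described in this section) as one runnable reference model. This is an added example, not Rivano's code or API: the Tenant and Team data shapes, the action names, the mapping from each action to the scope it needs on a team-gated resource, and the reading that a team scope can elevate a member only up to what an admin may do are assumptions made here so the rules can be unit-tested offline.

```python
# Reference model of the RBAC rules on this page (added example, not Rivano code).
# Data shapes, action names and the action -> scope mapping are assumptions.
from dataclasses import dataclass, field

ROLES = ("owner", "admin", "member")

# Permission matrix from the page: action -> tenant-level roles allowed to do it.
MATRIX = {
    "agents:view": {"owner", "admin", "member"},
    "agents:create_update": {"owner", "admin"},
    "agents:delete": {"owner", "admin"},
    "traces:view": {"owner", "admin", "member"},
    "costs:view": {"owner", "admin", "member"},
    "policies:create_update": {"owner", "admin"},
    "policies:delete": {"owner", "admin"},
    "teams:manage_members": {"owner", "admin"},
    "keys:create_own": {"owner", "admin", "member"},
    "keys:delete_any": {"owner", "admin"},
    "sso:configure": {"owner"},
    "billing:manage": {"owner"},
    "tenant:delete": {"owner"},
}

# Team scopes listed on the page. Nothing here covers SSO, billing or tenant
# deletion, which is what "cannot exceed what an admin can do" amounts to.
AVAILABLE_SCOPES = {
    "agents:read", "agents:write", "policies:read", "policies:write",
    "traces:read", "costs:read", "costs:write", "teams:read", "teams:write",
    "keys:read", "keys:write", "compliance:read", "audit:read",
}
# Assumed scope each action needs when the target resource is team-gated.
SCOPE_FOR = {
    "agents:view": "agents:read", "agents:create_update": "agents:write",
    "agents:delete": "agents:write", "traces:view": "traces:read",
    "costs:view": "costs:read", "policies:create_update": "policies:write",
    "policies:delete": "policies:write", "teams:manage_members": "teams:write",
    "keys:delete_any": "keys:write",
}

@dataclass
class Team:
    name: str
    scopes: set = field(default_factory=set)
    members: set = field(default_factory=set)   # user ids

@dataclass
class Tenant:
    roles: dict                                   # user id -> tenant-level role
    teams: dict = field(default_factory=dict)     # team name -> Team

class Forbidden(Exception):
    """Maps to HTTP 403 with {"error": "Insufficient permissions"}."""

def set_role(tenant, user_id, new_role):
    """Change a tenant-level role, refusing to remove the last owner."""
    if new_role not in ROLES:
        raise ValueError(f"unknown role {new_role!r}")
    owners = {u for u, r in tenant.roles.items() if r == "owner"}
    if tenant.roles.get(user_id) == "owner" and new_role != "owner" and owners == {user_id}:
        raise ValueError("cannot remove the last owner of a tenant")
    tenant.roles[user_id] = new_role

def set_scopes(team, scopes):
    """Configure team scopes; anything outside the published list is rejected."""
    unknown = set(scopes) - AVAILABLE_SCOPES
    if unknown:
        raise ValueError(f"scopes exceed what an admin can do: {sorted(unknown)}")
    team.scopes = set(scopes)

def authorize(tenant, user_id, action, gating_team=None):
    """The two checks from 'Permission checks'. gating_team names the team that
    owns the target resource, or is None when the resource is not team-gated."""
    if action not in MATRIX:
        raise ValueError(f"unknown action {action!r}")
    role = tenant.roles.get(user_id)
    if role is None:
        raise Forbidden("Insufficient permissions")   # not a tenant member at all
    required = SCOPE_FOR.get(action)
    team = tenant.teams.get(gating_team) if gating_team else None
    scope_granted = (team is not None and user_id in team.members
                     and required is not None and required in team.scopes)
    # Role check. A team scope may elevate a member within that team's resources,
    # but never beyond what an admin can do (assumed reading of the page).
    role_ok = role in MATRIX[action] or (scope_granted and "admin" in MATRIX[action])
    # Scope check. Applies only to team-gated resources.
    scope_ok = gating_team is None or scope_granted
    if not (role_ok and scope_ok):
        raise Forbidden("Insufficient permissions")
    return True

def demo():
    """Constructed sample tenant; returns the status each request would get."""
    t = Tenant(roles={"user_owner": "owner", "user_admin": "admin", "user_abc123": "member"})
    ops = Team("platform-ops")
    set_scopes(ops, ["agents:read", "agents:write", "policies:read", "policies:write", "traces:read"])
    ops.members.add("user_abc123")
    t.teams[ops.name] = ops
    results = {}
    for who, action, gate in [
        ("user_abc123", "agents:view", None),                       # member reads
        ("user_abc123", "policies:create_update", None),            # member writes tenant policy
        ("user_abc123", "policies:create_update", "platform-ops"),  # elevated by team scope
        ("user_admin", "policies:create_update", "platform-ops"),   # admin not in the team
        ("user_owner", "sso:configure", None),                      # owner-only action
    ]:
        try:
            authorize(t, who, action, gate)
            results[(who, action, gate)] = 200
        except Forbidden:
            results[(who, action, gate)] = 403
    return t, results
```

demo() builds a tenant with one owner, one admin and the member user_abc123 in platform-ops: the member can write a policy only on a platform-ops resource, the admin who is not in that team is refused there, and no scope can grant sso:configure. set_role refuses to demote the only owner until a second owner exists.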
Related
- Multi-Tenancy — Tenant isolation and data boundaries
- Authentication — How roles are resolved from session and API key
- Teams API — REST endpoints for team management
- Dashboard Settings — Settings → Team UI walkthrough