Permissions Supported by the Authentication Layer
The NocodilySuite IAM API controls access to resources through roles.
Roles can be assigned to service accounts, organization members, and team members,
and the required role is defined for each type of operation (read, update, delete, etc.).
Basic Authorization Rules
- Admin users can perform all operations
- Service accounts apply only to admin endpoints; they are not used for end-user-facing endpoints
- Custom roles: you can register custom roles in the IAM API and apply role-based authorization to microservice API endpoints
Built-in Roles
Roles for Service Accounts
| Role | Overview |
|---|---|
| ServiceAccountAdmin | Equivalent to admin. All operations are permitted |
| ServiceAccountWriter | Can create, update, and delete organization and team data |
| ServiceAccountReader | Read-only access to organization and team data |
Roles for Organization Members
| Role | Overview |
|---|---|
| OrganizationAdmin | Organization administrator. Can update/delete organization info and manage members |
| OrganizationManager | Can update member permissions and manage storage |
| OrganizationMember | Can view organization info and member list |
Roles for Team Members (when team concept is enabled)
| Role | Overview |
|---|---|
| TeamAdmin | Team administrator. Can update/delete team info and manage members |
| TeamManager | Can add team members, update permissions, and manage storage |
| TeamMember | Can view team info and member list |
Required Roles per Operation — Team Concept Disabled
Role requirements for a simple configuration without teams within an organization.
| Operation | Required Roles |
|---|---|
| Update/delete organization master info; add/remove organization admin members | ServiceAccountAdmin / ServiceAccountWriter / OrganizationAdmin |
| Update member permissions or storage | ServiceAccountAdmin / ServiceAccountWriter / OrganizationAdmin / OrganizationManager |
| View organization master info, members, or storage | ServiceAccountAdmin / ServiceAccountWriter / ServiceAccountReader / OrganizationAdmin / OrganizationManager / OrganizationMember |
Required Roles per Operation — Team Concept Enabled
Role requirements for a configuration where teams exist under an organization.
| Operation | Required Roles |
|---|---|
| Update/delete organization master info; add organization admin members | ServiceAccountAdmin / ServiceAccountWriter / OrganizationAdmin |
| Create a team | ServiceAccountAdmin / ServiceAccountWriter / OrganizationAdmin |
| Update/delete team master info | ServiceAccountAdmin / ServiceAccountWriter / OrganizationAdmin / TeamAdmin |
| Add team members, update permissions, or manage storage | ServiceAccountAdmin / ServiceAccountWriter / OrganizationAdmin / TeamAdmin / TeamManager |
| View team master info, members, or storage | ServiceAccountAdmin / ServiceAccountWriter / ServiceAccountReader / OrganizationAdmin / TeamAdmin / TeamManager / TeamMember |
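The two tables above are, in effect, a lookup from operation to the set of roles that satisfy it. The following is an added example, not code from the NocodilySuite IAM API, that transcribes both matrices into a deny-by-default check; the operation names (`org.update`, `team.read`, etc.) and the `admin_endpoint` flag modelling the service-account rule are assumptions, and team roles are treated as global here, whereas a real deployment would also scope them to the team being acted on.

```python
"""Deny-by-default role check transcribed from the built-in role matrices (illustrative)."""
from typing import Dict, FrozenSet, Iterable

SA_ADMIN, SA_WRITER, SA_READER = "ServiceAccountAdmin", "ServiceAccountWriter", "ServiceAccountReader"
ORG_ADMIN, ORG_MANAGER, ORG_MEMBER = "OrganizationAdmin", "OrganizationManager", "OrganizationMember"
TEAM_ADMIN, TEAM_MANAGER, TEAM_MEMBER = "TeamAdmin", "TeamManager", "TeamMember"
SERVICE_ACCOUNT_ROLES = frozenset({SA_ADMIN, SA_WRITER, SA_READER})

# Operation labels are assumed; the role sets are copied row by row from the tables.
# Keyed by "team concept enabled" so the two configurations cannot be mixed up.
MATRIX: Dict[bool, Dict[str, FrozenSet[str]]] = {
    False: {  # team concept disabled
        "org.update": frozenset({SA_ADMIN, SA_WRITER, ORG_ADMIN}),
        "org.members.update": frozenset({SA_ADMIN, SA_WRITER, ORG_ADMIN, ORG_MANAGER}),
        "org.read": frozenset({SA_ADMIN, SA_WRITER, SA_READER, ORG_ADMIN, ORG_MANAGER, ORG_MEMBER}),
    },
    True: {  # team concept enabled
        "org.update": frozenset({SA_ADMIN, SA_WRITER, ORG_ADMIN}),
        "team.create": frozenset({SA_ADMIN, SA_WRITER, ORG_ADMIN}),
        "team.update": frozenset({SA_ADMIN, SA_WRITER, ORG_ADMIN, TEAM_ADMIN}),
        "team.members.update": frozenset({SA_ADMIN, SA_WRITER, ORG_ADMIN, TEAM_ADMIN, TEAM_MANAGER}),
        "team.read": frozenset({SA_ADMIN, SA_WRITER, SA_READER, ORG_ADMIN, TEAM_ADMIN, TEAM_MANAGER, TEAM_MEMBER}),
    },
}


def is_authorized(roles: Iterable[str], operation: str, *, teams_enabled: bool, admin_endpoint: bool = True) -> bool:
    """Allow only if a held role appears in the matrix row for this operation.

    Unknown operations, unknown roles and an empty role set are all denied.
    A principal holding only service-account roles is refused on end-user-facing
    endpoints, following the rule that service accounts apply to admin endpoints only.
    """
    held = frozenset(roles)
    if not admin_endpoint and held <= SERVICE_ACCOUNT_ROLES:
        return False
    allowed = MATRIX[teams_enabled].get(operation)
    if allowed is None:
        return False
    return bool(held & allowed)


if __name__ == "__main__":
    # TeamManager may manage members but may not rewrite the team's master info.
    print(is_authorized([TEAM_MANAGER], "team.members.update", teams_enabled=True))  # True
    print(is_authorized([TEAM_MANAGER], "team.update", teams_enabled=True))          # False
```

Because the per-configuration rows are separate, a team operation is denied outright when the team concept is disabled, which is the safer failure for a misconfigured tenant.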
Custom Roles
In addition to the built-in roles above, you can register custom roles in the IAM API to meet your business requirements.
Custom roles can be applied to microservice API endpoints to enforce access control such as
"only users with this role can access this endpoint."
See also → Authentication Foundation API (IAM API)