Roles & Permissions

Role-based access control for ATLAS. Each role maps to specific scopes that gate API and UI operations.

Role Definitions

admin

Full access to all capabilities, teams, runtime, and admin functions.

capability:readcapability:writecapability:manageteam:readteam:writeteam:manageruntime:planadmin:*

editor

Can create and edit capabilities and teams. Cannot delete or manage admin settings.

capability:readcapability:writeteam:readteam:writeruntime:plan

viewer

Read-only access to the catalog, teams, and governance dashboards.

capability:readteam:read

team_lead

Can manage their own team and its capabilities. Cannot modify other teams.

capability:readcapability:writeteam:readteam:writeteam:manage

Scope	Operations	Roles
capability:read	GET /v1/capabilities, /v1/catalog	all
capability:write	POST, PATCH /v1/capabilities	admin, editor, team_lead
capability:manage	DELETE /v1/capabilities	admin
team:read	GET /v1/teams	all
team:write	POST, PATCH /v1/teams	admin, editor, team_lead
team:manage	DELETE /v1/teams	admin, team_lead
runtime:plan	POST /v1/runtime/*, health probes, gateway status	admin, editor
admin:*	POST /admin/seed, /admin/migrate, settings	admin