Roles and permissions
| If you authenticated your CircleCI account with GitLab or the CircleCI GitHub App, the content on this page applies to you. |
Manage user access to organizations and projects with CircleCI roles and associated permissions. By default, users can access projects based on roles set at an organization level. For more granular control, you can assign roles at the project level. Manage roles for groups of users with groups.
Quickstart
For instructions on managing roles and permissions, see the Manage roles and permissions page. For more information on managing project roles for groups of users, see the manage-groups page.
Organization role permissions matrix
The table below shows the permissions associated with each CircleCI organization role:
| ACTIONS | ORGANIZATION ROLES | ||
|---|---|---|---|
Admin | Contributor | Viewer | |
Organization | |||
Create namespace | |||
Manage namespace | |||
View org settings | |||
Manage org settings | |||
View org access | |||
Manage org access | |||
View org credentials | |||
View org policies | |||
Manage org policies | |||
View org connections | |||
Manage org connections | |||
Manage org credentials | |||
View org audit logs | |||
View plan | |||
Manage plan | |||
Insights | |||
View org insights | |||
Runner | |||
View runners | |||
Manage runners | |||
Projects | |||
View projects | |||
Create projects | |||
Manage project settings | |||
Contexts | |||
View contexts | |||
Use contexts | |||
Edit context variables | |||
Manage contexts | |||
Orbs | |||
Create/update orb | |||
View private orb | |||
Publish development orb | |||
Publish orb | |||
Webhooks | |||
View org webhooks | |||
Manage org webhooks | |||
View project webhooks | |||
Manage project webhooks | |||
Schedule | |||
View schedule | |||
Edit schedule | |||
Triggers | |||
View triggers | |||
Trigger re-run via the CircleCI web app | |||
Edit triggers | |||
Config sources | |||
View config sources | |||
Edit config sources | |||
Releases | |||
Create environment integration | |||
Delete environment integration | |||
View environment integration | |||
Create environment integration token | |||
Revoke environment integration token | |||
List environment integration token | |||
View components | |||
View releases | |||
Project role permissions matrix
The table below shows the permissions associated with each CircleCI project role:
| ACTIONS | PROJECT ROLES | ||
|---|---|---|---|
Admin | Contributor | Viewer | |
Projects | |||
View projects | |||
View project access | |||
View project credentials | |||
Manage project | |||
Webhooks | |||
View project webhooks | |||
Manage project webhooks | |||
Schedule | |||
View schedule | |||
Edit schedule | |||
Triggers | |||
View triggers | |||
Trigger build | |||
Edit triggers | |||
Contexts | |||
View contexts | |||
Use contexts | |||
Edit context variables | |||
Manage contexts | |||
Config sources | |||
View config sources | |||
Edit config sources | |||
Releases | |||
Restore component version | |||
Restart component | |||
Scale component | |||
Cancel release | |||
Promote release steps | |||
Retry release | |||
Permissions scope
Your CircleCI roles and associated permissions are not derived from the permissions set in your VCS (version control system). Your CircleCI role permissions do not allow you to bypass permissions in the VCS.
For example, you may be an Organization Administrator within CircleCI, which gives you access to view and modify organization and project settings within your CircleCI organization. However, you will not be able to edit a project’s .circleci/config.yml hosted in your VCS without your user also having the write permissions within that VCS’s repository project. Your CircleCI user’s VCS permissions are determined by its associated VCS identity.
Role hierarchy across groups and individuals
Users can have roles assigned to them both individually and as part of a group. The highest role always applies. For example, if a user has the role of admin assigned for a project, and that user is also part of a group with the role of contributor for the project, the user will still have admin permissions for the project.