Enterprise
Roles and Permissions
Roles define who can manage organizations, projects, keys, usage visibility, billing, and security settings.
Current role model
| Role | Typical owner | Main responsibility |
|---|---|---|
| Admin | Platform or IT lead | Organization-wide control |
| Project Owner | Team or product lead | Project-level operations |
| Member | Developer or builder | Day-to-day API usage |
| Finance | Billing owner | Billing and invoices |
Practical access split
| Area | Admin | Project Owner | Member | Finance |
|---|---|---|---|---|
| organization settings | full | none | none | none |
| member management | full | project-scoped | none | none |
| key management | full | project-scoped | own resources only | none |
| usage visibility | full | project-scoped | own or assigned context | none |
| billing and invoices | full | none | none | finance workflows |
Project scoping matters
Project Owner and Member permissions are limited by project context:
- Project Owner manages people, keys, and usage inside the current project
- Member works only with their own or assigned project resources
Assignment guidance
| Situation | Recommended role |
|---|---|
| User must manage organization settings, SSO, members, and billing ownership | Admin |
| User owns one product team or environment | Project Owner for that project |
| User only needs to call APIs or view assigned resources | Member |
| User handles invoices, renewals, or finance review | Finance |
Separation of duties
For production organizations, avoid putting every responsibility on one shared admin account.
| Duty | Recommended owner |
|---|---|
| Key creation and rotation | Admin or Project Owner |
| Day-to-day API usage | Member or service account key owned by a project |
| Billing review | Finance owner, with Admin visibility if needed |
| SSO and security policy | Admin plus security owner |
| Usage investigation | Admin for organization-wide view, Project Owner for project scope |
Access review checklist
Review role assignments regularly and after team changes:
- Remove users who no longer need access.
- Downgrade Admins who only need project-level control.
- Confirm production API keys still have a named owner.
- Confirm finance users can reach invoice and renewal workflows.
- Check that each project has at least one accountable owner.
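
The checklist can be partly automated against an export of members, keys, and projects. The following is an added example, not product code: the record fields (`org_duties`, `env`, `owner`, `projects`), the `active_staff` roster, and all sample data are constructed assumptions. The finance workflow check is left to manual review.

```python
# Added example: record shapes and sample data are constructed, not a product export.
def review_access(members, keys, projects, active_staff):
    """Apply the access review checklist; return sorted (finding, subject) pairs."""
    findings = set()
    # Only members still on the staff roster count as valid owners.
    active = {m["email"]: m for m in members if m["email"] in active_staff}
    for m in members:
        if m["email"] not in active:
            findings.add(("remove-user", m["email"]))        # no longer needs access
        elif m["role"] == "Admin" and not m.get("org_duties"):
            findings.add(("downgrade-admin", m["email"]))    # no organization-level duty
    for k in keys:
        # A production key owned by nobody, or by a departed user, has no named owner.
        if k["env"] == "production" and k.get("owner") not in active:
            findings.add(("key-without-owner", k["id"]))
    owned = {p for m in active.values() if m["role"] == "Project Owner"
             for p in m.get("projects", [])}
    for p in projects:
        if p not in owned:
            findings.add(("project-without-owner", p))       # no accountable owner
    return sorted(findings)

# Constructed sample data
MEMBERS = [
    {"email": "ana@example.com", "role": "Admin", "org_duties": ["sso", "billing ownership"]},
    {"email": "bo@example.com", "role": "Admin", "org_duties": [], "projects": ["search"]},
    {"email": "cy@example.com", "role": "Project Owner", "projects": ["search"]},
    {"email": "di@example.com", "role": "Project Owner", "projects": ["chat"]},
    {"email": "ed@example.com", "role": "Member", "projects": ["chat"]},
    {"email": "fay@example.com", "role": "Finance"},
]
KEYS = [
    {"id": "key-1", "env": "production", "owner": "cy@example.com"},
    {"id": "key-2", "env": "production", "owner": "di@example.com"},
    {"id": "key-3", "env": "production", "owner": None},
    {"id": "key-4", "env": "staging", "owner": None},
]
PROJECTS = ["search", "chat"]
# di@example.com has left the team and is absent from the roster.
ACTIVE_STAFF = {"ana@example.com", "bo@example.com", "cy@example.com",
                "ed@example.com", "fay@example.com"}

if __name__ == "__main__":
    for finding, subject in review_access(MEMBERS, KEYS, PROJECTS, ACTIVE_STAFF):
        print(f"{finding}: {subject}")
```

A departed Project Owner surfaces three ways in the output: as a user to remove, as the owner of an orphaned production key, and as the reason a project has no accountable owner.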
Fine-grained permissions
The table above is an outcome-level map. Enterprise accounts may use additional fine-grained controls depending on rollout stage and account configuration.