Roles & Permissions

Control access with organization and team roles, assign built-in or custom roles, and auto-assign them through SSO.

6 min readUpdated Jul 9, 2026

Enterprise feature

Contact sales@fossa.com for details.

Overview

Role-Based Access Control (RBAC) governs which FOSSA features a user can reach, which projects they can see, and what they're allowed to do with them. Access is granted two ways: an organization role that applies across your whole org, and team roles that scope access to specific projects and release groups.

How RBAC works

There are two scopes, and a user's effective access is the combination of both:

  • Organization role: applies to every project in the organization and to org-level settings such as billing, policies, and user management. A user has at most one organization role.
  • Team roles: scope access to the projects and release groups owned by a team. A user is assigned a role in each team they belong to, and can be on multiple teams.

A user can have no organization role at all. In that case they get no org-level access, only the projects granted through their team memberships.

Organization roles

Assign organization roles on the Settings → Organization → Users page. Admin, Editor, and Viewer are built in and can't be edited or deleted. None isn't a role, it's the option you pick to leave a user with no organization role at all.

Roles settings page listing the built-in Admin, Editor, Team Admin, Team Editor, Team Viewer, and Viewer roles with an Add Role button
RoleAccess
AdminFull access to every project; import projects; create, edit, and delete policies; manage teams, users, and roles; access and change billing; correct licensing information and metadata for dependencies.
EditorFull access to every project; import projects; view and edit policies; change project settings; rebuild and rescan projects; correct licensing information and metadata for dependencies.
ViewerRead-only access to all projects, issues, and policies. Cannot import projects, create Jira tickets, modify packages, or resolve issues.
NoneNo organization-level access. The user can only reach projects granted through their team memberships.

Note

New users are assigned your organization's default role, configured under Default Role for New Users on the Organization settings page. Set it to match how much access new members should get out of the box.

Team roles

Manage teams on the Settings → Organization → Teams page. A user with a team role must belong to a team before they can see any projects. The three team roles are built in and can't be edited or deleted.

RoleAccess (within their teams only)
Team AdminImport and delete projects; change project settings and metadata; rebuild and rescan projects; manage the team's users; manage team options.
Team EditorImport projects; change project settings; rebuild and rescan projects.
Team ViewerRead-only access to the team's projects.

Team roles only grant access to that team's projects, not to org-wide features like policies.

Warning

Team Admins and Team Editors have full access to project metadata, but editing a dependency changes it across the entire organization. That requires an organization role (Admin or Editor), a team role alone isn't enough.

Assigning an organization role

  1. 1

    Open the Users page

    Go to Settings → Organization → Users.

  2. 2

    Set the user's role

    Find the user and assign Admin, Editor, Viewer, or None. None leaves the user with no organization role, limiting them to team-based access.

Creating teams and assigning team roles

Teams gate which projects a user can see. Create a team, add members, and give each member a team role.

  1. 1

    Open the Teams page

    Go to Settings → Organization → Teams.

  2. 2

    Create or open a team

    Create a new team, or open an existing one to manage its members and projects.

  3. 3

    Add users and assign team roles

    Add users to the team and give each one a team role, Team Admin, Team Editor, or Team Viewer.

  4. 4

    Add projects

    Add the projects and release groups the team should have access to.

Creating a custom role

Beyond the built-in roles, you can create custom roles with your own set of permissions at either the organization or team scope.

  1. 1

    Choose the scope

    When you create a role, choose its scope, Organization or Team. The scope determines which permissions are available; some org-level capabilities, such as managing users, can only be granted by an organization-scoped role.

  2. 2

    Select permissions

    Select every permission that users with this role should have.

  3. 3

    Save and assign

    Save the role, then assign it to users just like a built-in role.

Warning

A role's scope can't be changed after it's created. To move a role to a different scope, create a new one.

Auto-assigning roles through SSO

When integrated with Single Sign-On, FOSSA can assign organization roles and team memberships from SAML attributes every time a user logs in.

role attribute; sets the user's organization role. Accepted values are case-insensitive:

ValueRole
adminAdmin
editorEditor
viewerViewer

Any other value is matched against an organization-scoped custom role of that name.

teams attribute, a team name or list of team names. FOSSA assigns the user to exactly those teams; any team that doesn't already exist is created automatically.

Note

Configuring these attributes is part of your SAML setup. See Single Sign-On, or contact support@fossa.com for help.

FAQ

Can I edit or delete the built-in roles? No. The three organization roles and three team roles are built in and can't be changed or removed. Create a custom role instead.

What happens if a user has no organization role? They get no organization-level access. They can still see and work on projects through any teams they belong to, according to their team role.

Can a team role let someone edit a dependency? No. Editing a dependency changes it across the whole organization, so it requires an organization role (Admin or Editor), even for Team Admins and Team Editors.

Can I change a custom role's scope after creating it? No. Scope is fixed at creation. Create a new role with the scope you need.

Why don't email invites appear for my organization? If you use SSO, email invites are disabled and users join through the SSO sign-on flow instead. See Inviting Users.

What's next

© 2026 FOSSA, Inc.support@fossa.com