Tutorial: How to Manage Roles
Overview
Bytebase uses RBAC (Role-Based Access Control) to manage permissions. A role is a collection of permissions that can be granted to users and user groups.Permission Scope
Permissions in Bytebase apply to two levels of resources:- Workspace-level resources: Settings, instances, environments, and overall workspace management
- Project-level resources: Project settings, databases, issues, and project-specific operations
Role Types
Bytebase provides two types of roles:Built-in Roles
Workspace roles:Workspace Admin- Full administrative controlWorkspace DBA- Database administration across all projectsWorkspace Member- Basic access (automatically assigned to all users)
Project Owner- Full control over project resourcesProject Developer- Create and manage database changes; create Export issues for one-time exportsProject Releaser- Approve and release changesSQL Editor User(formerlyProject Querier) - Query in SQL Editor; export results directly from the EditorProject Viewer- Read-only accessGitOps Service Agent- Automated CI/CD workflows to create and execute database changes via GitOps
Custom Roles
Organizations can create custom roles with specific permission sets tailored to their needs. Custom roles are defined at the workspace level and can be granted at both workspace and project levels.Granting Roles
Roles are granted through IAM policies at two levels:-
Workspace IAM Policy (Workspace > Members page)
- Grant roles that apply across all projects
- Manage workspace-level permissions
-
Project IAM Policy (Project > Members page)
- Grant roles for specific project resources
- Inherits roles granted at the workspace level

Creating Custom Roles
- Navigate to IAM & Admin > Custom Roles
- Click Add role
- Configure permissions for your new role

Granting Roles in IAM Policy
Roles (both built-in and custom) can be assigned to users and groups through the Members page at either workspace or project level:- Navigate to Members page (either in Workspace or specific Project)
- Click Grant Access to add users or groups
- Select the appropriate roles to grant
- Confirm to apply the IAM policy changes

Appendix
Workspace Role Permissions
By default, the first registered user is granted theAdmin role, all following registered users are granted Member role. Admin can update any user’s role later.
Project Role Permissions
Any user can create project. By default, the project creator is granted theProject Owner role. Workspace DBA and Workspace Admin assume the Project Owner role for all projects.
Database Permissions
Bytebase does not define database specific roles. Whether a user can perform certain action to the database is based on the user’s Workspace role and the role of the project owning the database.Sheet Permissions
User can save sheets from SQL Editor. A sheet always belongs to a project. Sheet has three visibility levels:- Private
- Project
- Public
Private Sheet
Project Sheet
Public Sheet
Issue Permissions
*
Project Owner can change issue status when the current active Environment Rollout Policy is set to Require manual rolling out.
