Roles
Admin
Full platform access including multi-tenant management. Intended for platform administrators who manage multiple organizations.
Owner
Full access within their own tenant — incidents, team management, billing, and configuration. Typical role for engineering leads and team managers.
Operator
Can triage incidents, run investigations, and approve or reject remediations. Cannot manage team members, billing, or tenant configuration. Typical role for on-call engineers.
Viewer
Read-only access to incidents, investigation results, and audit trail. Cannot create incidents or take any action. Typical role for stakeholders and executives.
Permission matrix
| Action | Admin | Owner | Operator | Viewer |
|---|---|---|---|---|
| View incidents and investigations | Yes | Yes | Yes | Yes |
| View audit trail | Yes | Yes | Yes | Yes |
| Create incidents manually | Yes | Yes | Yes | No |
| Triage and investigate incidents | Yes | Yes | Yes | No |
| Approve or reject remediations | Yes | Yes | Yes | No |
| Manage team members and roles | Yes | Yes | No | No |
| Manage API keys | Yes | Yes | No | No |
| Configure integrations | Yes | Yes | No | No |
| Manage investigation policy | Yes | Yes | No | No |
| Manage billing and subscription | Yes | Yes | No | No |
| Create and manage tenants | Yes | No | No | No |
| Manage all tenants (platform-wide) | Yes | No | No | No |
Assigning roles
Roles are assigned per tenant. A user can have different roles in different tenants (for example, Owner in their primary tenant and Viewer in a partner tenant). To assign or change a role:
- Go to Dashboard > Team.
- Find the team member and click Edit.
- Select the new role from the dropdown.
- Click Save.
To invite a new member:
- Go to Dashboard > Team.
- Click Invite member.
- Enter their email and select a role.
- Click Send invite.
Tenant isolation
Every request in CauseFlow is scoped to the tenant_id claim in the user’s JWT token. This is enforced at the data access layer — not just the application layer.
DynamoDB partition keys include tenant_id as a component. A query for tenant A’s incidents cannot physically return tenant B’s data, even in the event of a logic error. There is no shared-data model where misconfiguration could expose cross-tenant records.
Consequences:
- Users cannot access data outside their tenant, regardless of their role
- Support engineers cannot view customer data without an explicit tenant-scoped token
- Platform admins (admin role) create and manage tenants but access tenant data only through tenant-scoped sessions
RBAC enforcement in the API
RBAC checks happen server-side on every API request. The client cannot escalate privileges by modifying the request. If a request requires a permission the caller’s roles do not have, the API returns 403 Forbidden.
Role checks are not cached — they are evaluated on every request against the current state of the user’s roles. If a user’s role is changed, the new permissions take effect on their next API request.
Changing a user’s role does not invalidate their existing JWT token immediately. The token continues to carry the previous roles until it expires or is refreshed. For immediate role changes (for example, offboarding), revoke the user’s session from Dashboard > Team > Revoke access.
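The sketch below is an added example, not CauseFlow's own code. It shows the two server-side checks described under Tenant isolation and RBAC enforcement: a deny-by-default lookup against the permission matrix, and a partition key built only from the token's tenant_id claim. The action identifiers, the `roles` claim layout and the `TENANT#`/`INCIDENT#` key format are assumptions, and the claims are assumed to come from a JWT whose signature has already been verified.

```python
# Added example with constructed names; not CauseFlow's implementation.
ALL = frozenset({"admin", "owner", "operator", "viewer"})
ACTING = frozenset({"admin", "owner", "operator"})
MANAGING = frozenset({"admin", "owner"})

# Roles allowed per action, transcribed from the permission matrix.
# The action identifiers are hypothetical.
PERMISSIONS = {
    "incidents:view": ALL,
    "audit:view": ALL,
    "incidents:create": ACTING,
    "remediations:decide": ACTING,
    "team:manage": MANAGING,
    "billing:manage": MANAGING,
    "tenants:manage": frozenset({"admin"}),
}


class Forbidden(Exception):
    status = 403


def authorize(claims, action):
    """Raise Forbidden unless one of the caller's roles grants the action."""
    allowed = PERMISSIONS.get(action, frozenset())  # unknown action: deny
    if not allowed.intersection(claims.get("roles", [])):
        raise Forbidden(action)


def incident_key(claims, incident_id):
    """Build the lookup key from the verified token, never from the request."""
    tenant_id = claims.get("tenant_id")
    if not tenant_id:
        raise Forbidden("token carries no tenant_id claim")
    # Assumed key layout: tenant_id is a component of the partition key.
    return {"pk": f"TENANT#{tenant_id}", "sk": f"INCIDENT#{incident_id}"}


def handle(claims, action, params):
    """Return (status, key). params is client-controlled and untrusted."""
    try:
        authorize(claims, action)
        # Any tenant_id the client put in params is ignored here.
        return 200, incident_key(claims, params["incident_id"])
    except Forbidden as exc:
        return exc.status, None
```

Because the key is derived from the token, a request body that names another tenant still resolves to the caller's own partition.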