Granular permission matrix
Orinel uses workspace-level roles (owner, admin, editor, viewer) and profile roles (analyst, scientist, engineer) for access control. RLS in the database enforces these; the matrix below is the source for documentation and procurement.
Workspace roles
Each member has one role per workspace. Permissions are cumulative (owner has all).
| Capability | owner | admin | editor | viewer |
|---|---|---|---|---|
| View workspace & projects | ✓ | ✓ | ✓ | ✓ |
| Create project | ✓ | ✓ | ✓ | — |
| Edit / delete project | ✓ | ✓ | ✓ | — |
| Manage members (invite, remove, change role) | ✓ | ✓ | — | — |
| Delete workspace | ✓ | — | — | — |
Profile roles (dashboard access)
Each user has a profile role that determines which dashboard they see (Analyst, Scientist, Engineer). Workspace permissions apply on top.
| Role | Dashboard path |
|---|---|
| Data Analyst | /dashboard/analyst |
| Data Scientist | /dashboard/scientist |
| Data Engineer | /dashboard/engineer |
| Viewer | /dashboard/dashboards |
| Admin | /dashboard/admin |
Compliance & audit
- Audit log export: Requires dedicated compliance key (header
X-Compliance-Key). See Audit log export. - Per-user audit: Authenticated users can read their own activity via
GET /api/observability/audit.