Permissions allow for the management of read/write access to various features of Permissions can be managed for the members of your organization through the members section of organization settings.

Permissions are a hierarchy of keywords separated by periods (.) using star (*) as a wildcard.


settings.billing.tier equates to the organziation billing tier setting permission.

settings.* equates to all organziation settings permissions.

* equates to all permissions.


Access to view the organization dashboard (recent commits, custom domains, new installations, organization settings) is managed thorugh the dashboard keyword.


Access to install on new repositories is managed through the install keyword.


Access to perform actions on repositories is managed the the repo keyword.

Access to perform actions on a specific repository is managed through the repo.<reposirory name> keyword. Repository names are lower cased and have both spaces and periods replaced with dashes(-). For example, a repository helloWorld/my first.program is normalized to helloWorld/my-first-program

Staging Terminal

Access to the debugging terminal of a staging server is managed through the repo.<reposirory name>.stagingterm keyword.

Repository Controls

Repository controls are managed through the controls keyword with the following permissions:

  • repo.<reposirory name>.controls.retry the ability to retry a run
  • repo.<reposirory name>.controls.cancel the ability to cancel a run
  • repo.<reposirory name>.controls.button the ability to click buttons defined in Layerfiles


Access to read and write secrets is managed though the secrets keyword.


Access to read and write organization settings are managed through the settings keyword.


Organization membership management has the following permissions:

  • settings.members.roles alter member roles
  • settings.members.users alter organization’s users
  • settings.members.users.invite invite users to organization


Organization billing settings have the following permissions:

  • settings.billing.tier manage organization billing tier
  • settings.billing.payment manage organization payment method


An organization has two role groups by default, owners and members. Owners have read/write access to all parts of the organization, members have a subset. Members start with the default permissions of:

  • dashboard
  • repo.*.controls.cancel
  • repo.*.controls.retry
  • repo.*.controls.stagingterm

Permissions can be granted to role groups in the members section of organization settings.

To add additional role groups contact support at [email protected].