Access Control
Role-based access control for organizations, teams, and environments
Hanzo Platform provides enterprise-grade role-based access control (RBAC) that governs who can do what across your organizations, clusters, and environments.
How It Works
Access control is enforced at three layers:
| Layer | Controls | Example |
|---|---|---|
| Organization | Membership and roles | Who belongs to the org, with what role |
| Cluster | Per-cluster permissions | Who can deploy to production vs. staging |
| Environment | Protection rules | Whether production requires approval |
Role Hierarchy
Every organization member is assigned exactly one role:
Owner > Admin > Developer > Billing > ViewerMultiple users can hold the Owner role simultaneously, similar to GitHub's model. See Roles for the full permission matrix.
Key Concepts
Organizations
Organizations are the top-level grouping. Each org has its own members, clusters, projects, and billing. Users can belong to multiple organizations and switch between them.
Cluster Permissions
Within an organization, access to individual clusters is controlled separately. A Developer might have deploy access to the staging cluster but only view access to production. See Cluster Permissions.
Environment Protection
Critical environments (like production) can be protected with approval workflows. Three protection levels are available: none, restricted, and locked. See Environment Protection.
Invitations
New members are added via email invitations. Existing platform users are auto-accepted. See Invitations.
Audit Trail
All access control changes are logged with full audit history:
- Role assignments and changes
- Cluster permission grants and revocations
- Environment protection rule modifications
- Invitation sends and acceptances
Access the audit log from Settings > Audit Log in the dashboard.
How is this guide?
Last updated on