Roles & Permissions

Each org member holds one role. Owner, admin, member, and viewer sit on a strict hierarchy (owner > admin > member > viewer). Billing and executive are orthogonal personas — billing sees only invoices and cost rollups; executive is read-only across data, cost, and billing.

Role Reference

ownerFull control. Can rename or delete the org, manage billing, and reassign every other role.

adminDay-to-day operator. Manages members, API keys, tag rules, budgets, and ROI settings — but not org-level metadata or billing.

memberDefault seat. Reads every usage / analytics surface but cannot change settings.

viewerStrict read-only. Same surfaces as member without any write paths — good for auditors or onboarding new hires.

billingFinance-only seat. Sees billing email and cost rollups; explicitly cannot see per-request data or analytics.

executiveRead-only leadership view. Full visibility across data, cost, and billing — no write access anywhere.

Capability Matrix

Capability	owner	admin	member	viewer	billing	executive
Manage organization Rename org, set billing email, delete org.	●	○	○	○	○	○
Manage members & invites Invite, change roles, remove members.	●	●	○	○	○	○
Manage API keys Issue and disable proxy bearer tokens.	●	●	○	○	○	○
Manage tag rules Create and delete server-side tagging rules.	●	●	○	○	○	○
Manage budgets Set and remove spend budgets.	●	●	○	○	○	○
Manage ROI settings Configure value-per-token calculations.	●	●	○	○	○	○
View usage & analytics Access overview, usage breakdowns, tag analytics.	●	●	●	●	○	●
View billing See invoices and billing email (Stripe wiring TBD).	●	○	○	○	●	●
View cost & ROI See cost dashboards, budgets, ROI rollups.	●	●	●	●	●	●

Server-side enforcement lives in apps/api-backend/internal/auth/rbac.go — this matrix is a faithful mirror; the API will 403 if the UI ever drifts.