Roles & permissions
Built-in roles, the permission matrix, and Enterprise custom roles in Manufact Cloud.
Access in Manufact Cloud is controlled per organization by role-based access control (RBAC). Every member has a role, and each role grants a set of permissions expressed as resource + action pairs (for example, server: create or deployment: delete).
Built-in roles
Three built-in roles are available on every plan and cover most teams. See Team for how to invite members and assign roles.
| Role | Summary |
|---|---|
| Owner | Everything an admin can do, plus manage billing and delete the organization. Can invite/promote any role, including other owners. |
| Admin | Full operational access plus billing. Cannot delete the organization or promote to owner. |
| Member | Full operational access to build and deploy. Cannot change billing, manage custom roles, or delete the organization. |
The built-in member role is not read-only — members can create, update, and delete servers, deployments, agents, API keys, domains, and GitHub integrations. To give someone narrower access, use an Enterprise custom role.
Permission matrix
Roles are built from these resources and actions. The Roles & permissions panel on the Team page shows the same matrix and is the source of truth for what a custom role can be granted.
| Resource | Actions | Member | Admin | Owner |
|---|---|---|---|---|
| Organization | view, update, delete | view, update | view, update | view, update, delete |
| Members | create, update, delete | yes | yes | yes |
| Invitations | create, cancel | yes | yes | yes |
| Teams | create, update, delete | yes | yes | yes |
| Roles & permissions | create, view, update, delete | view | full | full |
| Agents | create, view, update, delete | full | full | full |
| Servers | create, view, update, delete | full | full | full |
| Server pools | create, view, update, delete | full | full | full |
| Deployments | create, view, update, delete | full | full | full |
| Domains | create, view, update, delete | full | full | full |
| Chats | create, view | full | full | full |
| GitHub | create, view, update, delete | full | full | full |
| API keys | create, view, update, delete | full | full | full |
| Server evals | run | yes | yes | yes |
The only differences between built-in roles are in the Administration group: members can only view the Roles & permissions catalog, and only owners can delete the organization. All three roles share the same operational access.
Programmatic access
The live catalog is served from GET /api/v1/permissions/catalog (public,
cached) and powers the dashboard matrix. Use it if you build tooling around
roles so your labels stay in sync with the backend.
Custom roles (Enterprise)
Enterprise feature
Custom roles are available on the Enterprise plan. Contact us to enable RBAC for your organization.
On Enterprise, owners and admins can define custom roles from the Roles & permissions panel with a fine-grained permission matrix — for example, a deployer role that can create and update servers and deployments but cannot manage billing, members, or delete anything.
Custom roles are scoped to the organization that creates them and are assigned to members the same way as built-in roles.
What happens off Enterprise
If an organization is not on Enterprise (or downgrades from it):
- New custom roles cannot be created, and existing custom roles cannot be edited or deleted.
- Members cannot be assigned to a custom role.
- Members already assigned to a custom role keep their existing access until an admin reassigns them. To fully remove custom-role access, move those members to a built-in role.
How permissions are enforced
Permissions are checked on the server for every API request — the dashboard also hides actions you can't perform, but the backend is the source of truth. Access is always scoped to the organization the resource belongs to, so members of one organization can never see or modify another organization's servers, deployments, or data.