Skip to main content

User management

Organization roles#

Every user that is part of an organization has an explicit role. Note that users are unable to modify their own role. If you need to lower your access, have another organization user perform this action, or, leave the organization and request to be re-added with the desired role.


  • Users that require unrestricted access to the organization, its settings and all resources owned by the organization.
  • Can delete organization. All resources such as repositories, templates and plugins must be deleted before the organization can be deleted.
  • Can add and delete resources such as repositories


  • Can modify organization settings, such as base resource roles.
  • Can manage user roles, except owners.
  • Can add resources.


  • Can view the organization and its members.
  • Inherits the base resource roles on existing organization resources (the default is Write).


  • Can view the organization and its members.
  • Inherits Write roles over existing organization resources, regardless of the organization's base resource roles.

This role is useful in CI pipelines - you can set the organization base roles to Read and configure a Machine user to push to a BSR repository on merge, for example.

Base resource roles#

Every organization has a set of base resource roles that apply to all members of the organization. The default roles:


Organization owners can modify the base resource roles depending on the requirements of the organization. These roles are configurable on the organization settings page.

Resource roles#

Resources such as repositories, templates and plugins are owned by either an individual user or an organization. In the case of user-owned resources, the user is granted the Owner role, and for organization-owned resources, user with Member role in the organization will inherit the base resource roles as defined by the organization, while user with Owner or Admin role in the organization will inherit the respective resource roles.

In some situations, however, you'll need to give additional permissions to individual users over a user- or organization-owned resource.

The most common use-cases are:

  • Outside collaborators. This is useful when users outside your organization require access to specific resource(s) within the organization, but you do not want them to be a member of the organization.
  • Elevated permissions for organization members. This is useful when the organization base resource roles are set to Read and specific user(s) require the Write or Admin role for specific resource(s).

When computing the role on a resource, the highest role takes precedence. For example, an organization has Write as the base repository role, and the user was granted the Admin role on a specific repository. The final computed user role on the repository is Admin.


  • Unrestricted access to the resource.
  • Can delete the resource.


  • Can update the resource settings and deprecation notices.
  • Can manage resource roles, except owners.


  • Can perform write operations on resources, such as:
    • Pushing to a repository
    • Creating tags
    • Updating template versions and plugins

Limited Write#

  • Can write drafts to a repository.

Only applies to repositories.


  • Can view the resource.