Users, roles, and permissions

DevX uses role-based access control (RBAC). Every user has a role that defines which portals they can access and what they can do inside each one.

Configure in: Portal Config → Users / Roles & Permissions

Built-in roles

Role	Description
admin	Full access to all portals and Portal Config
developer	Access to Task, DRM, DevX, Runbook, and Platform portals (read + write)
viewer	Read-only access to portals they are granted access to

Built-in roles cannot be deleted but their descriptions can be edited.

Custom roles

Go to Portal Config → Roles & Permissions → New Role.

System permissions

Permission	Description
`portal_access`	Can log in. Disable to create reference-only roles
`manage_users`	Can create, edit, and delete users
`manage_config`	Can access Portal Config

Portal access flags

Control which portals this role can enter:

Flag	Portal
`access_tasks`	Task Management
`access_drm`	DRM Portal
`access_idp`	DevX Portal
`access_runbooks`	Runbook Portal
`access_cloud`	Cloud & FinOps
`access_security`	Security & Compliance
`access_platform`	Platform Engineering

Write access flags

Control whether the role can create/edit/delete within each portal:

Flag	Portal
`write_tasks`	Task Management
`write_drm`	DRM Portal
`write_idp`	DevX Portal
`write_runbooks`	Runbook Portal
`write_cloud`	Cloud & FinOps
`write_security`	Security & Compliance
`write_platform`	Platform Engineering

Resource-level permissions

Fine-grained view / create / edit / delete control per resource:

Resource	Description
`tasks`	Task records
`drm`	Incidents and DRM catalog
`service_catalog`	Service Catalog entries (DevX)
`runbooks`	Runbook definitions and executions
`cloud`	Cloud resources and FinOps data
`security`	Vulnerabilities, secrets, compliance
`platform`	Platform Engineering resources

Users

Creating a user

Go to Portal Config → Users → Add User. Fields:

Field	Description
Username	Login username (unique)
Email	User email address
Password	Initial password
Role	Assign a built-in or custom role
Team	Assign to a DRM/catalog team (optional)

The org is automatically set from the logged-in admin's organization.

Org owner

The user who completes the first-time setup wizard is marked as Org Owner. Org owners are displayed with a badge in the Users list.

Password reset

Admins can generate a password reset link from the user row (⋯ → Send reset link). The link is emailed to the user and expires after 24 hours.

SSO

Enterprise builds support SSO provider configuration. See SSO.

API reference

Method	Path	Description
`GET`	`/api/users`	List users
`POST`	`/api/users`	Create user
`PUT`	`/api/users/:id`	Update user
`DELETE`	`/api/users/:id`	Delete user
`PUT`	`/api/users/:id/team`	Assign team
`POST`	`/api/auth/reset-password`	Request password reset
`GET`	`/api/admin/roles`	List roles
`POST`	`/api/admin/roles`	Create role
`PUT`	`/api/admin/roles/:id`	Update role
`DELETE`	`/api/admin/roles/:id`	Delete role

Built-in roles​

Custom roles​

System permissions​

Portal access flags​

Write access flags​

Resource-level permissions​

Users​

Creating a user​

Org owner​

Password reset​

SSO​

API reference​