Users & RBAC
Role-based access control, user invites, two-factor authentication, and how roles interact with label-based permissions
Users & Role-Based Access Control
HeadlessOps uses a five-level role system per workspace. Every workspace member has exactly one role, and permissions are cumulative from VIEWER upward.
New in IAM v1: Label grants now control which resources a member can see. Roles control what a member can do; labels control which resources they can do it on. See Labels & Permissions for the full guide.
Role Reference
| Role | Description | Key Permissions |
|---|---|---|
| OWNER | Workspace creator / super admin | All permissions including ownership transfer and workspace deletion |
| ADMIN | Workspace administrator | All DEVELOPER permissions + invite users, manage API keys, view billing, manage label grants |
| DEVELOPER | Integration developer | Create/update/delete integrations, manage credentials, trigger runs (scoped to their label grants) |
| MEMBER | General member | Same as DEVELOPER in most contexts (alias) |
| VIEWER | Read-only access | View integrations, runs, credentials (no secrets), data stores (scoped to their label grants) |
Permission Matrix
| Action | VIEWER | MEMBER | DEVELOPER | ADMIN | OWNER |
|---|---|---|---|---|---|
| View integrations & runs | ✅ | ✅ | ✅ | ✅ | ✅ |
| View credentials (no secrets) | ✅ | ✅ | ✅ | ✅ | ✅ |
| Trigger manual runs | ❌ | ✅ | ✅ | ✅ | ✅ |
| Create / update integrations | ❌ | ✅ | ✅ | ✅ | ✅ |
| Manage credentials | ❌ | ✅ | ✅ | ✅ | ✅ |
| Manage data stores | ❌ | ✅ | ✅ | ✅ | ✅ |
| Invite users | ❌ | ❌ | ❌ | ✅ | ✅ |
| Manage API keys | ❌ | ❌ | ❌ | ✅ | ✅ |
| Manage label grants | ❌ | ❌ | ❌ | ✅ | ✅ |
| Delete workspace | ❌ | ❌ | ❌ | ❌ | ✅ |
Note on resource visibility: For non-admin members, the rows above only apply to resources the member can already see. A DEVELOPER cannot edit an integration they cannot see due to label restrictions. See Labels & Permissions.
Inviting Users
Required role: ADMIN or OWNER
Via the Web UI
- Go to Workspace Settings → Members
- Click Invite Member
- Enter the email address and select a role
- Click Send Invite
The invited user receives an email with a link to accept. Pending invites are visible in the Members list and expire after 7 days.
Via the API
curl -X POST https://app.headlessops.ai/api/workspaces/ws_abc123/members/invite \
-H "Cookie: session=YOUR_SESSION" \
-H "Content-Type: application/json" \
-d '{
"email": "dev@example.com",
"role": "DEVELOPER"
}'Response:
{
"inviteId": "inv_abc123",
"inviteUrl": "https://app.headlessops.ai/invite/inv_abc123"
}Share the inviteUrl with the user. They log in (or create an account) and are immediately added to the workspace.
Listing Members
curl https://app.headlessops.ai/api/workspaces/ws_abc123/members \
-H "Cookie: session=YOUR_SESSION"Returns both current members and pending invites:
{
"members": [
{
"id": "mem_1",
"role": "OWNER",
"user": { "id": "u_1", "name": "Alice", "email": "alice@example.com" }
},
{
"id": "mem_2",
"role": "DEVELOPER",
"user": { "id": "u_2", "name": "Bob", "email": "bob@example.com" }
}
],
"invites": [
{
"id": "inv_1",
"email": "carol@example.com",
"role": "VIEWER",
"expiresAt": "2026-06-11T00:00:00Z"
}
]
}User Invite Flow
ADMIN/OWNER Invited User
│ │
│── POST /members/invite ──▶ │
│◀── { inviteId, inviteUrl } ── │
│ │
│ [share inviteUrl] │
│ ────────────▶│
│ [open link] │
│ [log in / sign up]
│ [accept invite]
│ │
│◀─────────────── added to workspace ──Two-Factor Authentication (2FA)
HeadlessOps supports TOTP-based 2FA compatible with Google Authenticator, Authy, 1Password, and similar apps.
Enabling 2FA (Per User)
- Go to Account Settings → Security
- Click Enable Two-Factor Authentication
- Scan the QR code with your authenticator app
- Enter the 6-digit code to confirm
- Save your backup codes in a secure location
Requiring 2FA Workspace-Wide
Workspace owners and admins can enforce 2FA for all members:
- Go to Workspace Settings → Security
- Toggle Require 2FA for all members
- Members without 2FA enabled will be prompted to set it up on next login
Note: Members with 2FA disabled when enforcement is turned on will not lose access immediately — they are redirected to the 2FA setup page on their next login.
Recovery
If a member loses access to their authenticator app:
- The member contacts the workspace ADMIN or OWNER
- The admin can temporarily disable the 2FA requirement at the workspace level
- The member logs in and reconfigures 2FA using their backup codes or a new authenticator
- Re-enable workspace-wide 2FA enforcement after recovery
Removing Members
# Remove a member (ADMIN or OWNER required)
curl -X DELETE https://app.headlessops.ai/api/workspaces/ws_abc123/members/mem_2 \
-H "Cookie: session=YOUR_SESSION"Removing a member immediately revokes their access. Any API keys they created remain valid until explicitly revoked.
Role Assignment Best Practices
| Team | Recommended Role |
|---|---|
| Engineering leads / DevOps | ADMIN |
| Backend developers | DEVELOPER |
| Product managers / stakeholders | VIEWER |
| External clients (credential setup only) | Use credential invite links instead |
| AI agent tokens | Use API keys (not user accounts) |
Labels & Fine-Grained Access
Roles alone are a coarse-grained control. For finer control — such as limiting a developer to only their team's resources, or giving a client access only to their own integrations — use label grants.
Label grants are additive to roles. A DEVELOPER with no label grants sees nothing (all resources are admin-only until labeled). A DEVELOPER with a read grant on client-acme sees only integrations, credentials, and knowledge docs tagged client-acme.
See Labels & Permissions for the complete guide.
Billing & Subscriptions
Manage your HeadlessOps subscription, change plans, purchase extras, and handle billing through the web UI
Labels & Permissions (IAM v1)
Control who can see and use your integrations, credentials, and knowledge docs using labels. A simple, label-based permission system built for teams.