Access control & roles
How access control works
SlateBeaver uses role-based access control (RBAC) at two levels: organisation-level roles and credential-level permissions.
Key design principle: Being a member of an organisation does not automatically grant access to any credential. Credential access must be explicitly granted. This is by design.
Organisation-level roles
| Role | Description |
|---|---|
| Owner | Full control. Manages billing, SSO, and can delete the organisation. |
| Admin | Can manage all members, credentials, and projects. |
| Security Lead | Can view and export the full audit log. Cannot modify credentials. |
| Developer | Can view and interact with credentials they have been explicitly granted access to. |
| Read-only | Can view credential names but not values. Can view projects. |
Credential-level permissions
In addition to organisation roles, each credential can have per-member or per-team access overrides:
- Can read (masked): Sees the credential exists, but cannot reveal the value.
- Can reveal: Can see the plaintext value - every reveal is logged automatically.
- Can edit: Can update the credential value.
- Can grant: Can extend access to other team members.
Just-in-time access
Temporary access can be granted with an automatic expiry. No manual revocation is required.
- Available durations: 1 hour, 4 hours, 24 hours, 7 days, or custom
- Access is automatically revoked at expiry without any action needed
- The full grant/expiry lifecycle is recorded in the audit log
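The explicit-grant rule and just-in-time expiry described above can be modelled as a deny-by-default check that compares the expiry time on every evaluation. This is an added illustration, not SlateBeaver's code or API: the class, method and event names are hypothetical, and treating the four permissions as independent flags and logging denied reveals are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Permission names mirror the page; treating them as independent flags is an assumption.
PERMISSIONS = {"read_masked", "reveal", "edit", "grant"}

@dataclass
class Grant:
    member: str
    credential: str
    permission: str
    expires_at: Optional[datetime] = None  # None means a standing grant

@dataclass
class AccessModel:  # hypothetical model, not a SlateBeaver class
    grants: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def grant(self, member, credential, permission, now,
              duration: Optional[timedelta] = None):
        if permission not in PERMISSIONS:
            raise ValueError(f"unknown permission: {permission}")
        expires = now + duration if duration is not None else None
        self.grants.append(Grant(member, credential, permission, expires))
        self.audit_log.append((now, "grant", member, credential, permission, expires))

    def is_allowed(self, member, credential, permission, now):
        # Deny by default: only an explicit, unexpired grant matches.
        # Organisation membership is never consulted here.
        return any(
            g.member == member and g.credential == credential
            and g.permission == permission
            and (g.expires_at is None or now < g.expires_at)
            for g in self.grants
        )

    def reveal(self, member, credential, now):
        allowed = self.is_allowed(member, credential, "reveal", now)
        # Logging denied attempts as well as successful reveals is an assumption.
        event = "reveal" if allowed else "reveal_denied"
        self.audit_log.append((now, event, member, credential))
        return allowed

    def expire(self, now):
        # Housekeeping only: access already stopped when expires_at passed.
        for g in [g for g in self.grants if g.expires_at and now >= g.expires_at]:
            self.grants.remove(g)
            self.audit_log.append((now, "expired", g.member, g.credential, g.permission))
```

Because `is_allowed` checks the expiry itself, a delayed or failed cleanup job cannot extend access; `expire` exists only to record the end of the grant in the log.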
Break-glass access
For emergencies where the normal approval flow is not available:
- An authorised member triggers break-glass access
- A record is immediately written to the audit log
- All relevant admins are notified via configured channels
- Access expires automatically