Permissions And Roles

Oriel authorizes with permission strings. Roles are named permission bundles; authorization decisions use resolved permissions, not role names.

Built-In Roles

The built-in role slug set is closed:

Role	Purpose
`owner`	All permissions.
`admin`	Workspace administration without `workspace:delete`.
`editor`	Query, dashboards, alerts, silences, saved queries, services, flags, SLOs, experiments, annotations, and channel read.
`viewer`	Query plus read-only project, dashboard, alert, flag, SLO, and experiment access.

Built-in roles are immutable.

Permission Set

Permission	Project-scopable
`telemetry:query`	Yes
`projects:read`	Yes
`projects:manage`	Yes
`environments:manage`	Yes
`services:manage`	Yes
`queries:manage`	Yes
`dashboards:read`	No
`dashboards:manage`	No
`alerts:read`	Yes
`alerts:manage`	Yes
`silences:manage`	Yes
`channels:read`	No
`channels:manage`	No
`members:read`	No
`members:manage`	No
`roles:read`	No
`roles:manage`	No
`tokens:read`	No
`tokens:manage`	No
`audit:read`	No
`workspace:manage`	No
`workspace:delete`	No
`flags:read`	Yes
`flags:write`	Yes
`flags:manage`	Yes
`annotations:read`	No
`annotations:write`	No
`slos:read`	No
`slos:manage`	No
`experiments:read`	Yes
`experiments:manage`	Yes

Built-In Role Permissions

Role	Permissions
`owner`	Every permission.
`admin`	`telemetry:query`, `projects:read`, `dashboards:read`, `alerts:read`, `dashboards:manage`, `alerts:manage`, `silences:manage`, `queries:manage`, `services:manage`, `channels:read`, `projects:manage`, `environments:manage`, `members:read`, `members:manage`, `roles:read`, `roles:manage`, `tokens:read`, `tokens:manage`, `channels:manage`, `audit:read`, `workspace:manage`, `flags:read`, `flags:write`, `flags:manage`, `annotations:read`, `annotations:write`, `slos:read`, `slos:manage`, `experiments:read`, `experiments:manage`
`editor`	`telemetry:query`, `projects:read`, `dashboards:read`, `alerts:read`, `dashboards:manage`, `alerts:manage`, `silences:manage`, `queries:manage`, `services:manage`, `channels:read`, `flags:read`, `flags:write`, `annotations:read`, `annotations:write`, `slos:read`, `slos:manage`, `experiments:read`, `experiments:manage`
`viewer`	`telemetry:query`, `projects:read`, `dashboards:read`, `alerts:read`, `flags:read`, `annotations:read`, `slos:read`, `experiments:read`

No-Escalation Rule

A grantor may only grant or revoke permissions that are already included in the grantor’s effective permissions at the target scope. Attempts to widen a member or token beyond the caller’s authority fail with ORL-3006.