Access Roles
Last updated on May 21, 2026
Every member holds exactly one role, and that role applies across the whole organization. When you need finer control, per-team scoping layers on top through Teams, so you can pair a broad role with a narrow visibility scope.
The five roles
TofuPilot ships with five roles that cover the full range from full administrative control down to operator-only kiosk access. The table below summarizes what each role can do.
| Role | Read | Write data | Manage members | Manage org | Dashboard access |
|---|---|---|---|---|---|
| Owner | All | Yes | Yes | Yes (billing, SSO, delete) | Yes |
| Admin | All | Yes | Yes | No | Yes |
| Developer | All | Yes | No | No | Yes |
| Viewer | All or team-scoped | No | No | No | Yes (read-only) |
| Operator | Own teams' stations only | Through station API | No | No | No (kiosk only) |
Owner
You get one Owner per organization, and that account owns everything. Owners can do everything an Admin can, and on top of that they handle billing, SSO and SCIM configuration, ownership transfer, and organization deletion.
Admin
Admins manage members and structure, so they handle the day-to-day people work. They invite and remove members, change roles, create and delete teams, and manage test data such as Procedures, Stations, Deployments, and Runs.
Admins cannot update organization settings, manage billing, or configure SSO and SCIM, because those actions are reserved for the Owner.
Developer
Developers create and update procedures, stations, deployments, Parts, Units, Batches, and other test data. They see every team's data, so they can work across production lines without restriction.
Developers cannot manage members, teams, billing, or SSO.
Viewer
Viewers are read-only, so they browse runs, units, parts, and analytics without being able to create or modify anything.
What a Viewer sees depends on their team assignment:
- A Viewer with no team assignments sees every team's data.
- A Viewer with team assignments sees only those teams' stations and runs.
Operator
Operators land on /operator on sign-in and never see the dashboard. They see their own profile, the stations they belong to (always team-scoped), and basic org context. They do not see a member list, peer profiles, runs, procedures, API activity, or billing.
Test data is produced through the Station API key, not the operator's account. When an operator presses Run in the Operator UI, the run is auto-attributed as operated_by, because the dashboard forwards the operator's email to the CLI and the CLI stamps it on runs.create. CLI-only runs and kiosk-mode mounts with no logged-in user stay unattributed.
Roles vs teams
Teams sit on an orthogonal layer to roles, so the two combine when you decide what someone sees.
- Owners, Admins, and Developers see every team's data.
- Viewers see all data without team assignments, and become team-scoped once you assign them.
- Operators are always team-scoped.
Changing a role
Admins and Owners can change a role at any time, and the change applies immediately. For the full walkthrough, see Managing members.
How is this guide?
Managing Members
Learn how to invite users, change roles, ban access, impersonate, and remove members from your TofuPilot organization without losing their data.
Teams
Learn how to group TofuPilot stations and members into teams so you can scope visibility for suppliers, departments, or production lines.