Roles & Permissions
Control what members can do in your organization.
Manufacturing test data often contains sensitive information about product quality, failure rates, and production processes, yet collaborating on it across teams drives faster debugging and higher yields.
TofuPilot lets you assign roles, link stations to procedures, and group users into teams, helping you granularly manage access to data across internal teams and external partners securely.
Concepts
User Roles
Owner
The Owner role is the highest level of access. Each organization has exactly one owner who controls billing and can delete the organization. Owners have all Admin permissions plus exclusive access to dangerous operations.
Admin
The Admin role is designed for organization managers who handle users and teams. Admins can manage members, teams, and invitations, but cannot update organization settings, manage billing, or configure SSO and SCIM.
Developer
The Developer role is designed for test engineers and developers. Developers can create and update stations, procedures, deployments, and any data type related to business logic. They can see all data across teams but cannot manage users or billing.
Viewer
The Viewer role provides read-only access to test data. This role is useful for production operators needing web UI access, internal stakeholders, or external suppliers who need visibility without write access.
Stations
Stations allow test computers to authenticate via API keys and push test data automatically. Each station is linked to specific procedures, ensuring it can only create runs for those procedures. Stations can be assigned to teams to control which users can see their data.
Teams
Teams segment data visibility across internal teams, facilities, or external suppliers. Owners, Admins, and Developers see everything. Viewers see all data when not assigned to teams, or only their teams' data when assigned.
Actions
Change Role
Go to Settings > Members.
Click the menu next to the member.
Select Change Role and choose the new role.
You cannot change your own role; another Admin or Owner must change it for you.
Impersonate
Owners and Admins can impersonate other users to troubleshoot issues or verify permissions.
Go to Settings > Members.
Click the menu next to the member.
Select Impersonate.
An amber banner appears at the top showing who you're impersonating. Click Stop Impersonating to return to your account. Sessions expire after 1 hour.
Permissions
Organization
| Action | Owner | Admin | Developer | Viewer | Station |
|---|---|---|---|---|---|
| Update | ✓ | ||||
| Delete | ✓ | ||||
| View | ✓ | ✓ | ✓ | ✓ | ✓ |
An organization is your workspace containing all test data and settings. Any user can create organizations and automatically becomes Owner. Self-hosted deployments support one organization only, where the first user creates it and others must be invited.
Members
| Action | Owner | Admin | Developer | Viewer | Station |
|---|---|---|---|---|---|
| Create | ✓ | ✓ | |||
| Update | ✓ | ✓ | |||
| Ban | ✓ | ✓ | |||
| View | ✓ | ✓ | ✓ | ✓ ǀ team | ✓ ǀ team |
A member represents a user's role within an organization. Owners and Admins can manage all members. Developers can view the full member list. Viewers and Stations without teams see all members; those assigned to teams see only members within their teams.
Teams
| Action | Owner | Admin | Developer | Viewer | Station |
|---|---|---|---|---|---|
| Create | ✓ | ✓ | |||
| Update | ✓ | ✓ | |||
| Delete | ✓ | ✓ | |||
| View | ✓ | ✓ | ✓ | ✓ | ✓ ǀ team |
Teams are groups that control data visibility. Owners, Admins, and Developers can manage or view all teams. Viewers can see all teams. Stations without teams see all teams; Stations assigned to teams see only their assigned teams.
Users
| Action | Owner | Admin | Developer | Viewer | Station |
|---|---|---|---|---|---|
| Update | ✓ | ✓ | own | own | |
| Delete | ✓ | ✓ | own | own | |
| View | ✓ | ✓ | own | own | |
A user is your account containing email, name, and profile information. All users can manage their own profile, and Owners and Admins can manage all users. A user differs from a member because one user can have different roles across multiple organizations. In self-hosted deployments, users must be invited and have one organization and one role per user.
User API Keys
| Action | Owner | Admin | Developer | Viewer | Station |
|---|---|---|---|---|---|
| Create | own | own | own | own | |
| Delete | own | own | own | own | |
| View | own | own | own | own | |
User API keys are personal authentication tokens that all users can manage for themselves. Keys expire after 30 days. Stations use separate API keys; see Station API Keys.
Procedures
| Action | Owner | Admin | Developer | Viewer | Station |
|---|---|---|---|---|---|
| Create | ✓ | ✓ | ✓ | ||
| Update | ✓ | ✓ | ✓ | ||
| Delete | ✓ | ✓ | ✓ | ||
| View | ✓ | ✓ | ✓ | ✓ ǀ team | linked |
A procedure is a test definition with an identifier and name. Owners, Admins, and Developers have full access and can see all procedures. Viewers without teams see all procedures; Viewers assigned to teams see only procedures linked to their teams' stations. Stations can only view procedures they are linked to.
Procedure Versions
| Action | Owner | Admin | Developer | Viewer | Station |
|---|---|---|---|---|---|
| Create | ✓ | ✓ | ✓ | | linked |
| Update | ✓ | ✓ | ✓ | ||
| Delete | ✓ | ✓ | ✓ | ||
| View | ✓ | ✓ | ✓ | ✓ ǀ team | linked |
A procedure version is a tagged version of a procedure. Owners, Admins, and Developers have full access and can see all versions. Viewers without teams see all versions; Viewers assigned to teams see only versions linked to their teams' stations. Stations can create and view versions for linked procedures only.
Stations
| Action | Owner | Admin | Developer | Viewer | Station |
|---|---|---|---|---|---|
| Create | ✓ | ✓ | ✓ | ||
| Update | ✓ | ✓ | ✓ | ||
| Delete | ✓ | ✓ | ✓ | ||
| View | ✓ | ✓ | ✓ | ✓ ǀ team | own |
A station is a test computer that pushes data via API. Owners, Admins, and Developers have full access and can see all stations. Viewers without teams see all stations; Viewers assigned to teams see only their teams' stations. Stations can only view their own record.
Station API Keys
| Action | Owner | Admin | Developer | Viewer | Station |
|---|---|---|---|---|---|
| Create | ✓ | ✓ | ✓ | ||
| Delete | ✓ | ✓ | ✓ | ||
| View | ✓ | ✓ | ✓ | | |
Station API keys are authentication tokens for stations. Owners, Admins, and Developers can create, delete, and view all station keys. Viewers have no access to station API keys.
Parts
| Action | Owner | Admin | Developer | Viewer | Station |
|---|---|---|---|---|---|
| Create | ✓ | ✓ | ✓ | | ✓ |
| Update | ✓ | ✓ | ✓ | ||
| Delete | ✓ | ✓ | ✓ | ||
| View | ✓ | ✓ | ✓ | ✓ | ✓ |
A part is a product identified by part number. Owners, Admins, Developers, and Viewers can see all parts. Stations can create and view parts, which are auto-created during run creation.
Revisions
| Action | Owner | Admin | Developer | Viewer | Station |
|---|---|---|---|---|---|
| Create | ✓ | ✓ | ✓ | | ✓ |
| Update | ✓ | ✓ | ✓ | ||
| Delete | ✓ | ✓ | ✓ | ||
| View | ✓ | ✓ | ✓ | ✓ | ✓ |
A revision is a version of a part, such as hardware or firmware. Owners, Admins, Developers, and Viewers can see all revisions. Stations can create and view revisions, which are auto-created during run creation.
Units
| Action | Owner | Admin | Developer | Viewer | Station |
|---|---|---|---|---|---|
| Create | ✓ | ✓ | ✓ | | ✓ |
| Update | ✓ | ✓ | ✓ | | ✓ |
| Delete | ✓ | ✓ | ✓ | ||
| View | ✓ | ✓ | ✓ | ✓ ǀ team | ✓ |
A unit is a device under test identified by serial number. Owners, Admins, and Developers have full access and can see all units. Viewers without teams see all units; Viewers assigned to teams see only units tested by their teams' stations. Stations can create, update, and view units, which are auto-created during run creation and support sub-unit linking.
Batches
| Action | Owner | Admin | Developer | Viewer | Station |
|---|---|---|---|---|---|
| Create | ✓ | ✓ | ✓ | | ✓ |
| Update | ✓ | ✓ | ✓ | ||
| Delete | ✓ | ✓ | ✓ | ||
| View | ✓ | ✓ | ✓ | ✓ | ✓ |
A batch is a production batch identified by batch number. Owners, Admins, Developers, and Viewers can see all batches. Stations can create and view batches, which are auto-created during run creation.
Runs
| Action | Owner | Admin | Developer | Viewer | Station |
|---|---|---|---|---|---|
| Create | ✓ | ✓ | ✓ | | linked |
| Update | ✓ | ✓ | ✓ | | linked |
| Delete | ✓ | ✓ | ✓ | ||
| View | ✓ | ✓ | ✓ | ✓ ǀ team | linked |
A run is a test execution result. Owners, Admins, and Developers have full access and can see all runs. Viewers without teams see all runs; Viewers assigned to teams see only runs from their teams' stations. Stations can create, update, and view runs for linked procedures only.
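The run-access rules above, written out as a small model (an added example, not TofuPilot code or its API): full-access roles, team scoping for Viewers, and the procedure link for Stations. The class names, field names, and sample data are hypothetical; `unscoped_viewers` lists Viewers with no team, who under these rules read every run.

```python
from dataclasses import dataclass

FULL_ACCESS = {"owner", "admin", "developer"}  # these roles see and create all runs

@dataclass(frozen=True)
class Principal:
    name: str
    role: str  # owner | admin | developer | viewer | station
    teams: frozenset = frozenset()
    procedures: frozenset = frozenset()  # linked procedure ids (stations only)

@dataclass(frozen=True)
class Run:
    id: str
    procedure: str
    station: Principal  # the station that pushed the run

def can_view_run(p: Principal, run: Run) -> bool:
    if p.role in FULL_ACCESS:
        return True
    if p.role == "viewer":  # no team assignment means no scoping at all
        return not p.teams or bool(p.teams & run.station.teams)
    return p.role == "station" and run.procedure in p.procedures

def can_create_run(p: Principal, procedure: str) -> bool:
    return p.role in FULL_ACCESS or (p.role == "station" and procedure in p.procedures)

def unscoped_viewers(principals) -> list:
    """Viewers without a team read everything; review these before inviting partners."""
    return [p.name for p in principals if p.role == "viewer" and not p.teams]

# Constructed sample data; every name and procedure id below is hypothetical.
LINE_A = Principal("line-a", "station", frozenset({"factory"}), frozenset({"FVT1"}))
SUPPLIER = Principal("supplier-1", "station", frozenset({"supplier"}), frozenset({"ICT1"}))
RUNS = [Run("r1", "FVT1", LINE_A), Run("r2", "ICT1", SUPPLIER)]
PEOPLE = {p.name: p for p in (
    Principal("dev", "developer"),
    Principal("supplier-qa", "viewer", frozenset({"supplier"})),
    Principal("contractor", "viewer"),  # invited but never put in a team
    LINE_A, SUPPLIER)}

def visible(name: str) -> list:
    """Ids of the sample runs the named principal may view."""
    return [r.id for r in RUNS if can_view_run(PEOPLE[name], r)]
```

Here `supplier-qa` sees only the supplier station's run, while `contractor`, who has the same role but no team, sees both.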
Run Data
| Action | Owner | Admin | Developer | Viewer | Station |
|---|---|---|---|---|---|
| Create | ✓ | ✓ | ✓ | | ✓ |
| View | ✓ | ✓ | ✓ | ✓ ǀ team | ✓ |
Run data contains phases and measurements within a run. Owners, Admins, and Developers can create and see all run data. Viewers without teams see all run data; Viewers assigned to teams see only data from their teams' stations. Stations can create and view run data. Run data is immutable.
GitHub Installations
| Action | Owner | Admin | Developer | Viewer | Station |
|---|---|---|---|---|---|
| Create | ✓ | ✓ | |||
| Update | on GitHub | on GitHub | |||
| Delete | on GitHub | on GitHub | |||
| View | ✓ | ✓ | ✓ | ✓ | |
A GitHub installation is a connection to the GitHub app. Owners and Admins can install the app, while updates and uninstalls are done on GitHub. All roles can view installations.
Repositories
| Action | Owner | Admin | Developer | Viewer | Station |
|---|---|---|---|---|---|
| Create | ✓ | ✓ | ✓ | ||
| Update | ✓ | ✓ | ✓ | ||
| Delete | ✓ | ✓ | ✓ | ||
| View | ✓ | ✓ | ✓ | ✓ | |
Repositories are synced from installed GitHub apps. Owners, Admins, and Developers can link and unlink repositories. Viewers have read-only access.
Branches
| Action | Owner | Admin | Developer | Viewer | Station |
|---|---|---|---|---|---|
| View | ✓ | ✓ | ✓ | ✓ | |
Branches are git branches synced from GitHub. All user roles can view them.
Commits
| Action | Owner | Admin | Developer | Viewer | Station |
|---|---|---|---|---|---|
| View | ✓ | ✓ | ✓ | ✓ | |
Commits are git commits synced from GitHub. All user roles can view them.
Pull Requests
| Action | Owner | Admin | Developer | Viewer | Station |
|---|---|---|---|---|---|
| View | ✓ | ✓ | ✓ | ✓ | |
Pull requests are synced from GitHub. All user roles can view them.
Procedure Deployments
| Action | Owner | Admin | Developer | Viewer | Station |
|---|---|---|---|---|---|
| Create | ✓ | ✓ | ✓ | ||
| Update | ✓ | ✓ | ✓ | ||
| Delete | ✓ | ✓ | ✓ | ||
| View | ✓ | ✓ | ✓ | ✓ ǀ team | linked |
A procedure deployment is a link between a commit and a procedure. Owners, Admins, and Developers can manage deployments and see all of them. Viewers without teams see all deployments; Viewers assigned to teams see only deployments for their teams' procedures. Stations can view deployments for linked procedures only.
SSO
| Action | Owner | Admin | Developer | Viewer | Station |
|---|---|---|---|---|---|
| Create | ✓ | ||||
| Update | ✓ | ||||
| Delete | ✓ | ||||
| View | ✓ | | | | |
SSO is the Single Sign-On configuration for the organization. Only Owners can manage SSO settings.
SCIM
| Action | Owner | Admin | Developer | Viewer | Station |
|---|---|---|---|---|---|
| Create | ✓ | ||||
| Update | ✓ | ||||
| Delete | ✓ | ||||
| View | ✓ | | | | |
SCIM is the user provisioning configuration for the organization. Only Owners can manage SCIM settings.
API Activity
| Action | Owner | Admin | Developer | Viewer | Station |
|---|---|---|---|---|---|
| View | ✓ | ✓ | ✓ | | |
API activity logs all API requests automatically. Owners, Admins, and Developers can view the logs. Logs are immutable.