A group rule defines the roles and associated resources that determine what group members and API keys can access, as well as the level of permissions granted.

Group with no rules

When a group rule doesn’t have any explicit resources, the group will always have access to all resources within the organization.

In the same way, if a rule is limited to a single resource and that resource is deleted from the organization, the rule will fall back to having access to all resources within the organization.

A group with no rules behaves differently from a rule with no resources: if a group doesn’t have any rule assigned, the group effectively has no access to any resource.

Roles

You can assign multiple roles to a group using the Add rule button. If no group rules are configured, group members will not have access to any resources.

Role selector

Each role can be added only once per group. After assigning a role, you may associate it with multiple resources, but you cannot create additional rules for the same role.

The order in which the roles are assigned to the group doesn’t have any effect when performing checks. For example, given the following group:

The members of this group will have Admin access to the default namespace and Viewer access to the test namespace and any other namespace that may exist in the organization.

If the default namespace is deleted, the Admin rule would take priority, as the limitation no longer exists.

With this in mind, members of the following example will have Organization Admin access to all resources.

Organization Roles

These roles apply at the organization level and cannot be limited to specific resources:

  1. Admin — Full permissions to create and manage all services.
  2. Developer — Read and write access to all organizational objects.
  3. API Key Manager — Permissions to create, modify, and delete API keys.
  4. Viewer — Read-only access to all organizational objects.

An organization Developer has access to manage namespaces and to create and publish graphs, while an Admin can perform these operations in addition to managing the organization settings.

Namespace Roles

  1. Admin — Read and write access to assigned namespaces.
  2. Viewer — Read-only access to assigned namespaces.

If no resources are assigned, the group is granted access to all namespaces in the organization. Groups with the Admin role will also be able to create new namespaces.
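
The resolution rules described above, modeled for the namespace roles as an added example that is not the product's own code: a rule without resources applies organization-wide, a rule whose resource was deleted falls back to organization-wide, and a group without rules has no access. The role keys, data shapes and function names are assumptions for illustration, as is treating a rule whose resources have all been deleted like one limited to a single deleted resource. The `audit` helper flags rules that are already organization-wide or would become so after one deletion.

```python
# Added illustration; role keys and data shapes are assumptions, not the product's API.
RANK = {"viewer": 1, "admin": 2}  # higher rank wins; rule order is irrelevant

def live_scope(resources, existing):
    """Resources a rule still points at; an empty set means 'everything'."""
    return {r for r in resources if r in existing}

def effective_role(rules, namespace, existing):
    """rules: {role: [namespace, ...]}, one entry per role. Returns a role or None."""
    best = None
    for role, resources in rules.items():
        scope = live_scope(resources, existing)
        # Empty scope (never set, or every target deleted) applies org-wide.
        if not scope or namespace in scope:
            if best is None or RANK[role] > RANK[best]:
                best = role
    return best  # None when the group has no rules at all

def audit(rules, existing):
    """Flag rules that are org-wide now or become org-wide after one deletion."""
    findings = []
    for role, resources in sorted(rules.items()):
        scope = live_scope(resources, existing)
        if not scope:
            findings.append((role, "org-wide"))
        elif len(scope) == 1:
            findings.append((role, "org-wide if '%s' is deleted" % next(iter(scope))))
    return findings

# Constructed sample matching the example group in the text:
# Admin limited to "default", Viewer with no resources.
GROUP = {"admin": ["default"], "viewer": []}
NAMESPACES = {"default", "test"}

if __name__ == "__main__":
    print(effective_role(GROUP, "default", NAMESPACES))
    print(effective_role(GROUP, "test", NAMESPACES))
    print(effective_role(GROUP, "test", NAMESPACES - {"default"}))
    print(effective_role({}, "test", NAMESPACES))
    print(audit(GROUP, NAMESPACES))
```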

Graph Roles

  1. Admin — Read and write access to assigned graphs.
  2. Viewer — Read-only access to assigned graphs.

Graph resources can be assigned in one of two ways:

  • Namespace: Grants access to all graphs within the selected namespace, including permission to create new graphs.
  • Specific graphs: Limits access to only the selected graphs.

If no graphs are explicitly assigned, the group will have access to all graphs in the organization. Groups with the Admin role will also be able to create new graphs.

Graph resource selector

Subgraph Roles

  1. Admin — Read and write access to assigned subgraphs.
  2. Publisher — Read and write access to assigned subgraphs, but cannot create new ones.

Subgraph resources can be assigned similarly:

  • Namespace: Grants access to all subgraphs within the selected namespace, including permission to create new subgraphs.
  • Specific subgraphs: Restricts access to only the selected subgraphs.

If no subgraph resources are assigned, the group will have access to all subgraphs in the organization.

Resources

Graph resource selector

Resources represent the entities available within your organization, including but not limited to:

  • Namespaces
  • Federated Graphs
  • Subgraphs