Roles & Permissions

LaserData Cloud uses role-based access control (RBAC) to manage what each team member can see and do. Permissions are additive, hierarchical, and can be scoped at every level of the organization hierarchy.

Permission Hierarchy

Permissions follow the three-level organization hierarchy: Tenant → Division → Environment. Each level has its own set of permissions, and scoping determines where those permissions apply.

Tenant (Acme Corp)
├── Tenant Permissions (billing, members, roles, divisions, API keys)
│
├── Division: Platform Engineering
│   ├── Division Permissions (members, environments, settings)
│   │
│   ├── Environment: Production
│   │   └── Environment Permissions (deployments, configs, networking, telemetry, backups)
│   │
│   └── Environment: Staging
│       └── Environment Permissions (deployments, configs, networking, telemetry, backups)
│
└── Division: Data Engineering
    ├── Division Permissions (members, environments, settings)
    │
    └── Environment: Analytics
        └── Environment Permissions (deployments, configs, networking, telemetry, backups)

How Scoping Works

A role defines permissions at each level. The key flexibility is where those permissions apply:

Global Scope

Assign a role at the tenant level and its division/environment permissions apply to all divisions and all environments within them. This is the simplest model — one role covers everything.

Example: An Admin role with full tenant, division, and environment permissions — the member can manage everything across every division and environment.

Per-Division Scope

Override the role's default division permissions for specific divisions. A member might have full access to the "Platform Engineering" division but read-only access to "Data Engineering".

When you set per-division overrides:

The overridden division uses the specific permissions you define
All other divisions use the role's default division permissions

Per-Environment Scope (within a Division)

Within a per-division override, you can further scope environment permissions to specific environments. A member might manage deployments in the Production environment but only view them in Staging.

When you set per-environment overrides within a division:

The overridden environments use the specific permissions you define
All other environments in that division use the division override's default environment permissions

Scoping Examples

Scenario	How to Configure
Full access to everything	Global scope — set all permissions at tenant, division, and environment level
Full access to one division only	Per-division override with full permissions; no default division permissions
Deploy to Production, view Staging	Per-division override with per-environment overrides: `deployment:manage` on Production, `deployment:read` on Staging
Billing only, no infrastructure access	Tenant-level `billing:manage` and `subscription:manage`; no division or environment permissions
Read-only across all divisions	Global scope with `read` permissions at every level

Tenant Permissions

These apply at the tenant level — across all divisions and environments.

Permission	Read	Manage
info	View tenant information	Update tenant information
audit	View audit logs	—
settings	View tenant settings	Update tenant settings
role	View roles	Create, update, and delete roles
member	View members	Invite, update, and remove members
subscription	View subscription plan	Change subscription plan
billing	View billing and payment	Update billing and payment
division	View divisions	Create, update, and delete divisions
api_key	View API keys	Create and delete API keys

Division Permissions

These apply within a division. When set globally, they apply to all divisions. When set per-division, they apply only to that specific division.

Permission	Read	Manage
info	View division information	Update division information
audit	View division audit logs	—
settings	View division settings	Update division settings
role	View division roles	Create, update, and delete division roles
member	View division members	Invite, update, and remove division members
environment	View environments	Create, update, and delete environments
api_key	View division API keys	Create and delete division-scoped API keys

Environment Permissions

These control access to deployments and their subsystems within an environment. Environment permissions can be set globally (all environments in all divisions), per-division (all environments in one division), or per-environment (one specific environment).

Permission	Read	Manage
info	View environment information	Update environment information
deployment	View deployments	Create, update, and delete deployments
deployment:config	View deployment configuration	Modify configuration, create versions, activate
deployment:access	View access rules	Create, update, and delete access rules
deployment:network	View VPC peering and PrivateLink	Create and manage network connections
deployment:task	View deployment tasks	Execute deployment tasks
deployment:telemetry	View monitoring data	Configure telemetry retention
deployment:backup	View backups	Create and delete backups
deployment:connector	View connectors	Manage connector instances and configurations
deployment:log	View deployment logs	—

Every permission has a read and manage variant. Manage always implies read.

Built-in Role Templates

When creating roles, you can start from these templates:

Template	Tenant Permissions	Division Permissions	Environment Permissions
Owner	Full access	Full access	Full access
Admin	Full access	Full access	Full access
Developer	View info, members, roles, divisions, API keys	View info, members, roles, environments	View and manage deployments, configs, access, networking, telemetry, connectors, logs
Viewer	View info, settings, roles, members, divisions	View info, settings, roles, members, environments	View all (no manage)
Billing	View info, manage subscription and billing	No access	No access

Templates are starting points — customize them as needed for your team structure.

Custom Roles

From the Console

Navigate to your tenant's Roles page
Click Create Role
Enter a name for the role
Configure tenant-level permissions — these always apply globally
Configure default division permissions — these apply to all divisions unless overridden
Configure default environment permissions — these apply to all environments unless overridden
Optionally, add per-division overrides:
- Select a specific division
- Set division permissions for that division
- Set default environment permissions within that division
- Optionally, add per-environment overrides within the division for even more granular control
Save the role

Assigning Roles

A role is assigned when a member is invited, or at any time afterward
Members can hold multiple roles — permissions are combined additively
Changes take effect immediately on the member's next request

Plan Limits

Resource	Basic	Pro	Enterprise
Custom roles	2	10	20
Members	3	10	20
Invitations	2	10	20

API Reference

Get Role Details

curl https://api.laserdata.cloud/tenants/{tenant_id}/roles/{role_id} \
  -H "ld-api-key: YOUR_API_KEY"

Returns the full role definition including all permissions and scoping overrides.

Get Role Members

curl "https://api.laserdata.cloud/tenants/{tenant_id}/roles/{role_id}/members?page=1&results=10" \
  -H "ld-api-key: YOUR_API_KEY"

Invite a Member

curl -X POST https://api.laserdata.cloud/tenants/{tenant_id}/invitations \
  -H "ld-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "user@example.com",
    "roles": [123]
  }'

List Members

curl "https://api.laserdata.cloud/tenants/{tenant_id}/members?page=1&results=10" \
  -H "ld-api-key: YOUR_API_KEY"

{
  "data": [
    {
      "id": 1,
      "email": "user@example.com",
      "name": "Jane Smith",
      "active": true,
      "roles": ["admin"],
      "created_at": "2025-01-15T10:30:00Z"
    }
  ],
  "page": 1,
  "results": 10,
  "total": 1
}

Update a Member

curl -X PUT https://api.laserdata.cloud/tenants/{tenant_id}/members/{member_id} \
  -H "ld-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "active": true,
    "roles": [123, 456]
  }'

Remove a Member

curl -X DELETE https://api.laserdata.cloud/tenants/{tenant_id}/members/{member_id} \
  -H "ld-api-key: YOUR_API_KEY"

Create a Custom Role

curl -X POST https://api.laserdata.cloud/tenants/{tenant_id}/roles \
  -H "ld-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "developer",
    "permissions": {
      "tenant": ["info:read", "member:read", "division:read"],
      "division": ["environment:read", "environment:manage"],
      "divisions": {
        "1": {
          "permissions": ["environment:read"],
          "environment": ["deployment:read", "deployment:manage"],
          "environments": {
            "2": ["deployment:read", "deployment:manage", "deployment:telemetry:read"]
          }
        }
      }
    }
  }'

List Roles

curl "https://api.laserdata.cloud/tenants/{tenant_id}/roles?page=1&results=10" \
  -H "ld-api-key: YOUR_API_KEY"

{
  "data": [
    {
      "id": 1,
      "name": "admin",
      "kind": "built_in"
    },
    {
      "id": 2,
      "name": "developer",
      "kind": "custom"
    }
  ],
  "page": 1,
  "results": 10,
  "total": 2
}

Assign Members to a Role

curl -X PUT https://api.laserdata.cloud/tenants/{tenant_id}/roles/{role_id}/members/assign \
  -H "ld-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "members": [1, 2, 3]
  }'

Revoke Members from a Role

curl -X PUT https://api.laserdata.cloud/tenants/{tenant_id}/roles/{role_id}/members/revoke \
  -H "ld-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "members": [1]
  }'

Delete a Role

curl -X DELETE https://api.laserdata.cloud/tenants/{tenant_id}/roles/{role_id} \
  -H "ld-api-key: YOUR_API_KEY"

List Invitations

curl "https://api.laserdata.cloud/tenants/{tenant_id}/invitations?page=1&results=10" \
  -H "ld-api-key: YOUR_API_KEY"

Delete an Invitation

curl -X DELETE https://api.laserdata.cloud/tenants/{tenant_id}/invitations/{invitation_id} \
  -H "ld-api-key: YOUR_API_KEY"