Roles & permissions

Policy-driven access control for Console operations.

Overview

Roles bundle permissions governing Console operations: viewing runs, editing tests, managing agents, configuring gates, approving remediation, and administering the tenant. Role-based access control enforces least privilege across QA, engineering, SRE, compliance, and administrator functions.

Enterprise deployments typically define custom role profiles mapped to job functions rather than assigning organization administrator broadly. Segregation of duties separates remediation initiation from approval, and directory administration from audit export.

Permissions are evaluated server-side on every action. UI visibility adapts to roles but must not be relied upon as a security boundary; unauthorized API requests receive forbidden responses regardless of interface state.

Who should read this

  • Organization administrators, security teams, and platform engineers designing enterprise RBAC models.

Prerequisites

  • Admin Center permission to view and assign roles
  • Documented access matrix mapping job functions to Console capabilities
  • Change management approval for role model modifications in regulated environments

When to use this workflow

  • Onboarding new team members to Zof terminology and workflows
  • Authoring internal runbooks aligned with Console labels
  • Designing CI/CD or webhook integrations against documented behavior

Step-by-step procedure

Inventory required capabilities

List the Console areas and actions each job function requires: Operate, Quality, Automation, Governance, Platform, Admin Center.

Identify high-risk permissions: remediation approval, API key management, role assignment, audit export.

Document segregation-of-duties constraints prohibiting conflicting permissions on single accounts.

Review built-in and custom roles

Open Admin Center → Directory → Roles to examine existing role profiles.

Compare built-in roles against your access matrix and note gaps requiring custom profiles.

Avoid permission creep by starting from minimal built-in roles and adding only necessary grants.

Create or refine role profiles

Define custom roles with descriptive names reflecting job functions: QA Engineer, Release Manager, Remediation Approver.

Grant permissions required for the function and explicitly omit high-risk grants not needed.

Peer-review role definitions with security stakeholders before production assignment.

Assign roles to users and teams

Bind roles to users based on current job function, not historical convenience.

Use team-scoped role assignment patterns where supported to simplify onboarding.

Verify effective permissions with test accounts before rolling out new role profiles broadly.

Communicate role model to teams

Publish internal documentation explaining how to request access changes.

Train managers on appropriate role requests for direct reports joining reliability workflows.

Include role names in onboarding checklists alongside team assignments.

Conduct periodic access reviews

Schedule quarterly reviews where team leads validate member role assignments.

Remove excessive permissions discovered during reviews promptly.

Export audit evidence of review completion for compliance records.
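As an added example, the following Python sketch models the role model described in this procedure and in the overview above. It is illustrative code, not Zof's own implementation or API: the permission strings, role names, the Directory structure and the sample tenant are all assumptions constructed for the example. It shows role profiles named after job functions, server-side evaluation of every action that deliberately ignores whatever the client claims about UI visibility, team-scoped bindings feeding a user's effective permissions, and a periodic access review that flags segregation-of-duties violations (one account able to both propose and approve remediation, or to both assign roles and export audit records), including violations that only arise from combining a direct binding with a team binding.

```python
from dataclasses import dataclass, field

# Permission identifiers are assumed names for the Console capabilities this
# page lists; they are not Zof's real permission strings.
ALL_PERMISSIONS = frozenset({
    "runs:view", "tests:edit", "agents:manage", "gates:configure",
    "remediation:propose", "remediation:approve",
    "roles:assign", "users:manage", "apikeys:manage", "audit:export",
})

# Role profiles named after job functions, as the page recommends. Each grants
# only what the function needs and omits high-risk grants it does not need.
ROLE_PROFILES: dict[str, frozenset[str]] = {
    "QA Engineer": frozenset({"runs:view", "tests:edit"}),
    "Release Manager": frozenset({"runs:view", "gates:configure", "remediation:propose"}),
    "Remediation Approver": frozenset({"runs:view", "remediation:approve"}),
    "Directory Admin": frozenset({"roles:assign", "users:manage"}),
    "Auditor": frozenset({"runs:view", "audit:export"}),
    "Organization Administrator": ALL_PERMISSIONS,
}

# Segregation-of-duties pairs from this page: one account must not hold both.
SOD_CONSTRAINTS = (
    ("remediation:propose", "remediation:approve"),
    ("roles:assign", "audit:export"),
)


@dataclass
class Directory:
    """User-level and team-level role bindings (the tenant's access matrix)."""
    user_roles: dict[str, set[str]] = field(default_factory=dict)
    team_roles: dict[str, set[str]] = field(default_factory=dict)
    memberships: dict[str, set[str]] = field(default_factory=dict)  # user -> teams


def effective_permissions(directory: Directory, user: str) -> frozenset[str]:
    """Union of permissions from roles bound directly and via team membership."""
    roles = set(directory.user_roles.get(user, set()))
    for team in directory.memberships.get(user, set()):
        roles |= directory.team_roles.get(team, set())
    perms: set[str] = set()
    for role in roles:
        perms |= ROLE_PROFILES[role]
    return frozenset(perms)


def authorize(directory: Directory, user: str, permission: str,
              ui_visible: bool = False) -> int:
    """Server-side decision for one action, returned as an HTTP-style status.

    ui_visible models whatever the client claims about its navigation state. It is
    deliberately never consulted: UI visibility is not a security boundary. Unknown
    permission names are rejected rather than silently allowed.
    """
    del ui_visible
    if permission not in ALL_PERMISSIONS:
        return 400
    if permission in effective_permissions(directory, user):
        return 200
    return 403


def sod_conflicts(perms: frozenset[str]) -> list[tuple[str, str]]:
    """Constraint pairs where the account holds both conflicting permissions."""
    return [pair for pair in SOD_CONSTRAINTS if pair[0] in perms and pair[1] in perms]


def review_access(directory: Directory) -> dict[str, list[tuple[str, str]]]:
    """Periodic access review: users whose effective permissions violate a
    segregation-of-duties constraint, evaluated over direct and team bindings."""
    users = set(directory.user_roles) | set(directory.memberships)
    findings: dict[str, list[tuple[str, str]]] = {}
    for user in sorted(users):
        conflicts = sod_conflicts(effective_permissions(directory, user))
        if conflicts:
            findings[user] = conflicts
    return findings


# Constructed sample tenant (not real data). bob's direct Release Manager binding
# is harmless on its own; the team binding adds approval rights and creates a
# conflict that a per-binding review would miss.
DIRECTORY = Directory(
    user_roles={"alice": {"QA Engineer"}, "bob": {"Release Manager"},
                "carol": {"Remediation Approver"}, "dave": {"Organization Administrator"}},
    team_roles={"release-oncall": {"Remediation Approver"}},
    memberships={"bob": {"release-oncall"}},
)

if __name__ == "__main__":
    # A stale UI may still render the approve button; the server still denies.
    print(authorize(DIRECTORY, "alice", "remediation:approve", ui_visible=True))
    for user, conflicts in review_access(DIRECTORY).items():
        print(user, conflicts)
```

The review flags dave as well: an organization administrator holds every permission and therefore violates both constraints, which is exactly why the page advises against assigning that role broadly. The review output is the kind of evidence the quarterly review step asks you to export.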

Key concepts

Organization scope
All Zof Console and API operations are isolated to your authenticated tenant.
Governed execution
Agent output and remediation follow policy packs with human approval when configured.

Best practices

  • Never assign organization administrator for convenience; use narrowly scoped custom roles.
  • Separate remediation proposer and approver permissions in production environments.
  • Rotate and review API-related permissions independently from UI role assignments.
  • Document role definitions in a version-controlled access matrix synchronized with Console config.
  • Test permission changes in a staging tenant or test organization before production rollout, where one is available.

Common issues

User receives 403 despite visible UI elements
Cached sessions may show stale navigation. Permissions are authoritative server-side; verify the role assignment and sign out and back in after changes.
Role changes not effective immediately
Allow brief propagation time. If the issue persists, confirm the assignment scope (organization versus team) and contact support with the user ID.
Over-privileged default roles
Audit new user default bindings. Replace broad defaults with function-specific roles during initial tenant hardening.