Auth & Security

Authorization

Overview

Authorization is enforced via role-based access control (RBAC) at organization, team, and resource levels. Permissions cover Console navigation, API operations, agent enablement, release gate configuration, and Admin Center access.

Service accounts used for automation should receive a minimal role: typically the QA Engineer role, or a custom role that holds only runs:create and projects:read.

Who should read this

  • QA engineers, SREs, platform teams, and developers operating Zof Console and APIs.

When to use this workflow

  • Onboarding new team members to Zof terminology and workflows
  • Authoring internal runbooks aligned with Console labels
  • Designing CI/CD or webhook integrations against documented behavior

Step-by-step procedure

Review default roles

Admin Center → Roles → inspect built-in role permission matrices.

Document which roles can approve remediation, edit release gates, and manage API keys.

Assign roles to members

Admin Center → Users → select member → assign organization role.

Apply team-level overrides where a large organization needs a member's scope to differ per team; the override takes effect only within that team.

Validate API enforcement

In staging, attempt a restricted operation with a lower-privilege API key.

Confirm that the API returns 403 Forbidden with a clear, machine-readable error code before wiring the key into production automation.

Key concepts

Organization Admin
Full Admin Center access including billing, security, and policy packs.
QA Lead
Manage test assets, approve release gates, view all runs in scope.
Engineer
Trigger runs, view results, limited policy configuration.
Viewer
Read-only access to dashboards and reports.

Best practices

  • Apply the principle of least privilege to automation service accounts
  • Review role changes in the Admin Center audit log at least monthly
  • Separate approvers from executors in governed remediation workflows, so the principal who executed a remediation cannot also approve it
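The decision logic described on this page (organization role, optional team-level override, deny by default, 403 with an error code on denial, and approver/executor separation for remediation), as an added worked example in Python. This is illustrative code written for this page, not Zof's own authorization implementation. Only the permission strings runs:create and projects:read come from the page; the other permission names, the "ci-runner" custom role, the error codes and the principals and remediation record are constructed for the example.

```python
"""Illustrative RBAC evaluator modelled on the roles described on this page.

Not Zof's code. runs:create and projects:read are taken from the page; every
other permission string, the ci-runner role and the error codes are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Built-in roles from the page mapped to assumed permission strings.
# "*" stands for every permission (Organization Admin has full access).
ROLES: Dict[str, Set[str]] = {
    "Organization Admin": {"*"},
    "QA Lead": {"assets:manage", "gates:approve", "runs:create", "runs:read",
                "projects:read", "remediation:approve"},
    "Engineer": {"runs:create", "runs:read", "projects:read",
                 "remediation:execute"},
    "Viewer": {"runs:read", "projects:read"},
    # Minimal custom role for an automation service account, as the page recommends.
    "ci-runner": {"runs:create", "projects:read"},
}


@dataclass
class Principal:
    name: str
    org_role: str
    # Optional team-level overrides: team name -> role effective inside that team.
    team_roles: Dict[str, str] = field(default_factory=dict)


@dataclass
class Decision:
    allowed: bool
    status: int                        # HTTP status an enforcing API would return
    code: str                          # machine-readable code; "ok" when allowed
    effective_role: Optional[str] = None


def effective_role(principal: Principal, team: Optional[str]) -> str:
    """A team override wins inside that team; elsewhere the organization role applies."""
    if team is not None and team in principal.team_roles:
        return principal.team_roles[team]
    return principal.org_role


def authorize(principal: Principal, permission: str,
              team: Optional[str] = None) -> Decision:
    """Deny by default: an unknown role or a missing permission both yield 403."""
    role = effective_role(principal, team)
    granted = ROLES.get(role)
    if granted is None:
        return Decision(False, 403, "unknown_role", role)
    if "*" in granted or permission in granted:
        return Decision(True, 200, "ok", role)
    return Decision(False, 403, "forbidden", role)


@dataclass
class Remediation:
    id: str
    team: str
    executed_by: str                   # name of the principal that ran it
    approved_by: Optional[str] = None


def approve_remediation(actor: Principal, rem: Remediation) -> Decision:
    """Approval needs remediation:approve within the remediation's team, and the
    approver must not be the executor (separation of duties)."""
    decision = authorize(actor, "remediation:approve", team=rem.team)
    if not decision.allowed:
        return decision
    if actor.name == rem.executed_by:
        return Decision(False, 403, "separation_of_duties", decision.effective_role)
    rem.approved_by = actor.name
    return decision


if __name__ == "__main__":
    # Constructed principals for a quick staging-style check of enforcement.
    ci = Principal("ci-bot", "ci-runner")
    dana = Principal("dana", "Engineer", team_roles={"payments": "QA Lead"})
    for who, perm, team in [(ci, "runs:create", None), (ci, "gates:edit", None),
                            (dana, "gates:approve", "payments"),
                            (dana, "gates:approve", "web")]:
        d = authorize(who, perm, team)
        print(f"{who.name:8} {perm:20} team={team!s:9} -> {d.status} {d.code}")
    rem = Remediation("rem-1", "payments", executed_by="dana")
    print("dana approves own remediation ->", approve_remediation(dana, rem).code)
```

The same pattern applies to the "Validate API enforcement" step: a staging check should exercise a low-privilege key against an operation its role does not grant and assert on the 403 and the error code, not only on the absence of a success response.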
