'%20filter='url(%23b)'%20transform='translate(0%20-286)'/%3e%3cpath%20d='M1636.5%20147c-123.436%200-223.5%20102.975-223.5%20230s100.064%20230%20223.5%20230S1860%20504.025%201860%20377c-.143-126.964-100.124-229.853-223.5-230Zm107.16%20308.341c-1.892%202.323-4.973%203.231-7.78%202.295l-98.896-32.908-98.896%2032.908c-2.807.933-5.884.022-7.774-2.3-1.89-2.32-2.212-5.587-.815-8.25l101.128-192.49c1.376-2.238%203.776-3.596%206.357-3.596%202.58%200%204.981%201.358%206.357%203.596l101.128%20192.49c1.401%202.663%201.08%205.932-.81%208.255Z'%20fill='url(%23c)'%20filter='url(%23d)'%20transform='translate(0%20-286)'/%3e%3c/g%3e%3c/svg%3e)
Access control and permissions
Loopback uses role-based access control (RBAC) at organization, project, and workspace granularity. This page translates internal permission keys into plain-language capabilities so you can design roles and audits.
Rule of thumb: if an action touches infrastructure, secrets, or money, it has a dedicated permission — not just “workspace read”.
How enforcement works (conceptually)
- Your account has memberships in organizations.
- Each membership assigns roles.
- Each role grants allow on permission keys for specific resources (org-wide, or narrowed to a project / workspace).
- Every API action checks read / create / update / delete / execute as appropriate.
Organization-level permission areas
- Organization — core org read/update (profile, status-adjacent fields as exposed).
- Organization.billing — invoices, spending, financial settings.
- Organization.project — list/create/update projects.
- Organization.membership — add/remove members, change their roles (where UI exposes).
- Organization.membership_invite — invite users.
- Organization.role — manage custom roles.
- Organization.payment_method — cards/SEPA.
- Organization.authentication_provider — IdP for Loopback login.
- Organization.domain — domain records.
- Organization.dns_record / organization.dns_record_zone — DNS at org scope.
- Organization.firewall / organization.firewall.rule — org firewalls (legacy paths may exist).
- Organization.notification_channel — alert destinations.
- Organization.monitoring_source — monitoring catalog entries.
- Organization.bundle (+ repository, environment, revision, image, manifest, deployment) — bundles lifecycle.
Project-level permission areas
- Project.dns_zone — project DNS zones.
- Project.object_store — list/create buckets.
- Project.object_store.credentials — issue/rotate keys.
- Project.object_store.policy — policy docs.
- Project.load_balancer (+ target, service) — project LBs.
- Project.monitoring_object (+ condition, state) — configure probes.
- Project.monitoring.alert — view/ack alerts (exact split depends on UI).
- Project.bundle.environment / project.bundle.revision — bundle helpers scoped to project navigation.
Workspace-level permission areas
- Project.workspace — baseline workspace CRUD and read.
- Project.workspace.kubernetes — Kubernetes metadata (versions list, etc.).
- Project.workspace.kubernetes.deployments — view/manage deployment listings exposed to portal.
- Project.workspace.kubernetes.kubeconf — download admin kubeconfig.
- Project.workspace.kubernetes.authenticate — retrieve OIDC kubeconfig / exec permission.
- Project.workspace.kubernetes.secrets — portal access to Kubernetes secret workflows (if enabled).
- Project.workspace.host — list/order/delete hosts.
- Project.workspace.host.shell_session — open remote shell sessions (highly sensitive).
- Project.workspace.agent_token — create/list/revoke agent install tokens.
- Project.workspace.scaling_group — autoscaling groups.
- Project.workspace.firewall / firewall.rule — workspace firewalls (environment-gated in some builds).
- Project.workspace.load_balancer (+ targets/services) — workspace-scoped LBs.
- Project.workspace.dns_zone — DNS zones pinned to workspace.
- Project.workspace.bundle.deployment — bundle deployments targeting this workspace.
Sensitive combinations (SOC2-minded)
| Capability | Risk |
|---|---|
| kubernetes.kubeconf | Full cluster admin file — treat as break-glass. |
| host.shell_session | Interactive root on servers — log heavily; time-bound. |
| object_store.credentials | Data exfiltration / bucket wipe. |
| agent_token create | Lets installer join malicious machines into workspace fleet. |
| billing | Financial fraud or invoice visibility. |
Audit
Many sensitive routes declare audit keys (e.g. kubeconfig download, host create, maintenance update). Your operator should forward audit logs to SIEM.