Skip to main content
Updated May 10, 2026 The raff role command group manages IAM roles. System roles (Owner, Admin, Operator, Member, etc.) are immutable and managed by the platform; only custom roles can be created here. Every subcommand supports --output json for scripting. Alias: raff roles.

Subcommand index

SubcommandWhat it does
listList roles
getShow details for one role
createCreate a custom role
updateUpdate a custom role
deleteDelete a custom role

list

raff role list [--scope account|project] [--output table|json]
List roles, optionally filtered by scope. Output columns: ID, NAME, SLUG, SCOPE, SYSTEM, PERMISSIONS (count).

get

raff role get <role-id>
Show full role details — name, slug, scope, system flag, description, full permission list.

create

raff role create \
  --name <name> \
  --slug <slug> \
  --scope account|project \
  --permission <perm-name> [--permission ...] \
  [--description <text>]
Create a custom role. Required: --name, --slug, --scope, at least one --permission. Pass --permission multiple times to add several permissions. Discover permission names via raff permission list --scope <scope>. 
# Account-scoped read-only role
raff role create --name "Auditor" --slug auditor --scope account \
  --permission account.audit.read \
  --permission billing.read \
  --description "Read-only access for compliance"

# Project-scoped VM operator
raff role create --name "VM Operator" --slug vm-operator --scope project \
  --permission vm.read --permission vm.power

update

raff role update <role-id> \
  [--name <name>] \
  [--description <text>] \
  [--permission <perm-name>]...
Update a custom role. At least one flag must be provided. Passing --permission replaces the entire permission set; omit to keep current permissions.

delete

raff role delete <role-id> [--force]
Delete a custom role. System roles cannot be deleted. Pass --force to skip the confirmation prompt.

Permission commands

Browse the permission catalog.

raff_role (Terraform)

Declarative role management.

Member commands

Assign roles to members.
Last modified on May 11, 2026