The full list of System roles on Raff — three account-level (Admin, Billing, Member) and four project-level (Project Admin, Operator, Project Member, Viewer) — with every permission each one grants
Use this file to discover all available pages before exploring further.
Updated May 8, 2026This page is the spec sheet for the 7 System roles that ship with every Raff account. The model itself is on Roles, scopes, and the Owner; read it first if you haven’t.
These apply to a member at the account level. Account roles control account-wide concerns: who’s invited, billing, audit log, account-wide API keys, the list of projects.They do not grant access to project resources. A member with only an account role cannot see VMs, VPCs, IPs, or any other project resource until they’re explicitly given a project role on that project.
A purpose-built role for finance / accounting people who only need to see and pay invoices.
Category
Permission
Granted?
Billing
account.billing.view — View billing information
✅
account.billing.manage — Manage billing and payments
✅
Everything else is denied. The Billing role explicitly cannot see members, projects, audit logs, or any account settings — keeps the finance person scoped exactly to invoices and payment methods.
The lightest account role. Read-only at the account level, useful as a base for someone who’ll mostly work inside specific projects.
Category
Permission
Granted?
Account Settings
account.settings.view
✅
Members
account.members.view
✅
Projects
account.projects.view
✅
A typical pattern: invite a developer with Member at the account level (so they see who else is on the team and what projects exist), then grant them Project Member or Project Admin on the projects they actually work in.
These apply to a member on a specific project. Each grant pairs a member, a project, and one role — the same member can hold different roles on different projects.
Role
Description
Total permissions
Project Admin
Full project access
40
Operator
Manage resources without delete
~29
Project Member
Basic project access
~11
Viewer
Read-only project access
~9
The exact counts shift slightly as new resources land (Object Storage, Kubernetes, etc.); the dashboard’s role-detail view is always authoritative. The categories below show the structure.
Everything inside the project. The project-domain equivalent of “Owner without account access.”
Category
Permissions
Granted
Project Members
view / invite / manage / remove
4 / 4
Virtual Machines
view / create / delete / power / manage / console
6 / 6
Networking (VPC)
view / create / delete / manage
4 / 4
(Other resource categories)
View / create / manage / delete on every project resource
All
Use Project Admin when you want a member to fully run a project — VMs, networking, members, settings — without giving them anything at the account level.
Operator (~29 permissions — manage without delete)
Identical to Project Admin except destructive operations are removed: no vm.delete, no vpc.delete, no project.members.remove, etc. Operators can power, manage, and create — but not destroy.Useful for on-call rotations, deploy automation, and contractors who shouldn’t be able to wipe things out by accident.
A handful of read permissions on other resource types
The default level for most engineers — they can see everything in the project and do day-to-day operational tasks (reboot a VM, view logs/metrics) but they can’t create, delete, or modify configurations.
Pure read access. View VMs, view VPCs, view IPs, view members, view project settings — no power actions, no creates, no deletes, no console access.The right role for compliance / audit team members and read-only dashboards.
The “External customer” pattern uses the Project-only scope you see on the Members list — no account role, project roles only. Useful for white-labeled hosting, multi-tenant isolation, or any case where the member shouldn’t see anything outside their project.
