Roles and permissions

Owner, admin, SOC lead, analyst, viewer and auditor — enforced at the database.

Last updated 2/7/2026

SOCPilot uses six roles, enforced via row-level security in the database (not in the client).

Roles

  • Owner — full control, including billing, security policies and disconnect
  • Admin — can manage integrations, members, security and developer settings
  • SOC Lead — can approve response actions, manage suppression rules and assign cases
  • Analyst — can triage alerts, work investigations, generate briefs
  • Viewer — read-only access to alerts, investigations and briefs (no approvals, no exports)
  • Auditor — read-only access to compliance evidence packs and audit log

How roles are enforced

  • Roles live in a dedicated user_roles table — never on the user or profile object
  • A SECURITY DEFINER has_role() function is the single point of role evaluation
  • All RLS policies call has_role() — application code cannot bypass it
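The three bullets above describe a standard PostgreSQL pattern; the following is an added illustration of it, not SOCPilot's actual schema. The table and column names, the `app_role` enum, the `org_id` scoping, the `suppression_rules` table and the Supabase-style `auth.uid()` current-user function are all assumptions.

```sql
-- Added example (not SOCPilot's schema). Assumes PostgreSQL with RLS and a
-- current-user function auth.uid() (Supabase-style); all names are illustrative.

create type app_role as enum
  ('owner', 'admin', 'soc_lead', 'analyst', 'viewer', 'auditor');

-- Roles live in their own table, scoped per organization (workspace),
-- never as a column on the user/profile row the user can edit.
create table user_roles (
  user_id uuid not null,
  org_id  uuid not null,
  role    app_role not null,
  primary key (user_id, org_id, role)
);
alter table user_roles enable row level security;

-- Single point of role evaluation. SECURITY DEFINER lets it read user_roles
-- without going through that table's own RLS (which would otherwise recurse);
-- search_path is pinned so a caller cannot shadow the table it reads.
create or replace function has_role(_user_id uuid, _org_id uuid, _role app_role)
returns boolean
language sql
stable
security definer
set search_path = public
as $$
  select exists (
    select 1 from user_roles
    where user_id = _user_id and org_id = _org_id and role = _role
  );
$$;

-- user_roles itself is guarded by has_role(): members may read their own rows,
-- but only an owner or admin of that org may insert/update/delete them, so a
-- client cannot grant itself a role.
create policy "read own roles" on user_roles
  for select using (user_id = auth.uid());
create policy "owners and admins manage roles" on user_roles
  for all
  using (has_role(auth.uid(), org_id, 'owner') or has_role(auth.uid(), org_id, 'admin'))
  with check (has_role(auth.uid(), org_id, 'owner') or has_role(auth.uid(), org_id, 'admin'));

-- A resource policy follows the same shape: a SOC Lead (or admin/owner) of the
-- owning org may manage suppression rules; everyone else is denied by default.
alter table suppression_rules enable row level security;
create policy "soc lead manages suppression rules" on suppression_rules
  for all
  using (has_role(auth.uid(), org_id, 'soc_lead')
      or has_role(auth.uid(), org_id, 'admin')
      or has_role(auth.uid(), org_id, 'owner'));
```

Because every policy routes through `has_role()`, changing how a role is evaluated (for example, adding role expiry) is a single function change rather than an audit of every policy.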

Workspace membership

Roles are scoped per organization. A user may have different roles in different workspaces (typical for MSSPs).
