Roles and permissions

What Admin, Member, and Viewer roles can do in ADO Pilot, and the exact errors you see when a non-admin tries an admin-only action.

Last updated

ADO Pilot uses three organization roles to control access to settings, billing, team management, and repository configuration. Every member of your org has exactly one role, and only Admins can change settings or invite people.

The three roles

The dashboard shows the role descriptions on the Team page under Role permissions. The descriptions below reflect actual capability enforcement.

  • Admin — Full access to all settings, billing, team management, and repository configuration.
  • Member — Can view reviews. Cannot configure repository settings, change organization settings, manage members, or change notification settings.
  • Viewer — Read-only access to review history and repository status. Cannot change settings.

Capability matrix

ADO Pilot has three organization roles. The Role permissions card on the Team settings page in the dashboard shows each role's description.

  • Admin — Full access to all settings, billing, team management, and repository configuration.
  • Member — Can view reviews. Cannot configure repository settings, change organization settings, manage members, or change notification settings.
  • Viewer — Read-only access to review history and repository status. Cannot change settings.
CapabilityAdminMemberViewer
View dashboard, reviews, and findingsYesYesYes
View repository status and integration pageYesYesYes
View team membersYesYesYes
View pending invitesYesNoNo
View billing and subscriptionYesYesYes
Configure repository settingsYesNoNo
Change notification settingsYesNoNo
Test webhooksYesNoNo
Invite team membersYesNoNo
Cancel pending invitesYesNoNo
Remove team membersYesNoNo
Start Stripe checkoutYesNoNo
Open the Stripe billing portalYesNoNo
Change the overage capYesNoNo

What each role can read

All three roles share the same read access. Anyone in the org can:

  • Open the dashboard and view review history and findings.
  • View repository status and the Azure DevOps integration page.
  • See who is on the team.
  • View the current plan, usage, and invoices on the Billing page.

Read access is mostly shared across roles — the one exception is pending invites. Only Admins can see which invites are outstanding; Members and Viewers get an empty list, since invite emails are treated as PII.

What only Admins can do

The following actions return HTTP 403 for any caller whose role is not admin. Members and Viewers see these errors today; only the Admin role can perform them.

ActionEndpointError message returned to non-admins
Invite a team memberPOST /api/settings/teamOnly admins can invite team members
Cancel a pending inviteDELETE /api/settings/team?inviteId=…Only admins can manage team members
Remove a team memberDELETE /api/settings/team?memberId=…Only admins can manage team members
Start a Stripe checkoutPOST /api/billing/checkoutOnly admins can manage billing
Open the Stripe portalPOST /api/billing/portalOnly admins can manage billing
Change the overage capPUT /api/billing/overage-capOnly admins can change the overage cap
Change notification settingsPUT /api/settings/notificationsOnly admins can change notification settings
Send a test webhookPOST /api/settings/notifications/test-webhookOnly admins can test webhooks
Modify repository settingsPUT /api/settings/repositoriesOnly admins can modify repository settings

The error messages above are the literal strings returned by the API and asserted by the end-to-end test suite. If the dashboard surfaces one of these, the calling user does not have the Admin role.

The two billing endpoints — POST /api/billing/portal and PUT /api/billing/overage-cap — additionally require the calling admin to have recently re-confirmed their identity (a "step-up" check, valid for 15 minutes). If you have two-factor authentication enrolled, reconfirming means entering a fresh authenticator code; if you sign in with a password, it means re-entering that password; and if you sign in without a password — a magic link, an email code, or Sign in with Microsoft — it means entering a one-time code we email to your current address. Two-factor authentication is not required to use these endpoints. An admin whose step-up has expired is rejected with a 401 even though their role is admin; reconfirm your identity and retry. See Step-up re-authentication for details.

Member vs Viewer today

The dashboard shows separate descriptions for Member and Viewer, and the role badge on the team list reflects which role each user holds. At the API layer, both roles currently fall through the same orgRole !== "admin" gate, so a Member and a Viewer see the same 403 messages for the same actions. Plan future role separation based on the descriptions in the Role permissions card, not on observed API behavior.

Changing someone's role

Admins can change a member's role directly from the member list on the Team settings page. Click the three-dot action menu at the end of the member's row and choose Change role, then select the new role. The change takes effect immediately — no re-invite is required.