
ADO Pilot uses three organization roles to control access to settings, billing, team management, and repository configuration. Every member of your org has exactly one role, and only **Admins** can change settings or invite people.

## The three roles

The dashboard shows the role descriptions on the **Team** page under **Role permissions**. The descriptions below reflect actual capability enforcement.

- **Admin** — Full access to all settings, billing, team management, and repository configuration.
- **Member** — Can view reviews. Cannot configure repository settings, change organization settings, manage members, or change notification settings.
- **Viewer** — Read-only access to review history and repository status. Cannot change settings.

## Capability matrix

ADO Pilot has three organization roles. The **Role permissions** card on the **Team** settings page in the dashboard shows each role's description.

- **Admin** — Full access to all settings, billing, team management, and repository configuration.
- **Member** — Can view reviews. Cannot configure repository settings, change organization settings, manage members, or change notification settings.
- **Viewer** — Read-only access to review history and repository status. Cannot change settings.

| Capability                                  | Admin | Member | Viewer |
| ------------------------------------------- | ----- | ------ | ------ |
| View dashboard, reviews, and findings       | Yes   | Yes    | Yes    |
| View repository status and integration page | Yes   | Yes    | Yes    |
| View team members                           | Yes   | Yes    | Yes    |
| View pending invites                        | Yes   | No     | No     |
| View billing and subscription               | Yes   | Yes    | Yes    |
| Configure repository settings               | Yes   | No     | No     |
| Change notification settings                | Yes   | No     | No     |
| Test webhooks                               | Yes   | No     | No     |
| Invite team members                         | Yes   | No     | No     |
| Cancel pending invites                      | Yes   | No     | No     |
| Remove team members                         | Yes   | No     | No     |
| Start Stripe checkout                       | Yes   | No     | No     |
| Open the Stripe billing portal              | Yes   | No     | No     |
| Change the overage cap                      | Yes   | No     | No     |

## What each role can read

All three roles share the same read access. Anyone in the org can:

- Open the dashboard and view review history and findings.
- View repository status and the Azure DevOps integration page.
- See who is on the team.
- View the current plan, usage, and invoices on the Billing page.

Read access is mostly shared across roles — the one exception is pending invites. Only Admins can see which invites are outstanding; Members and Viewers get an empty list, since invite emails are treated as PII.

## What only Admins can do

The following actions return HTTP 403 for any caller whose role is not `admin`. Members and Viewers see these errors today; only the Admin role can perform them.

| Action                       | Endpoint                                        | Error message returned to non-admins         |
| ---------------------------- | ----------------------------------------------- | -------------------------------------------- |
| Invite a team member         | `POST /api/settings/team`                       | Only admins can invite team members          |
| Cancel a pending invite      | `DELETE /api/settings/team?inviteId=…`          | Only admins can manage team members          |
| Remove a team member         | `DELETE /api/settings/team?memberId=…`          | Only admins can manage team members          |
| Start a Stripe checkout      | `POST /api/billing/checkout`                    | Only admins can manage billing               |
| Open the Stripe portal       | `POST /api/billing/portal`                      | Only admins can manage billing               |
| Change plan                  | `POST /api/billing/change-plan`                 | Only admins can manage billing               |
| Change the overage cap       | `PUT /api/billing/overage-cap`                  | Only admins can change the overage cap       |
| Change notification settings | `PUT /api/settings/notifications`               | Only admins can change notification settings |
| Send a test webhook          | `POST /api/settings/notifications/test-webhook` | Only admins can test webhooks                |
| Modify repository settings   | `PUT /api/settings/repositories`                | Only admins can modify repository settings   |

The error messages above are the literal strings returned by the API and asserted by the end-to-end test suite. If the dashboard surfaces one of these, the calling user does not have the Admin role.

The two billing endpoints — `POST /api/billing/portal` and `PUT /api/billing/overage-cap` — additionally require the calling admin to have recently re-confirmed their identity (a "step-up" check, valid for 15 minutes). If you have two-factor authentication enrolled, reconfirming means entering a fresh authenticator code; if you sign in with a password, it means re-entering that password; and if you sign in without a password — a magic link, an email code, or **Sign in with Microsoft** — it means entering a one-time code we email to your current address. Two-factor authentication is not required to use these endpoints. An admin whose step-up has expired is rejected with a `401` even though their role is `admin`; reconfirm your identity and retry. See [Step-up re-authentication](../trust/account-security.md#step-up-re-authentication) for details.

## Member vs Viewer today

The dashboard shows separate descriptions for **Member** and **Viewer**, and the role badge on the team list reflects which role each user holds. At the API layer, both roles currently fall through the same `orgRole !== "admin"` gate, so a Member and a Viewer see the same 403 messages for the same actions. Plan future role separation based on the descriptions in the **Role permissions** card, not on observed API behavior.

## Changing someone's role

Admins can change a member's role directly from the member list on the **Team** settings page. Click the three-dot action menu at the end of the member's row and choose **Change role**, then select the new role. The change takes effect immediately — no re-invite is required.

{% callout type="info" title="Choosing the right role" %}
Pick **Admin** only for people who manage your subscription or your repository configuration. Day-to-day reviewers should be **Members**. Stakeholders who only need to look at review history (auditors, managers) belong in **Viewer**.
{% /callout %}


