DocPipe uses role-based access control (RBAC) to manage what users can do. Each user is assigned a role, and each role has a set of permissions.
Permission model
Permissions follow the format Group.Resource.Action. For example, Core.Pipe.Read grants read access to pipes.
Permission groups
| Group | Resources | Description |
|---|
| Core | Pipe, File, Pipeline | Document processing resources |
| Account | User, Role, ApiKey, WebhookSigningKey | Organization management |
| ApiKeyAuth | Trigger | API key authentication actions (e.g., submitting files via HTTP trigger) |
| Billing | Subscription | Subscription and billing management |
Actions
Each resource supports up to four actions:
| Action | Description |
|---|
| Read | View the resource |
| Create | Create new instances |
| Update | Modify existing instances |
| Delete | Remove instances |
Implied permissions
Some permissions imply others. For example:
Core.Pipe.Update implies Core.Pipe.Read. You can’t update what you can’t seeCore.Pipe.Delete implies Core.Pipe.ReadCore.Pipe.Create implies Core.Pipe.Read
This means you don’t need to explicitly grant Read when granting Create, Update, or Delete.
Complete permission reference
Core permissions
| Permission | Description |
|---|
Core.Pipe.Read | View pipes and their settings |
Core.Pipe.Create | Create new pipes |
Core.Pipe.Update | Edit pipe settings, activate/deactivate |
Core.Pipe.Delete | Delete pipes |
Core.File.Read | View uploaded files |
Core.File.Create | Upload files |
Core.File.Update | Re-run files |
Core.File.Delete | Delete files |
Core.Pipeline.Read | View pipeline configurations |
Core.Pipeline.Create | Create pipelines |
Core.Pipeline.Update | Edit pipelines in the editor |
Core.Pipeline.Delete | Delete pipelines |
Account permissions
| Permission | Description |
|---|
Account.User.Read | View organization members |
Account.User.Create | Invite users |
Account.User.Update | Edit user roles |
Account.User.Delete | Remove users |
Account.Role.Read | View roles |
Account.Role.Create | Create roles |
Account.Role.Update | Edit roles and permissions |
Account.Role.Delete | Delete roles |
Account.ApiKey.Read | View API keys |
Account.ApiKey.Create | Generate API keys |
Account.ApiKey.Update | Edit API keys |
Account.ApiKey.Delete | Delete API keys |
Account.WebhookSigningKey.Read | View webhook signing keys |
Account.WebhookSigningKey.Create | Generate signing keys |
Account.WebhookSigningKey.Update | Edit signing keys |
Account.WebhookSigningKey.Delete | Delete signing keys |
API key auth permissions
| Permission | Description |
|---|
ApiKeyAuth.Trigger.Create | Submit files via HTTP trigger using an API key |
Billing permissions
| Permission | Description |
|---|
Billing.Subscription.Read | View subscription and billing details |
Billing.Subscription.Create | Create subscriptions |
Billing.Subscription.Update | Manage subscription settings |
Billing.Subscription.Delete | Cancel subscriptions |
Creating a custom role
- Go to Settings → Roles
- Click Create role
- Enter a role name
- Select the permissions to grant
- Click Save
Start with a minimal set of permissions and add more as needed. It’s easier to grant additional access than to revoke it.
