DocPipe uses role-based access control (RBAC) to manage what users can do. Each user is assigned a role, and each role has a set of permissions.
Permission model
Permissions follow the format Group.Resource.Action. For example, Core.Pipe.Read grants read access to pipes.
Permission groups
| Group | Resources | Description |
|---|
| Core | Pipe, Document, Pipeline, Template, Workspace, Run, Review, AlertRule | Document processing resources |
| Account | User, Role, ApiKey, WebhookSigningKey, Organization | Organization management |
| ApiKeyAuth | Trigger | API key authentication actions (e.g., submitting documents via webhook trigger) |
| Subscription | Plan | Subscription and billing management |
Actions
Each resource supports up to four actions:
| Action | Description |
|---|
| Read | View the resource |
| Create | Create new instances |
| Update | Modify existing instances |
| Delete | Remove instances |
Implied permissions
Some permissions imply others. For example:
Core.Pipe.Update implies Core.Pipe.Read. You can’t update what you can’t seeCore.Pipe.Delete implies Core.Pipe.ReadCore.Pipe.Create implies Core.Pipe.Read
This means you don’t need to explicitly grant Read when granting Create, Update, or Delete.
Baseline permissions
A few permissions are granted to every user automatically and cannot be revoked by a role. In the role permissions dialog, these show up as toggles that are always on and cannot be unchecked.
Today, the only baseline permission is:
Core.Workspace.Read: every user can see the workspaces they belong to.
Baseline permissions are enforced by DocPipe itself, not by the role. You do not need to grant them when creating a custom role, and you cannot take them away.
Complete permission reference
Core permissions
| Permission | Description |
|---|
Core.Pipe.Read | View pipes and their settings |
Core.Pipe.Create | Create new pipes |
Core.Pipe.Update | Edit pipe settings, activate/deactivate |
Core.Pipe.Delete | Delete pipes |
Core.Document.Read | View uploaded documents |
Core.Document.Create | Upload documents |
Core.Document.Update | Re-run documents |
Core.Document.Delete | Delete documents |
Core.Pipeline.Read | View pipeline configurations |
Core.Pipeline.Update | Edit pipelines in the editor |
Core.Run.Read | View runs |
Core.Run.Create | Start pipeline runs |
Core.Run.Update | Cancel runs |
Core.Review.Read | View review tasks |
Core.Review.Update | Approve or reject review tasks |
Core.Template.Read | View templates |
Core.Template.Create | Create templates |
Core.Template.Update | Edit templates |
Core.Template.Delete | Delete templates |
Core.Workspace.Read | View workspaces (baseline, granted to every user) |
Core.Workspace.Create | Create new workspaces |
Core.Workspace.Update | Rename workspaces |
Core.Workspace.Delete | Delete workspaces |
Core.AlertRule.Read | View alert rules |
Core.AlertRule.Create | Create new alert rules |
Core.AlertRule.Update | Edit alert rules |
Core.AlertRule.Delete | Delete alert rules |
Account permissions
| Permission | Description |
|---|
Account.User.Read | View organization members |
Account.User.Create | Invite users |
Account.User.Update | Edit user roles |
Account.User.Delete | Remove users |
Account.Role.Read | View roles |
Account.Role.Create | Create roles |
Account.Role.Update | Edit roles and permissions |
Account.Role.Delete | Delete roles |
Account.ApiKey.Read | View API keys |
Account.ApiKey.Create | Generate API keys |
Account.ApiKey.Update | Edit API keys |
Account.ApiKey.Delete | Delete API keys |
Account.WebhookSigningKey.Read | View webhook signing keys |
Account.WebhookSigningKey.Create | Generate signing keys |
Account.WebhookSigningKey.Delete | Delete signing keys |
Account.Organization.Read | View organization details |
Account.Organization.Update | Update organization name and settings |
Account.Organization.Delete | Delete the organization |
API key auth permissions
| Permission | Description |
|---|
ApiKeyAuth.Trigger.Create | Submit documents via webhook trigger using an API key |
Subscription permissions
| Permission | Description |
|---|
Subscription.Plan.Read | View subscription and billing details |
Subscription.Plan.Create | Create subscriptions |
Creating a custom role
- Go to Settings → Roles
- Click New Role
- Enter a role name
- Select the permissions to grant
- Click Save
A small number of toggles in the permission grid appear always on and cannot be unchecked. These are
baseline permissions that DocPipe grants to every user.
Start with a minimal set of permissions and add more as needed. It’s easier to grant additional access than to revoke it.
