Skip to content

Access control

Explore roles, permissions, and access control options at an organization and database level.

Overview

When you set up your PlanetScale account, you're asked to create an Organization.

An organization is essentially a container for your databases, settings, and members. You can create multiple organizations in the same account for different applications or use cases. Within each organization, you can add members and assign them different roles. For even more control, you can assign roles at the database level within each organization as well.

Roles and permissions

We currently support three different roles in your organization:

Each role has a set of permissions assigned to it which determine what actions that role is allowed to take within an organization or database.

Organization Member

A member with the Organization Member role can only perform limited actions in an organization and on all databases in the organization.

You can find the complete set of permissions available to an Organization Member in the table below:

Organization-level permissions

PermissionsDescription
show_service_tokenView a service token in an organization
list_service_tokensView all service tokens in an organization
create_service_tokenCreate a service token in an organization
destroy_service_tokenDelete a service token in an organization
list_service_token_grantsView all service token grants in an organization
show_service_token_grantShow all service token grants in an organization
create_service_token_grantCreate a service token grant in an organization
destroy_service_token_grantDelete a service token grant in an organization
update_service_token_grantUpdate a service token grant in an organization
show_organizationView an organization
list_organization_membersView all members in an organization
show_organization_memberView a member in an organization
list_organization_audit_logsView all audit logs in an organization
update_integrationUpdate a third-party integration in an organization
list_databasesView all databases in an organization
show_databaseView a database in an organization
create_databaseCreate a new database in an organization

Database-level permissions

PermissionsDescription
list_database_membersView all members of a database in an organization
show_database_membersView a member of a database in an organization
request_deployCreate a deploy request of a database in an organization
show_branchView a branch of a database in an organization
show_databaseView a database in an organization
create_branchCreate a branch of a database in an organization
destroy_branchDelete a non-production branch of a database in an organization
list_query_statsView query statistics of a database in an organization
Note
These database-level permissions apply to all databases within an organization.

Database Administrator

A member with the Database Administrator role can perform all actions on the database for which they were assigned the Database Administrator role.

This role is assigned at the database level and therefore does not have any organization-level permissions. If you want to grant a member full access to manage one or several databases, but not the organization, then this is the role you want.

Database-level permissions

A Database Administrator has all of the "Database-level permissions" that an Organization Member has, as well as the following:

PermissionsDescription
update_databaseUpdate settings of a specific database
destroy_databaseDelete a specific database
add_database_memberAdd a member to a specific database
remove_database_memberRemove a member from a specific database
update_database_memberUpdate the role of a specific database member
promote_branchPromote a branch of a specific database to production branch
destroy_production_branchDelete the production branch of a specific database
update_database_billingUpdate the billing plan of a specific database

Organization Administrator

An Organization Administrator can perform all actions in an organization, as well as all actions on every database within that organization. To see a full list of the database-level permissions, refer to the Database Administrator list of permissions.

Organization-level permissions

An Organization Administrator has all of the "Organization-level permissions" that an Organization Member has, as well as the following:

PermissionsDescription
update_organizationUpdate the settings of an organization
destroy_organizationDelete an organization
update_organization_memberUpdate the role of an organization member
remove_organization_memberRemove a member from an organization
invite_organization_memberInvite a member to an organization
cancel_organization_inviteCancel a member invitation to an organization
list_organization_invitationsView all organization invitations
update_ssoUpdate single sign-on settings in an organization
list_billing_sourcesView all payment methods
add_billing_sourceCreate a new payment method
list_billing_summariesView all billing summaries
list_organization_invoicesView all organization invoices
download_organization_invoiceDownload an organization invoice
create_production_service_token_grantCreate a service token grant to connect to a production database branch

Assign organization roles to members

You can follow the steps below to assign roles to your members. You must be an Organization Administrator to modify member roles.

  • In the PlanetScale dashboard, click on the Settings tab in the top navigation.
  • Click on "Members" in the sidebar on the left.
  • From here, you can click on the dropdown on the right under the "Role" column to select the role you want to apply to each member.

You can also invite new members to your organization and assign roles once they accept their invitation. New members will be added with the Organization Member role by default.

Note
Member role management is issued at the organization level. Each organization in your account may have different members with different access levels.

Assign roles at a database level

To assign a member the role of Database Administrator, follow the steps outlined below. You must be an Organization Administrator or an existing Database Administrator to manage the Database Administrator role.

Note
Members that create a database are automatically assigned the role of Database Administrator for that database.
  • In the PlanetScale dashboard, click on the name of the database you want to add a Database Administrator to.
  • Click on the "Settings" tab in the top navigation.
  • Click on "Administrators" in the sidebar on the left.
  • To add an administrator, click on the "Add administrator" button and select the member you wish to add as a Database Administrator.
  • From here, you can also remove a Database Administrator by clicking the "Remove" button next to their name.

Need help?

Get help from PlanetScale's support team, or join our GitHub Discussion board to see how others are using PlanetScale.

Was this page useful?
Last updated on November 18, 2021
Help us improve this page
PrivacyTerms© 2021 PlanetScale Inc.