Authlete Access Control & Permission Model

In Authlete, access control is implemented across three independent scopes:

  • Organization

  • Service

  • Client

Each scope supports two access levels:

  • Admin

  • Viewer

Privileges are explicitly assigned per scope and do not automatically inherit, allowing enforcement of least-privilege access.

1. Organization Privileges

Scope

Organization-level privileges govern tenant-wide administration and governance.

Organization Admin

An Organization Admin can:

  • Manage organization settings and metadata

  • Invite and manage users and assign permissions

  • Generate organization-level administrative access tokens

  • Perform service import / migration operations

  • View organization-wide audit logs

  • Perform irreversible administrative actions (e.g., organization deletion)

Organization Viewer

An Organization Viewer can:

  • View organization metadata (name, ID, plan)

  • View configuration screens in a read-only capacity

An Organization Viewer cannot:

  • Modify organization settings

  • Manage users or permissions

  • Generate administrative tokens

  • Perform imports, migrations, or destructive actions

  • Access audit logs

2. Service Privileges

Scope

Service-level privileges control the configuration and behavior of an individual OAuth / OpenID Connect authorization service.

Service Admin

A Service Admin can:

  • Configure OAuth/OIDC endpoints and flows

  • Manage grant types, response types, and token behavior

  • Configure cryptographic and security features (PKCE, mTLS, FAPI, CIBA, etc.)

  • Manage federation, dynamic client registration, and advanced protocol features

  • Generate service-level access tokens

  • Delete the service

These permissions directly affect runtime authentication and authorization behavior.

Service Viewer

A Service Viewer can:

  • View service configuration and settings in a read-only capacity

A Service Viewer cannot:

  • Modify endpoints or protocol behavior

  • Generate service tokens

  • Enable or disable security features

  • Delete the service

3. Client Privileges

Scope

Client-level privileges apply to OAuth / OpenID Connect client applications.

Client Admin

A Client Admin can:

  • Create, modify, rotate, and delete clients

  • Manage client credentials, redirect URIs, and client-specific settings

Client Viewer

A Client Viewer can:

  • View client configuration in a read-only capacity

A Client Viewer cannot:

  • Modify client configuration

  • Rotate secrets or delete clients

Permission Summary (Audit View)

  Permission Scope   Admin Capabilities                                  Viewer Capabilities
  Organization       Tenant administration, users, tokens, audit logs    Read-only organization visibility
  Service            Full authorization server configuration             Read-only service visibility
  Client             Full client lifecycle management                    Read-only client visibility
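As an added illustration (not Authlete's own code or API), the following policy checker models the rules above: three independent scopes, two levels, and no inheritance between scopes, so a grant is only looked up in the scope being requested. The action names and resource identifiers are hypothetical and chosen from the capability lists on this page.

```python
"""Minimal model of a per-scope Admin/Viewer permission check with no
cross-scope inheritance. Illustrative only; not Authlete's implementation."""
from enum import IntEnum


class Level(IntEnum):
    VIEWER = 1
    ADMIN = 2


# Level required per action, taken from the capability lists above.
# Action names are hypothetical; the product's own identifiers may differ.
REQUIRED_LEVEL = {
    "organization": {
        "view_metadata": Level.VIEWER, "manage_users": Level.ADMIN,
        "view_audit_logs": Level.ADMIN, "delete_organization": Level.ADMIN,
    },
    "service": {
        "view_config": Level.VIEWER, "configure_endpoints": Level.ADMIN,
        "generate_token": Level.ADMIN, "delete_service": Level.ADMIN,
    },
    "client": {
        "view_config": Level.VIEWER, "rotate_secret": Level.ADMIN,
        "delete_client": Level.ADMIN,
    },
}

# Grants are keyed by (scope, resource id). An Organization Admin holds no
# service- or client-level privilege unless one is explicitly granted.
Grants = dict[tuple[str, str], Level]


def is_allowed(grants: Grants, scope: str, resource: str, action: str) -> bool:
    """Deny by default; allow only if a grant in the *same* scope meets the bar."""
    required = REQUIRED_LEVEL.get(scope, {}).get(action)
    if required is None:
        return False  # unknown scope or action: fail closed
    held = grants.get((scope, resource))  # no fallback to a parent scope
    return held is not None and held >= required


def example_grants() -> Grants:
    """Constructed sample: org admin on org-1, but only viewer on svc-1."""
    return {("organization", "org-1"): Level.ADMIN,
            ("service", "svc-1"): Level.VIEWER}


if __name__ == "__main__":
    g = example_grants()
    print(is_allowed(g, "organization", "org-1", "view_audit_logs"))  # True
    print(is_allowed(g, "service", "svc-1", "delete_service"))         # False
    print(is_allowed(g, "client", "client-1", "view_config"))          # False
```

The second and third checks show the least-privilege property: organization admin rights do not carry over to a service the user only views, nor to a client with no grant at all.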