Roles
RAMP uses a comprehensive role-based access control (RBAC) system to govern who can view, edit, and manage resources. Roles exist at multiple levels and can be assigned to individual users or to groups.
Role Levels
Section titled “Role Levels”RAMP has four levels of roles:
| Level | Scope | Examples | Assigned By |
|---|---|---|---|
| Application Roles | Entire tenant | Administrator, SuperUser, GlobalTemplateEditor | Administrators |
| Template Roles | Single template | Template Owner, Template Editor | Template Owners |
| Instance Roles | Single instance | Instance Head, Executor, Observer | Instance Heads |
| System Roles | Single system | System Manager, Coordinator | Administrators, System Managers |
Application Roles (18 Roles)
Section titled “Application Roles (18 Roles)”Application roles are tenant-wide roles assigned through the Administration area. They fall into several categories.
Administrative Roles
Section titled “Administrative Roles”| Role | Value | Description |
|---|---|---|
| Administrator | 1 | Manages system settings, users, groups, and configuration. Cannot access content (templates, instances, systems) without additional roles. |
| SuperUser | 2 | Full access to all content. Bypasses most permission checks. Cannot edit completed/cancelled instances or use force actions. |
| TenantAdministrator | 3 | Manages multi-tenant infrastructure. Cannot access tenant content. Uses separate login at /_tenantadmin/login. Only available when multi-tenancy is enabled. |
Global Template Roles
Section titled “Global Template Roles”Global template roles grant permissions across all templates in the system, including templates created in the future.
| Role | Value | Description |
|---|---|---|
| GlobalTemplateOwner | 11 | Full control of all templates: edit settings, assign roles, publish, approve, delete. |
| GlobalTemplateEditor | 12 | Edit and publish on all templates. Cannot delete templates or assign roles. |
| GlobalTemplateViewer | 13 | Read-only access to all templates. Can add comments. |
| GlobalTemplateApprover | 14 | Can approve published versions on all templates. |
Global Instance Roles
Section titled “Global Instance Roles”Global instance roles grant permissions across all instances in the system.
| Role | Value | Description |
|---|---|---|
| GlobalInstanceHead | 20 | Full control of all instances: manage team, control lifecycle, force actions. |
| GlobalInstanceDeputyHead | 21 | Nearly full control. Cannot assign Instance Head role. |
| GlobalInstanceEditor | 22 | Edit notes and comments on all instances. Edit draft properties. |
| GlobalInstanceExecutor | 23 | Execute steps on all instances. Start instances. |
| GlobalInstanceObserver | 24 | Read-only access to all instances. Can add comments. |
Other Application Roles
Section titled “Other Application Roles”| Role | Value | Description |
|---|---|---|
| TemplateCreator | 10 | Can create new templates. Automatically becomes Template Owner on created templates. |
| SystemManager | 30 | Can manage systems: add stages, assign system roles. |
| CalendarManager | 50 | Can manage calendars, time zones, and holidays. |
| MessageSubscriber | 60 | Receives general system notifications. |
| PreEscalationSubscriber | 61 | Receives pre-escalation warnings. |
| EscalationSubscriber | 62 | Receives escalation alerts. |
When to Use Global Roles
Section titled “When to Use Global Roles”Use global roles. Assigning roles to individual templates and instances creates unnecessary overhead when the same people work across everything.
Example: Instead of assigning John as Template Editor on 50 templates individually, assign him GlobalTemplateEditor once.
Use individual role assignments. Different teams own different templates and instances, and access should be restricted to what each person needs.
Example: The database team gets Template Editor on database templates only, while the networking team gets their own set of templates.
Template Roles (4 Roles)
Section titled “Template Roles (4 Roles)”Template roles are assigned per template and control what a user can do with that specific template.
| Role | Description | Can Edit | Can Publish | Can Approve | Can Delete | Can Assign Roles |
|---|---|---|---|---|---|---|
| Template Owner | Full control of the template | Yes | Yes | Yes | Yes | Yes |
| Template Editor | Edit and publish versions | Yes | Yes | No | No | No |
| Template Viewer | Read-only access | No | No | No | No | No |
| Template Approver | Approve published versions | No | No | Yes | No | No |
Assigning Template Roles
Section titled “Assigning Template Roles”- Navigate to the template.
- Open the Roles tab.
- Click Add Team Member.
- Select the user and the desired role.
- Click Assign.
Instance Roles (5 Roles)
Section titled “Instance Roles (5 Roles)”Instance roles are assigned per instance and control what a user can do during the instance lifecycle.
| Role | Description | Edit Properties | Execute Steps | Force Actions | Manage Team |
|---|---|---|---|---|---|
| Instance Head | Full instance control | Draft/Planned | Yes | Yes | Yes |
| Deputy Head | Nearly full control | Draft/Planned | Yes | Yes | Partial |
| Editor | Edit notes and drafts | Draft only | No | No | No |
| Executor | Execute steps | No | Yes | No | No |
| Observer | Read-only with comments | No | No | No | No |
Assigning Instance Roles
Section titled “Assigning Instance Roles”- Navigate to the instance.
- Open the Team tab.
- Click Add Team Member.
- Search for the user in the member search dialog.
- Select the role.
- Click Assign.
Force Actions
Section titled “Force Actions”Force actions are powerful operations reserved for Instance Head and Deputy Head roles. They allow overriding the normal step workflow.
| Action | Description |
|---|---|
| Force Complete (F-OK) | Force a step to completed status regardless of its current state |
| Force Skip (F-SKIP) | Force a step to be skipped |
| Force Abort (F-ABORT) | Force a step to be aborted |
| Force Cancel | Force cancel the entire instance |
System Roles (2 Roles)
Section titled “System Roles (2 Roles)”System roles are assigned per system and control management and coordination.
| Role | Description |
|---|---|
| Coordinator | System-scoped coordination. Automatically receives Template Viewer and Instance Observer for all items in the system. Can edit release planning. |
| Deputy Coordinator | Same permissions as Coordinator (supports organizational hierarchy). |
Coordinators and Deputy Coordinators automatically gain visibility into all templates and instances associated with their system, without needing explicit template or instance role assignments.
Permission Hierarchy
Section titled “Permission Hierarchy”How Permissions Are Resolved
Section titled “How Permissions Are Resolved”RAMP evaluates permissions in the following order:
- SuperUser check — SuperUser bypasses most permission checks (except read-only objects and force actions).
- Global role check — global roles are checked before entity-specific assignments.
- Entity role check — template, instance, or system-specific roles are evaluated.
- Group role inheritance — roles inherited through group membership are included.
- Most permissive wins — when a user has multiple roles, the most permissive role determines access.
Combining Roles
Section titled “Combining Roles”When a user has both global roles and entity-specific roles, the most permissive applies:
| Global Role | Entity Role | Effective Permission |
|---|---|---|
| GlobalTemplateViewer | Template Owner on Template A | Viewer on all templates, Owner on Template A |
| GlobalTemplateEditor | Template Viewer on Template B | Editor on all templates (including B) |
| GlobalInstanceObserver | Instance Head on Instance X | Observer on all instances, Head on Instance X |
| (none) | Template Editor on Template C | Editor on Template C only |
Special Rules
Section titled “Special Rules”- Administrator content block — Administrator alone cannot access content. Combine with content roles for access.
- TenantAdministrator isolation — TenantAdministrator has no access to any tenant content. This is enforced at the authorization level.
- Read-only objects — Completed and Cancelled instances are immutable. Even SuperUser cannot edit them.
- Last owner protection — the last Template Owner or Instance Head cannot be removed. At least one must always remain.
Feature Permission Matrix
Section titled “Feature Permission Matrix”Template Actions
Section titled “Template Actions”| Action | SuperUser | Admin | GlobalTemplateOwner | GlobalTemplateEditor | GlobalTemplateViewer | TemplateOwner | TemplateEditor | TemplateViewer |
|---|---|---|---|---|---|---|---|---|
| View | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes |
| Create | Yes | No | Yes | Yes | No | — | — | — |
| Edit settings | Yes | No | Yes | Yes | No | Yes | No | No |
| Create version | Yes | No | Yes | Yes | No | Yes | Yes | No |
| Publish version | Yes | No | Yes | Yes | No | Yes | No | No |
| Approve version | Yes | No | Yes | No | No | Yes | No | No |
| Delete | Yes | No | Yes | No | No | Yes | No | No |
| Assign roles | Yes | No | Yes | No | No | Yes | No | No |
Instance Actions
Section titled “Instance Actions”| Action | SuperUser | GlobalInstanceHead | GlobalInstanceDeputyHead | InstanceHead | DeputyHead | Editor | Executor | Observer |
|---|---|---|---|---|---|---|---|---|
| View | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Edit (Draft) | Yes | Yes | Yes | Yes | Yes | Yes | No | No |
| Set Planned | Yes | Yes | Yes | Yes | Yes | No | No | No |
| Start (Running) | Yes | Yes | Yes | Yes | Yes | No | Yes | No |
| Pause | Yes | Yes | Yes | Yes | Yes | No | No | No |
| Complete | Yes | Yes | Yes | Yes | Yes | No | No | No |
| Cancel | Yes | Yes | No | Yes | No | No | No | No |
| Force actions | No | Yes | Yes | Yes | Yes | No | No | No |
| Execute steps | Yes | Yes | Yes | Yes | Yes | No | Yes | No |
| Assign team | Yes | Yes | No | Yes | Partial | No | No | No |
Auditing Role Changes
Section titled “Auditing Role Changes”All role assignments and removals are logged in the audit trail:
- Template roles — visible in the template’s History tab
- Instance roles — visible in the instance’s History tab
- Application roles — visible in the Tenant Admin Audit Log
Best Practices
Section titled “Best Practices”- Least privilege — assign the minimum role needed. Start with Viewer or Observer, promote as needed.
- Use groups — assign roles to groups rather than individuals for easier management.
- Multiple owners — assign at least two Template Owners per template and two Instance Heads per instance for redundancy.
- Regular audits — review role assignments quarterly. Remove roles from departed or reassigned staff.
- Limit SuperUser — restrict SuperUser to fewer than five users. Use global roles for broader access instead.
- Separate Administrator from content — keep the Administrator role for system management. Assign content roles explicitly where needed.
Related topics
Section titled “Related topics” Members Manage tenant members, invite users, and assign application-level roles
Groups Create and manage groups for organizing users and simplifying role assignments