User Roles and Permissions
Quave ONE uses role-based access control (RBAC) at the account level. Each member of an account can hold one or more roles, and each role grants specific capabilities.
Overview
When you create an account you automatically receive all available roles. You can then invite other members and assign any combination of roles to each person.
Roles are stored per account, so the same user can have different roles in different accounts.
Available Roles
| Role | Description |
|---|---|
| Admin | Full control over account settings and secrets. |
| Technical | Intended for team members involved in technical operations. |
| Billing | Receives billing-related email notifications such as payment failures, invoice reminders, and savings plan updates. |
| Pod Access | Allows opening terminal (exec) sessions inside running containers. |
| Manage Members | Allows inviting new members, updating roles, and removing members from the account. |
| Audit | Allows viewing the account activity log with all user actions. |
Managing Roles
To manage roles for account members:
- Go to your account Members page
- Click the role badges next to a member's name
- Add or remove roles as needed
Role changes take effect immediately. When Admin is added or removed, an email notification is sent to the affected member.
Make sure at least one member retains the Admin role. Removing Admin from all members would lock everyone out of account management.
Environment-Level Access
Beyond roles, you can restrict which environments each member can see and interact with. This is an opt-in feature that admins enable on the Members page. Once enabled, you can assign specific environments to each member — members with restricted access only see their assigned environments across the dashboard, API, CLI, and MCP tools.
For full details, see Per-Environment Member Access.