You may restrict what actions each member of your account may take with Role
Based Access Control (RBAC). RBAC may be applied to Users, and it may also be
applied to an Invitation when inviting a collaborator to
join your ngrok account. You may configure RBAC from the team members
page of the dashboard.
All Users on your account have a Developer, Team and Billing role. Users may
optionally be assigned as an administrator which gives them full account
control.
The Developer role controls whether a user may create, modify or
delete objects like Domains, TCP Addresses, Edges, Log Destinations,
Authtokens, API Keys, etc. There are two possible values:

- Read/Write: A user can create, modify and delete any developer feature on
  the account. This does not include team management, billing, or account
  settings.
- Read-only: A user can view but NOT create, modify or delete developer
  features on the account. It is important to note that users with a read-only
  developer role can still see their personal authtoken and use the ngrok agent
  to create endpoints for applications.
The Team role controls whether a user may invite, remove and manage other team
members. There are three possible values:

- Manager: A user that can invite and remove other users from the account.
  They can also modify other users’ RBAC settings. They cannot modify or remove
  Administrators.
- Invite-only: A user can see other members of the account and invite new
  teammates to join the account. They cannot remove other account members or
  modify the privilege levels of other users.
- Read-only: A user can see other members of the account but cannot manage or
  invite other users.
The Billing role controls whether a user may update the account’s billing
details and subscription plan. There are two possible values:

- Billing access: A user may change the subscription plan, payment method,
  billing address and other details. Users with this permission may also view
  billing history.
- No billing access: A user may not view or modify any billing details.
Users with the Administrator role may take all actions within an account.
It is the only role that grants access to configure Account settings like SSO
and SCIM. Administrators may remove other administrators from the account.
Accounts must always have at least one administrator.
In addition to RBAC controls, you may further scope what an
Authtoken or SSH Public Key credential may do within your account by using
ACLs. For instance, you may restrict which endpoints a
credential may listen on with ACLs.
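
The role rules above can be turned into a periodic access review. The following is an added example, not ngrok code: the member list, its field names and the finding codes are constructed for illustration and do not reflect an ngrok API or export format.

```python
# Added example: least-privilege review of RBAC assignments as described above.
# MEMBERS, its field names and the finding codes are constructed assumptions.
DEVELOPER = {"read/write", "read-only"}
TEAM = {"manager", "invite-only", "read-only"}

MEMBERS = [  # constructed sample data; "pending" marks an unaccepted Invitation
    {"name": "alice", "admin": True,  "developer": "read/write",
     "team": "manager",   "billing": True,  "pending": False},
    {"name": "bob",   "admin": False, "developer": "read-only",
     "team": "read-only", "billing": False, "pending": False},
    {"name": "carol", "admin": False, "developer": "read/write",
     "team": "manager",   "billing": False, "pending": False},
    {"name": "dave",  "admin": True,  "developer": "read/write",
     "team": "manager",   "billing": True,  "pending": True},
]

def review(members):
    """Return (member, code, detail) findings for an access review."""
    findings = []
    for m in members:
        who = m["name"]
        if m["developer"] not in DEVELOPER or m["team"] not in TEAM:
            findings.append((who, "UNKNOWN_ROLE", "value not defined by the RBAC model"))
            continue
        # RBAC also applies to Invitations, so review them before acceptance.
        if m["pending"] and (m["admin"] or m["team"] == "manager"):
            findings.append((who, "ELEVATED_INVITE",
                             "invitation carries administrator or manager rights"))
        if m["admin"]:
            # Administrator grants full account control; other roles are moot.
            findings.append((who, "ADMIN",
                             "full control, including SSO and SCIM settings"))
            continue
        if m["team"] == "manager":
            findings.append((who, "MANAGER",
                             "can modify RBAC settings of non-administrators"))
        if m["developer"] == "read-only":
            # Read-only does not stop agent use; ACLs are the control for that.
            findings.append((who, "RO_CAN_TUNNEL",
                             "still has a personal authtoken and can create "
                             "endpoints; scope the credential with ACLs"))
    return findings

if __name__ == "__main__":
    for who, code, detail in review(MEMBERS):
        print(f"{who:6} {code:16} {detail}")
```
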