Roles & Permissions
Core Concepts
NOB.center uses module-scoped roles. Each user is assigned a predefined role independently for each module they have access to. A user might be a Viewer in CT-Log but have full Editor rights in DNS Monitoring.
How permissions work
When an admin invites a user, they select which modules the user should have access to, and for each module they pick one of the predefined roles listed below. The UI automatically hides or disables controls the user does not have permission to use. The API enforces the same rules server-side — a missing permission always returns HTTP 403.
Note
The user who signs up an organization automatically receives Administrator access to all modules and the Editor role in all monitoring modules. This cannot be revoked.
Predefined roles
CT-Log roles
| Role | Included permissions |
| --- | --- |
| Viewer | view_certificates, view_filters, view_rules, view_alerts, view_templates |
| Editor | All Viewer permissions + create_filters, update_filters, delete_filters, create_rules, update_rules, delete_rules, create_templates, update_templates, delete_templates |
DNS-Watcher roles
| Role | Included permissions |
| --- | --- |
| Viewer | view_domains, view_records, view_history, view_rules, view_alerts, view_templates |
| Editor | All Viewer permissions + create_domains, update_domains, delete_domains, create_records, update_records, delete_records, create_rules, update_rules, delete_rules, create_templates, update_templates, delete_templates |
RDAP roles
| Role | Included permissions |
| --- | --- |
| Viewer | view_whois_records, view_rules, view_alerts, view_templates |
| Editor | All Viewer permissions + create_monitors, update_monitors, delete_monitors, create_rules, update_rules, delete_rules, create_templates, update_templates, delete_templates |
Certificate-Watcher roles
| Role | Included permissions |
| --- | --- |
| Viewer | view_certificates, view_targets, view_history, view_rules, view_alerts, view_templates |
| Editor | All Viewer permissions + create_certificates, update_certificates, delete_certificates, create_targets, update_targets, delete_targets, create_rules, update_rules, delete_rules, create_templates, update_templates, delete_templates |
Administration roles
| Role | Included permissions |
| --- | --- |
| Member | view_users |
| Billing Manager | view_subscription, manage_subscription |
| Administrator | view_users, manage_users, manage_permissions, view_audit_logs, view_subscription, manage_subscription |
API Token roles
| Role | Included permissions |
| --- | --- |
| Token Manager | view_own_tokens, create_tokens, delete_tokens |
| Token Admin | All Token Manager permissions + view_all_tokens, revoke_all_tokens |
Permission reference
All individual permission names are listed below. These are the same permissions that can be granted individually to API tokens when you need finer-grained access control than the predefined roles provide.
CT-Log permissions
| Permission | What it allows |
| --- | --- |
| view_certificates | View certificate matches in the CT-Log feed |
| view_filters | View the list of domain filters |
| create_filters | Add new domain filters |
| update_filters | Edit existing filters (pattern, match type, enabled state) |
| delete_filters | Delete filters |
| view_rules | View alert rules |
| create_rules | Create new alert rules |
| update_rules | Edit existing alert rules |
| delete_rules | Delete alert rules |
| view_templates | View alert templates |
| create_templates | Create new alert templates |
| update_templates | Edit existing alert templates |
| delete_templates | Delete alert templates |
| view_alerts | View alert history |
DNS-Watcher permissions
| Permission | What it allows |
| --- | --- |
| view_domains | View monitored domains and recent changes |
| create_domains | Add new domains to monitoring |
| update_domains | Edit domain settings (notes, auto-discover) |
| delete_domains | Remove domains from monitoring |
| view_records | View monitored DNS records for a domain |
| create_records | Add DNS records to monitor |
| update_records | Enable or disable individual DNS records |
| delete_records | Remove DNS records from monitoring |
| view_history | Access DNS snapshot history and diffs |
| view_rules / create_rules / update_rules / delete_rules | Alert rule management |
| view_templates / create_templates / update_templates / delete_templates | Alert template management |
| view_alerts | View alert history |
RDAP permissions
| Permission | What it allows |
| --- | --- |
| view_whois_records | View monitored domains, snapshots, history, and diffs |
| create_monitors | Add domains to RDAP monitoring |
| update_monitors | Edit monitor settings (notes, enabled state) |
| delete_monitors | Remove domains from RDAP monitoring |
| view_rules / create_rules / update_rules / delete_rules | Alert rule management |
| view_templates / create_templates / update_templates / delete_templates | Alert template management |
| view_alerts | View alert history |
Certificate-Watcher permissions
| Permission | What it allows |
| --- | --- |
| view_certificates | View certificate monitors and scan results |
| create_certificates | Create new certificate monitors |
| update_certificates | Edit monitors or toggle enable/disable |
| delete_certificates | Delete certificate monitors |
| view_targets | View IP targets attached to a monitor |
| create_targets | Add IP targets |
| update_targets | Modify targets |
| delete_targets | Remove targets |
| view_history | Access certificate scan history and diffs |
| view_rules / create_rules / update_rules / delete_rules | Alert rule management |
| view_templates / create_templates / update_templates / delete_templates | Alert template management |
| view_alerts | View alert history |
Administration permissions
| Permission | What it allows |
| --- | --- |
| view_users | See the list of users in the organization |
| manage_users | Invite, edit, and remove users |
| view_audit_logs | Access the audit log |
| manage_permissions | Change user role assignments |
Billing permissions
| Permission | What it allows |
| --- | --- |
| view_subscription | View current subscription status and tier |
| manage_subscription | Upgrade, downgrade, or cancel subscription |
API Token permissions
| Permission | What it allows |
| --- | --- |
| view_own_tokens | List your own API tokens |
| create_tokens | Generate new API tokens |
| delete_tokens | Revoke your own tokens |
| view_all_tokens | View all tokens in the organization |
| revoke_all_tokens | Revoke any token in the organization |
Module access
A user must be assigned at least one role in a module to see that module's navigation entry. If no role is granted for a module, it is hidden entirely in the sidebar.
Roles are assigned at invite time and can be changed by an Administrator from Administration → Users.
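Several permission names (view_certificates, view_rules, delete_rules, ...) exist in more than one module, so a correct check has to key on the module as well as the permission. The sketch below models that for the CT-Log and Certificate-Watcher roles, together with the 403 and sidebar rules described above. It is an added example, not NOB.center's code; the module keys `ct_log` and `cert_watcher` and all function names are assumptions.

```python
# Added example: a model of module-scoped authorization, not NOB.center's code.
# Module keys ("ct_log", "cert_watcher") are assumed identifiers; role and
# permission names are taken from the role tables on this page.
CRUD = ("create", "update", "delete")

VIEWER = {
    "ct_log": {"view_certificates", "view_filters", "view_rules",
               "view_alerts", "view_templates"},
    "cert_watcher": {"view_certificates", "view_targets", "view_history",
                     "view_rules", "view_alerts", "view_templates"},
}
# "All Viewer permissions + ..." expands to create/update/delete on these objects.
EDITOR_OBJECTS = {
    "ct_log": ("filters", "rules", "templates"),
    "cert_watcher": ("certificates", "targets", "rules", "templates"),
}


def role_permissions(module, role):
    """Expand a predefined role into its permission set; unknown input gets nothing."""
    if module not in VIEWER or role not in ("Viewer", "Editor"):
        return set()  # fail closed
    perms = set(VIEWER[module])
    if role == "Editor":
        perms |= {f"{verb}_{obj}" for verb in CRUD for obj in EDITOR_OBJECTS[module]}
    return perms


def authorize(assignments, module, permission):
    """Return the HTTP status for a request needing `permission` in `module`."""
    role = assignments.get(module)  # the role is looked up per module, never globally
    return 200 if permission in role_permissions(module, role) else 403


def visible_modules(assignments):
    """Modules shown in the sidebar: only those where the user holds a role."""
    return sorted(m for m, role in assignments.items() if role_permissions(m, role))


# Constructed sample user: Viewer in CT-Log, Editor in Certificate-Watcher.
user = {"ct_log": "Viewer", "cert_watcher": "Editor"}
if __name__ == "__main__":
    for module, perm in [("cert_watcher", "delete_rules"), ("ct_log", "delete_rules"),
                         ("ct_log", "view_certificates"), ("dns_watcher", "view_rules")]:
        print(module, perm, authorize(user, module, perm))
    print(visible_modules(user))
```

The same delete_rules request is allowed in Certificate-Watcher and rejected with 403 in CT-Log, which is the behaviour to verify when testing tokens or roles against the real API.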