Roles and permissions
Owner, admin, SOC lead, analyst, viewer and auditor — enforced at the database.
Last updated 2/7/2026
SOCPilot uses six roles, enforced via row-level security in the database (not in the client).
Roles
- Owner — full control, including billing, security policies and disconnect
- Admin — can manage integrations, members, security and developer settings
- SOC Lead — can approve response actions, manage suppression rules and assign cases
- Analyst — can triage alerts, work investigations, generate briefs
- Viewer — read-only access to alerts, investigations and briefs (no approvals, no exports)
- Auditor — read-only access to compliance evidence packs and audit log
How roles are enforced
- Roles live in a dedicated user_roles table, never on the user or profile object. A role column on a row the user can edit would let a user grant themselves privileges.
- A SECURITY DEFINER has_role() function is the single point of role evaluation. Running as the function owner lets it read user_roles without granting users any access to that table.
- All RLS policies call has_role(), so application code cannot bypass it.
Workspace membership
Roles are scoped per organization (workspace). A user may hold different roles in different workspaces, which is typical for MSSPs.
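The following is an added example of the enforcement pattern described in "How roles are enforced" and "Workspace membership", written for this page and not SOCPilot's own schema. It assumes Postgres with the Supabase conventions auth.uid() (the calling user's id) and the authenticated role; the enum, column names and the alerts table are assumptions made for illustration, and only two of the page's role-to-permission rules are shown.

```sql
-- Added example, not SOCPilot's own schema. Assumes Postgres plus the
-- Supabase helpers auth.uid() and the "authenticated" role. Everything
-- except the names user_roles and has_role() is an assumption.

create type app_role as enum
  ('owner', 'admin', 'soc_lead', 'analyst', 'viewer', 'auditor');

-- Roles live in their own table, keyed per organization, so one user can
-- hold different roles in different workspaces. Nothing on a profile row
-- that the user can edit carries a role.
create table user_roles (
  user_id uuid     not null,
  org_id  uuid     not null,
  role    app_role not null,
  primary key (user_id, org_id, role)
);
alter table user_roles enable row level security;
-- No policies on user_roles and no direct grants: application users
-- cannot read or write it at all.
revoke all on user_roles from public, authenticated;

-- The single point of role evaluation. SECURITY DEFINER runs it as the
-- function owner, so it can read user_roles on the caller's behalf and a
-- policy on user_roles can never recurse into itself. search_path is
-- pinned so a caller cannot shadow user_roles with a same-named object.
create or replace function has_role(
  _user_id uuid,
  _org_id  uuid,
  variadic _roles app_role[]
) returns boolean
language sql
stable
security definer
set search_path = public
as $$
  select exists (
    select 1
    from user_roles
    where user_id = _user_id
      and org_id  = _org_id
      and role    = any (_roles)
  );
$$;

-- Functions are executable by public by default; restrict it.
-- Caveat: because the caller supplies _user_id, any authenticated user can
-- probe other users' roles. If that matters, drop the parameter and read
-- auth.uid() inside the function instead.
revoke execute on function has_role(uuid, uuid, app_role[]) from public;
grant  execute on function has_role(uuid, uuid, app_role[]) to authenticated;

-- A protected table (assumed): alerts belong to an organization.
create table alerts (
  id     bigint generated always as identity primary key,
  org_id uuid not null,
  title  text not null,
  status text not null default 'open'
);
alter table alerts enable row level security;

-- Every policy goes through has_role(); there is no second code path.
-- Read: owner, admin, SOC lead, analyst and viewer. Auditor is left out
-- because its access is limited to evidence packs and the audit log.
create policy alerts_read on alerts
  for select to authenticated
  using (has_role(auth.uid(), org_id,
                  'owner', 'admin', 'soc_lead', 'analyst', 'viewer'));

-- Triage (update): viewer is read-only, so it is left out.
create policy alerts_triage on alerts
  for update to authenticated
  using      (has_role(auth.uid(), org_id, 'owner', 'admin', 'soc_lead', 'analyst'))
  with check (has_role(auth.uid(), org_id, 'owner', 'admin', 'soc_lead', 'analyst'));

-- Sanity check from a session whose auth.uid() has no row in user_roles:
-- select * from alerts;   -- returns no rows rather than an error
```

Two checks worth running after deploying such a setup: confirm that an application role cannot `select * from user_roles` (it should fail with a permission error, not return an empty set), and confirm that `has_role()` still resolves `user_roles` when the session's search_path is changed, which is what the pinned `set search_path` guarantees.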