Roles Overview
NOFire AI provides four user roles, listed from least to most privileged:

| Role | Description |
|---|---|
| Viewer | Read-only access to view resources and investigations |
| Engineer | Can create and manage investigations and chat threads |
| Admin | Can configure integrations, settings, and Slack |
| Owner | Full control including user management and API keys |
Permission Matrix
The table below shows what each role can do:

| Resource | Viewer | Engineer | Admin | Owner |
|---|---|---|---|---|
| Account | View | View | View | View, Edit, Delete |
| Users | View, List | View, List | View, List | Full Control |
| API Keys | — | — | — | Full Control |
| Investigations | View, List | Full Control | Full Control | Full Control |
| Entities | View, List | View, List | View, List | View, List |
| Change Events | View, List | View, List | View, List | View, List |
| Connections | View, List | View, List | Full Control | Full Control |
| Settings | View | View | View, Edit | View, Edit |
| Slack | — | — | Full Control | Full Control |
| Chat Threads | View, List | Full Control | Full Control | Full Control |
| Audit Logs | — | — | — | View, List |
Full Control includes view, list, create, edit, and delete permissions for that resource.
Role Descriptions
Viewer
Best for stakeholders who need visibility without making changes.

- View dashboards, investigations, and entities
- List resources across the platform
- Cannot create, edit, or delete anything
Engineer
The default role for team members who actively use NOFire AI.

- Everything a Viewer can do
- Create and manage investigations
- Use chat threads for incident analysis
- Cannot modify integrations or settings
Admin
For team leads who manage integrations and platform configuration.

- Everything an Engineer can do
- Configure and manage integrations (connections)
- Modify platform settings
- Manage Slack integration
Owner
Reserved for account administrators with full platform control.

- Everything an Admin can do
- Invite, remove, and manage users
- Create and revoke API keys
- Access audit logs
- Delete the account
Every account must have at least one Owner. The user who creates the account is automatically assigned the Owner role.
API Key Permissions
API keys have separate permission sets based on their type:

| Key Type | Permissions |
|---|---|
| Edge | Entities: view, list, create, edit |
| MCP | Entities, Investigations, Change Events: view, list |
Managing Roles
To change a user’s role:

- Go to Account Settings → Users
- Find the user in the list
- Select their new role from the dropdown
- Changes take effect immediately
Only Owners can change user roles. Role changes are logged in the audit trail.
Best Practices
- Follow least privilege: Assign the minimum role needed for each user’s responsibilities. Most team members only need the Engineer role.
- Limit Owner access: Keep the number of Owners small. One or two per organization is typically sufficient.
- Use API keys appropriately: Choose the correct key type based on your integration needs. Edge keys for data ingestion, MCP keys for read-only integrations.
- Review roles regularly: Periodically audit user roles to ensure they still match responsibilities, especially after team changes.

For questions about RBAC configuration, contact [email protected].
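A periodic role review can be scripted against the permission matrix on this page. The following is an added example, not NOFire AI code: it transcribes the matrix, derives the least-privileged role that covers what each user needs, and flags over-privileged users and Owner counts. The input format, the function names, and the `max_owners=2` threshold are assumptions made for illustration.

```python
# Permission matrix transcribed from the table on this page (added example).
FULL = {"view", "list", "create", "edit", "delete"}
VL = {"view", "list"}
ROLES = ["Viewer", "Engineer", "Admin", "Owner"]  # least to most privileged
MATRIX = {  # resource -> permission set per role, in ROLES order
    "Account":        [{"view"}, {"view"}, {"view"}, {"view", "edit", "delete"}],
    "Users":          [VL, VL, VL, FULL],
    "API Keys":       [set(), set(), set(), FULL],
    "Investigations": [VL, FULL, FULL, FULL],
    "Entities":       [VL, VL, VL, VL],
    "Change Events":  [VL, VL, VL, VL],
    "Connections":    [VL, VL, FULL, FULL],
    "Settings":       [{"view"}, {"view"}, {"view", "edit"}, {"view", "edit"}],
    "Slack":          [set(), set(), FULL, FULL],
    "Chat Threads":   [VL, FULL, FULL, FULL],
    "Audit Logs":     [set(), set(), set(), VL],
}

def minimum_role(needs):
    """Least-privileged role granting every (resource, action) pair, or None."""
    for i, role in enumerate(ROLES):
        if all(action in MATRIX[res][i] for res, action in needs):
            return role
    return None  # e.g. Entities/create: no user role grants it

def audit(users, max_owners=2):
    """users: {name: (assigned_role, {(resource, action), ...})} -> findings."""
    findings = []
    for name, (assigned, needs) in sorted(users.items()):
        needed = minimum_role(needs)
        if needed is None:
            findings.append(f"{name}: no role grants all requested permissions")
        elif ROLES.index(assigned) > ROLES.index(needed):
            findings.append(f"{name}: {assigned} exceeds need, {needed} is sufficient")
        elif ROLES.index(assigned) < ROLES.index(needed):
            findings.append(f"{name}: {assigned} is insufficient, needs {needed}")
    owners = sum(1 for role, _ in users.values() if role == "Owner")
    if owners == 0:
        findings.append("account has no Owner")
    elif owners > max_owners:
        findings.append(f"{owners} Owners exceeds limit of {max_owners}")
    return findings

# Constructed sample input (hypothetical users, not from the page)
SAMPLE = {
    "alice": ("Owner", {("API Keys", "create"), ("Audit Logs", "view")}),
    "bob":   ("Admin", {("Investigations", "create"), ("Chat Threads", "edit")}),
    "carol": ("Engineer", {("Connections", "edit")}),
}
```

Calling `audit(SAMPLE)` reports that bob can be downgraded to Engineer and that carol's role does not cover editing connections.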

