Roles and permissions

NovaVMS has five roles. This page lists every capability each role has.

The five roles

• Owner — one per org. Billing, transfer-ownership, org deletion, NovaVMS Support toggle.
• Admin — org-wide governance. Users, roles, audit log, LLM model, secrets.
• Operator — org-wide operations. Cameras, gateways, alert rules, prompt packs.
• Viewer — site-scoped read. Live streams and events at assigned sites only.
• Platform admin — cross-org via 30-minute scoped impersonation. Novalien staff only.

Capability matrix

Capability	Owner	Admin	Operator	Viewer	Platform admin
Governance — identity, secrets, compliance
Create / edit / disable users	yes	yes	no	no	yes (impersonated)
Change a user’s role	yes	yes¹	no	no	yes¹ (impersonated)
Reset another user’s password	yes	yes	no	no	yes (impersonated)
Manage user’s site access	yes	yes	no	no	yes (impersonated)
View / revoke sessions	yes	yes	no	no	yes (impersonated)
View the org audit log	yes	yes	no	no	yes (impersonated)
Sites CRUD	yes	yes	no	no	yes (impersonated)
Organization settings (name, password policy)	yes	yes	no	no	yes (impersonated)
LLM model selection (provider, API key, cost caps)	yes	yes	no	no	yes (impersonated)
Webhook secret view / rotation	yes	yes	no	no	yes (impersonated)
Create / revoke service account API keys	yes	yes	no	no	yes (impersonated)
Operations — devices, rules, tuning
Gateways: pair / rename / delete	yes	yes	yes	no	yes (impersonated)
Cameras CRUD + stream config	yes	yes	yes	no	yes (impersonated)
Manual record clip (trigger button)	yes	yes	yes	no	yes (impersonated)
Alert rules CRUD	yes	yes	yes	no	yes (impersonated)
Webhook definition CRUD (URL, events, name)	yes	yes	yes	no	yes (impersonated)
Prompt packs (content + per-camera assignment)	yes	yes	yes	no	yes (impersonated)
Grids CRUD	yes	yes	yes²	no	yes (impersonated)
Event acknowledge / star / notes / chat	yes	yes	yes	no	yes (impersonated)
Read / self-service
View live streams and events	org-wide	org-wide	org-wide	site-scoped	org-wide (impersonated)
View dashboard	org-wide	org-wide	org-wide	site-scoped	org-wide (impersonated)
Edit own profile and notifications	yes	yes	yes	yes	n/a
Change own password	yes	yes	yes	yes	n/a
Owner-only
Transfer ownership	yes	no	no	no	no³
View billing / invoices	yes	no	no	no	no³
Delete the organization	yes	no	no	no	no³ (uses platform-tier endpoint instead)
Toggle “Allow NovaVMS Support Access”	yes	no	no	no	no³
Platform-only
Provision a new customer org	no	no	no	no	yes
Start scoped impersonation into an org	no	no	no	no	yes
View platform audit log	no	no	no	no	yes

¹ Admin role-changes limited to viewer <-> operator <-> admin. Cannot promote to owner. Cannot demote the current owner. Last admin cannot be demoted. ² Operators can edit and delete only grids they created. Admins and owners can edit any grid. ³ Platform impersonation always mints an admin role token. Owner-only endpoints reject any request carrying an impersonation_id.

Role containment

owner ⊃ admin ⊃ operator ⊃ viewer. Each role has every capability of every role below it, plus its own. Platform admin is cross-org via scoped impersonation — see Five-role RBAC.

Where each role’s UI lives

Sidebar section	Route prefix	Roles that see it
Live, Events, Dashboard	/, /live, /events	All roles (viewers site-scoped)
Cameras, Gateways, Alert Rules, Prompt Packs, Grids, Webhook Definitions	/cameras, /gateways, /alerts/rules, /settings/prompt-packs, /grids, /settings/webhooks	Operator, Admin, Owner
Users, Sites, Audit Log, Org Settings, AI Model, Webhook Secrets, API Keys	/admin/*, /settings/ai/model, /admin/service-accounts	Admin, Owner
Billing, Transfer Ownership, Danger Zone	/owner/*, /settings (billing tab)	Owner only
Platform console, Impersonation, Platform audit	/platform/*	Platform admin only

Frontend hides sections the user cannot access. The backend independently rejects with 403 on direct URL access.

Related

• Five-role RBAC — why we split governance and operations
• Audit actions — what each role’s actions look like in the log