Permissions
Role-based access control with granular repository, organization, and team permissions.
Drok's permission system is role-based, hierarchical, and auditable. Every action on the platform — from reading a file to deleting an organization — is governed by a permission that can be traced to a specific role assignment.
Organization Roles
| Role | Description |
|---|---|
| Owner | Full administrative control over the organization |
| Admin | Manage teams, repositories, and organization settings. Cannot delete the organization or manage billing. |
| Member | Default role. Access repositories and teams per their specific permissions. |
| Billing Manager | Manage subscription and payment. No code access. |
Assigning Roles
drok org set-role my-org @alice --role admin
Repository Permissions
Repository access is granted through direct assignment or team membership:
| Permission | Clone | Push | Issues | MR Merge | Settings | Admin |
|---|---|---|---|---|---|---|
| Read | Yes | No | View | View | No | No |
| Triage | Yes | No | Manage | Manage (no merge) | No | No |
| Write | Yes | Yes (non-protected) | Manage | Merge (with approval) | No | No |
| Maintain | Yes | Yes | Manage | Merge | Limited | No |
| Admin | Yes | Yes | Manage | Merge | Full | Yes |
Direct Assignment
drok repo add-collaborator my-org/my-repo @alice --permission write
Through Teams
drok team add-repo my-org/backend my-org/my-repo --permission write
When a user has multiple permission grants (e.g., through multiple teams, or direct + team), the highest permission level applies.
Branch-Level Permissions
Fine-grained permissions can be applied at the branch level through branch protection rules. See Branch Protection for details.
Permission Inheritance
Permission inheritance follows this hierarchy:
- Organization role — Sets the baseline for all repositories in the organization
- Team membership — Grants additional access to repositories assigned to the team
- Direct repository assignment — Grants access to a specific repository
- Branch protection rules — Restricts actions on specific branches regardless of repository permission
Higher-level permissions do not override branch protection rules. An organization owner with admin access to a repository is still subject to branch protection requirements (required reviews, status checks) unless explicitly exempted.
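The resolution rules above (highest grant wins, branch protection still applies unless a user is explicitly exempted), modeled as an added Python example; this is not Drok's code, and `BranchRule`, the function names, the sample users, and reading "Merge (with approval)" as at least one approval are assumptions. Organization-role baselines are left out because the page does not define them.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Repository permission levels from the table above, lowest to highest.
LEVELS = ["read", "triage", "write", "maintain", "admin"]

@dataclass
class BranchRule:
    """Hypothetical model of a branch protection rule (not Drok's schema)."""
    pattern: str                               # e.g. "main" or "release/*"
    required_reviews: int = 1
    require_status_checks: bool = True
    exempt: set = field(default_factory=set)   # explicitly exempted users

def effective_permission(user, direct, team_repo_grants, team_members):
    """Highest level among the direct grant and all team grants, or None."""
    grants = [direct[user]] if user in direct else []
    grants += [level for team, level in team_repo_grants.items()
               if user in team_members.get(team, set())]
    return max(grants, key=LEVELS.index) if grants else None

def can_merge(user, level, branch, rules, approvals=0, checks_passed=False):
    """Apply the MR Merge column, then branch protection on top of it."""
    if level is None or LEVELS.index(level) < LEVELS.index("write"):
        return False                  # read and triage cannot merge
    if level == "write" and approvals < 1:
        return False                  # "Merge (with approval)", assumed >= 1
    for rule in rules:
        if fnmatch(branch, rule.pattern) and user not in rule.exempt:
            if approvals < rule.required_reviews:
                return False          # admin is not a bypass
            if rule.require_status_checks and not checks_passed:
                return False
    return True

# Constructed sample data for one repository.
DIRECT = {"alice": "read", "carol": "admin"}
TEAM_REPO_GRANTS = {"backend": "write", "release": "maintain"}
TEAM_MEMBERS = {"backend": {"alice", "bob"}, "release": {"alice"}}
RULES = [BranchRule("main", required_reviews=2)]

if __name__ == "__main__":
    for u in ("alice", "bob", "carol", "dave"):
        lvl = effective_permission(u, DIRECT, TEAM_REPO_GRANTS, TEAM_MEMBERS)
        print(u, lvl, can_merge(u, lvl, "main", RULES, approvals=0))
```

When reviewing access, run the same resolution per user and repository: a single forgotten team grant is enough to raise someone's effective level.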
Custom Roles (Enterprise)
Enterprise organizations can define custom roles with specific permission sets:
drok role create my-org/release-manager \
  --permissions repo:read,repo:write,tag:create,release:create,release:edit \
  --description "Can manage releases and tags"
Custom roles can be assigned to users and teams:
drok org set-role my-org @alice --role release-manager
API Scopes
Personal access tokens use scoped permissions:
| Scope | Access |
|---|---|
| repo:read | Read repository content |
| repo:write | Push to repositories |
| repo:admin | Repository administration |
| org:read | Read organization info |
| org:admin | Organization administration |
| package:read | Read packages |
| package:write | Publish packages |
| user:read | Read user profile |
| user:write | Modify user profile |
| audit:read | Read audit logs |
Creating Tokens
drok token create --name "ci-deploy" --scopes repo:read,package:write --expiry 90d
Tokens can be scoped to specific repositories:
drok token create --name "repo-specific" --scopes repo:write --repos my-org/my-repo
Auditing
Every permission change is recorded in the organization audit log:
drok audit-log my-org --filter "action:permission.*"
See Audit Log for details.