Security
Manage team roles and permissions
StackBlaze uses a four-tier role hierarchy, Owner, Admin, Developer, Viewer: to give you precise control over what each team member can do. Roles cascade downward: an Admin can do everything a Developer can, plus more.
Invitations are sent by email and expire after 48 hours. Access changes take effect instantly. Kubernetes RBAC is never exposed to your team, StackBlaze maintains its own permission layer and maps it internally to Kubernetes service accounts.
Role hierarchy
Permissions matrix
| Action | Owner | Admin | Developer | Viewer |
|---|---|---|---|---|
| Deploy services | ✓ | ✓ | ✓ | - |
| Scale services | ✓ | ✓ | ✓ | - |
| View logs | ✓ | ✓ | ✓ | ✓ |
| Manage env vars | ✓ | ✓ | ✓ | - |
| Invite members | ✓ | ✓ | - | - |
| Change roles | ✓ | ✓ | - | - |
| Delete services | ✓ | ✓ | - | - |
| Manage billing | ✓ | - | - | - |
| Delete project | ✓ | - | - | - |
Invite email preview
From: noreply@stackblaze.com
To: alice@acmecorp.com
You've been invited to join acme-production
Bob Smith has invited you to join the acme-production project on StackBlaze as a Developer. This invitation expires in 48 hours.
Or copy this link: https://app.stackblaze.cloud/invite/xK9mP2qRv...
Under the hood
- StackBlaze RBAC, not Kubernetes RBAC: StackBlaze runs its own permission layer in front of the Kubernetes API. Users never interact with Kubernetes directly. Internally, each project maps to a set of Kubernetes service accounts, but this is completely opaque to your team.
- Instant revocation: removing a member invalidates their session tokens within seconds. The platform uses short-lived JWTs (15-minute expiry) backed by a token-revocation list, so access genuinely disappears fast.
- Audit log: every permission change, invitation, and role update is written to the project's immutable audit log, accessible from Project → Audit. Owner-level access is required to read audit logs.
- Invitation tokens: invite links contain a signed, time-limited token (HMAC-SHA256, 48-hour TTL). Once accepted, the token is consumed and cannot be reused. Expired invitations must be re-sent.
Step by step
Go to Project → Team
In the left sidebar, select your project and click "Team" in the settings section. You'll see a list of all current members, their roles, and the date they joined.
Click "Invite member"
Click the "Invite member" button in the top-right of the Team page. A modal will appear with an email field and a role selector.
Enter email and select a role
Type the invitee's email address and choose the appropriate role, Owner, Admin, Developer, or Viewer. Read the permissions summary carefully; you can always change a member's role later. Invitations expire after 48 hours.
Member accepts the invite
The invitee receives an email with a secure one-time link. Clicking it adds them to your project with the assigned role. If they don't have a StackBlaze account, they're prompted to create one first.
Adjust roles any time
On the Team page, click the role badge next to any member to open a dropdown and change their role. The change takes effect immediately. Removing a member revokes their access instantly, in-flight API calls with their tokens will start failing within seconds.