Access in Keydris is governed by per-organization roles. Each member holds a role, and that role determines which surfaces they see and which actions they can take. The navigation only shows what a role can access, and the API enforces every action regardless of the UI, so hiding a screen is never the only safeguard.
System roles
| Role | Access |
|---|
| Admin | Full access to every resource and setting. |
| User | Day-to-day operator access, minus organization and member administration. |
| Management | Reserved role. No permissions granted yet. |
| Accounting | Reserved role. No permissions granted yet. |
Permissions
Permissions are grouped by area:
| Group | Permission | What it grants |
|---|
| Organization | Manage organization | Create, rename, and archive organizations. |
| Organization | Manage members | Invite members and change their roles. |
| Agents | Manage agents | Create, edit, and revoke autonomous agents. |
| Agents | View agents | Browse the agent directory and details. |
| Policies | Manage policies | Author and version policies. |
| Policies | View policies | Read policy definitions and version history. |
| Payments | Manage payment instruments | Add or remove stored payment instruments. |
| Payments | View payment instruments | View stored payment instruments. |
| Audit | View decisions | Inspect authorization allow and reject decisions. |
| Audit | View audit log | Read the tamper-evident audit trail. |
If you cannot see a page or setting, your role likely does not include the matching permission. Ask an organization Admin to update your role.
