Access Policy Matrix
Policy baseline for MVP demos and client-facing operations.
| Role | View | Operate | Destructive | Notes |
|---|---|---|---|---|
| Viewer | Read dashboards/status/logs | No | No | Safe read-only mode for stakeholders. |
| Operator | Full read access | Run jobs, assign tasks, start/stop loops | Limited | Intended for daily operations and agent supervision. |
| Admin | Full read access | All operator actions | Yes | Token/session controls, deploy-capable actions, security changes. |
Node permissions
- Node jobs are scoped by assigned node id and task zone guardrails.
- Node bearer token is required unless legacy mode is explicitly enabled.
- Revoking a node token forces re-registration with a fresh bearer token.
- Deploy actions should run only from approved operator/admin contexts.