Roles & Access
Veriva has three org-level roles: OWNER, ADMIN, and MEMBER. Roles gate write actions on policies, hooks, billing, and tenant admin surfaces. Every member is counted as a seat regardless of role.
Default assignments
The person who installs the GitHub App becomes OWNER. Subsequent invites default to MEMBER; only OWNER or ADMIN can promote.
Capability matrix
| Action | Owner | Admin | Member |
|---|---|---|---|
| View dashboard, PRs, findings | ✓ | ✓ | ✓ |
| Dismiss findings, mark false-positive | ✓ | ✓ | ✓ |
| Apply auto-fix suggestions | ✓ | ✓ | ✓ |
| Edit merge policy | ✓ | ✓ | — |
| Edit customer hooks | ✓ | ✓ | — |
| Register / revoke agent identities | ✓ | ✓ | — |
| Invite / remove members | ✓ | ✓ | — |
| Change roles | ✓ | — | — |
| Generate / revoke API keys | ✓ | — | — |
| Change plan, manage billing | ✓ | — | — |
| Delete organization | ✓ | — | — |
| Enforce MFA | ✓ | — | — |
MFA enforcement
Any OWNER can turn on Require MFA from /dashboard/settings/account. When enforced, all members must enroll a TOTP authenticator within 30 days or lose dashboard access. Recovery codes are issued at enrollment — store them somewhere durable.
- OWNERs can grant a 72-hour grace override for a specific member.
- API keys are not subject to MFA but can be revoked by an OWNER at any time.
- MFA status shows in the dashboard status badges row.
Tenant boundaries
Every read and write is scoped to the acting user's org via PostgreSQL row-level security (veriva_app role with app.current_org_id session variable). You cannot see another org's PRs, findings, hooks, or logs under any role.
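The following is an added illustration of how the tenant boundary described above can be expressed with PostgreSQL row-level security; it is not Veriva's own schema, and the table, column names and org ids are assumptions. It keeps the page's veriva_app role and app.current_org_id session variable, and adds the checks a reviewer would want: FORCE so the table owner cannot bypass the policy, WITH CHECK so writes cannot escape the org, and SET LOCAL so the scope dies with the transaction.

```sql
-- Added example (not Veriva's schema): tenant isolation via RLS.
-- Application role; must never be a superuser or carry BYPASSRLS.
CREATE ROLE veriva_app LOGIN NOBYPASSRLS;

-- Assumed table; real Veriva tables are not shown on the page.
CREATE TABLE findings (
  id        bigserial PRIMARY KEY,
  org_id    uuid    NOT NULL,
  pr_number integer NOT NULL,
  title     text    NOT NULL
);

-- ENABLE turns RLS on; FORCE applies it to the table owner as well.
ALTER TABLE findings ENABLE ROW LEVEL SECURITY;
ALTER TABLE findings FORCE ROW LEVEL SECURITY;

-- One policy for reads and writes. The second argument to current_setting
-- returns NULL for a missing variable, so an unscoped session matches no
-- rows instead of failing open. WITH CHECK blocks inserts/updates that would
-- place a row in another org.
CREATE POLICY org_isolation ON findings
  FOR ALL TO veriva_app
  USING      (org_id = current_setting('app.current_org_id', true)::uuid)
  WITH CHECK (org_id = current_setting('app.current_org_id', true)::uuid);

GRANT SELECT, INSERT, UPDATE, DELETE ON findings TO veriva_app;
GRANT USAGE, SELECT ON SEQUENCE findings_id_seq TO veriva_app;

-- Per-request handling as the app role. SET LOCAL is cleared at COMMIT or
-- ROLLBACK, so the org scope cannot leak to the next request that reuses a
-- pooled connection. The org id below is constructed for the example.
SET ROLE veriva_app;
BEGIN;
SET LOCAL app.current_org_id = '11111111-1111-1111-1111-111111111111';
SELECT id, pr_number, title FROM findings;   -- only rows with this org_id
COMMIT;

-- A write targeting a different org is rejected by the WITH CHECK clause:
-- ERROR:  new row violates row-level security policy for table "findings"
BEGIN;
SET LOCAL app.current_org_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO findings (org_id, pr_number, title)
  VALUES ('22222222-2222-2222-2222-222222222222', 7, 'cross-org write');
ROLLBACK;
```

Outside a transaction, SET LOCAL has no effect, so the scope must be set after BEGIN; a connection pooler that reuses sessions should never see a lingering app.current_org_id.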
Audit surfaces
- Org audit log — /dashboard/settings/audit (OWNER + ADMIN). Every write action within the org, with CSV export.
- Platform audit log — /admin/audit (super-admin only). Cross-org activity.