Supported permissions by roles reference

The following tables list each role, its intended audience, and its supported permissions by category.

Company Admin role

Audience: DevOps Manager, IT Administrator, or Engineering Ops leader.

Manages company-wide settings, users, environments, integrations, and most administrative features. Cannot manage critical system-wide or Security settings reserved for internal Lightrun admins, such as server configuration, feature flags, and the core platform.

| Category | Operation | Permission |
|---|---|---|
| Company Config | View account settings | W/R |
| | Configure user authentication and provisioning | W/R |
| | Create, edit, and delete users (SCIM not enabled) | W/R |
| | Create and manage API Keys | W/R |
| | Create and manage webhooks | W/R |
| | Configure connectivity settings (SMTP only) | W/R |
| | Connect, update, and disconnect external systems via integrations | W/R |
| | Modify core service parameters | W/R |
| | Configure Autonomous Debugger global settings | W/R |
| | Configure server logs (level and sanitization) | W/R |
| | Configure plugin logs (level and sanitization) | W/R |
| | Configure agent logs (level and sanitization) | W/R |
| | Fetch server diagnostics | W/R |
| | Fetch plugin diagnostics | W/R |
| Security | View/export audit events | W/R |
| | Create and update PII redaction patterns | W/R |
| | Create and manage blocklists | W/R |
| Environment | View usage dashboards | W/R |
| | Create and manage agent pools | W/R |
| | Download agent diagnostics | R |
| | Create and manage user groups | W/R |
| | Grant users temporary access to agent pools | W/R |
| | View and delete tags | W/R |
| | Create and view custom sources | W/R |
| | View registered agents and their status | W/R |
| | View actions and their details | W/R |
| AppSec | Configure package monitoring | W/R |
| | Configure and view SBOMs | W/R |
| | Manage package enrichment features | W/R |
| Debugging Runbooks | Create and manage cases (including running Debug Runbooks) | W/R |
| | Upload a configuration file | W/R |
| | View Case results | W/R |

Company Viewer role

Audience: Engineering Manager, Compliance Auditor, or Business Stakeholder
Access Level: Read-only access to all company-level information, dashboards, and configurations.
Restrictions: Cannot modify settings or manage users.

| Category | Operation | Permission |
|---|---|---|
| Company Config | View account settings | R |
| | Configure user authentication and provisioning | R |
| | Create, edit, and delete users (SCIM not enabled) | R |
| | Create and manage API Keys | R |
| | Create and manage webhooks | R |
| | Configure connectivity settings (SMTP only) | R |
| | Connect, update, and disconnect external systems via integrations | R |
| | Modify core service parameters | R |
| | Configure Autonomous Debugger global settings | R |
| | Configure server logs (level and sanitization) | R |
| | Configure agent logs (level and sanitization) | R |
| | Fetch server diagnostics | R |
| | Fetch plugin diagnostics | R |
| Security | View/export audit events | R |
| | Create and update PII redaction patterns | R |
| | Create and manage blocklists | R |
| Environment | View usage dashboards | R |
| | Create and manage agent pools | R |
| | Create and manage user groups | R |
| | Grant users temporary access to agent pools | R |
| | View and delete tags | R |
| | Create and view custom sources | R |
| | View registered agents and their status | R |
| AppSec | Configure package monitoring | R |
| | Configure and view SBOMs | R |
| | Manage package enrichment features | R |
| Debugging Runbooks | Upload a configuration file | R |

Group Admin role

Audience: Team Lead, Project Manager, or delegated DevOps supporting a specific department, project, or operational Environment.

Manages user groups and their access to assigned agent pools and resources within their scope. Cannot manage company/global settings.

| Category | Operation | Permission |
|---|---|---|
| Security | Create and update PII redaction patterns | R |
| | Create and manage blocklists | R |
| Environment | View usage dashboards | R |
| | Create and manage agent pools | W/R |
| | Download agent diagnostics | R |
| | Create and manage user groups | W/R |
| | Grant users temporary access to agent pools | W/R |
| | View and delete tags | W/R |
| | Create and view custom sources | W/R |
| | View registered agents and their status | W/R |
| Debugging Runbooks | View Case results | R |

Developer role

Audience: Software Engineer, SRE, or QA working on applications and services instrumented by Lightrun.

Can use Lightrun to debug code, add actions, view logs, and interact with runtime environments as permitted. No access to admin settings or sensitive configuration.

| Category | Operation | Permission |
|---|---|---|
| Security | Create and update PII redaction patterns | R |
| | Create and manage blocklists | R |
| Environment | Create and manage user groups | R |
| | Grant users temporary access to agent pools | R |
| | Create and view custom sources | R |
| | View registered agents and their status | W/R |
| | View actions and their details | W/R |
| Debugging Runbooks | View Case results | R |

Security role

Audience: Team Lead, Security Engineer, Application Security Specialist, or Compliance Officer overseeing Security best practices and regulatory requirements.

Can configure and enforce Security controls — such as managing API keys, PII redaction, audit logs, and block lists. Focused on keeping data and operations secure.

| Category | Operation | Permission |
|---|---|---|
| Security | View/export audit events | W/R |
| | Create and update PII redaction patterns | W/R |
| | Create and manage blocklists | W/R |

AppSec role

Audience: AppSec Specialist, DevSecOps, Technical Lead for software supply chain.

Manages application security features: SBOM, package monitoring, and enrichment. Controls app-level security functions.

| Category | Operation | Permission |
|---|---|---|
| AppSec | Configure package monitoring | W/R |
| | Configure and view SBOMs | W/R |
| | Manage package enrichment features | W/R |

Incident Responder role

Audience: Site Reliability Engineer (SRE), NOC Operator, or Incident Response Lead.

Handles incidents: manages and resolves cases, configures debugging runbooks, and reviews case results. No access to deep admin or system settings.

| Category | Operation | Permission |
|---|---|---|
| Debugging Runbooks | Create and manage cases (including running Debug Runbooks) | W/R |
| | View Case results | R |

Last update: October 22, 2025