Access Control
Supabase provides granular access controls to manage permissions across your organizations and projects.
For each organization and project, a member can have one of the following roles:
- Owner: full access to everything in organization and project resources.
- Administrator: full access to everything in organization and project resources except updating organization settings, transferring projects outside of the organization, and adding new owners.
- Developer: read-only access to organization resources and content access to project resources but cannot change any project settings.
- Read-Only: read-only access to organization and project resources.
Read-Only role is only available on the Team and Enterprise plans.
When you first create an account, a default organization is created for you and you'll be assigned as the Owner. Any organizations you create will assign you as Owner as well.
Manage organization members
To invite others to collaborate, visit your organization's team settings to send an invite link to another user's email. The invite is valid for 24 hours.
Invites sent from a SAML SSO account can only be accepted by another SAML SSO account from the same identity provider.
This is a security measure to prevent accidental invites to accounts not managed by your enterprise's identity provider.
Transferring ownership of an organization
Each Supabase organization must have at least one owner. If your organization has other owners then you can relinquish ownership and leave the organization by clicking Leave team in your organization's team settings.
Otherwise, you'll need to invite a user as Owner, and they need to accept the invitation, or promote an existing organization member to Owner before you can leave the organization.
Organization permissions across roles
The table below shows the corresponding organization permissions, by resource and action, for each available role you can assign an organization member in Studio.
| Resource | Action | Owner | Administrator | Developer | Read-Only1 |
|---|---|---|---|---|---|
| Organization | |||||
| Organization Management | Update | ||||
| Delete | |||||
| Members | |||||
| Organization Members | List | ||||
| Owner | Add | ||||
| Remove | |||||
| Administrator | Add | ||||
| Remove | |||||
| Developer | Add | ||||
| Remove | |||||
| Owner (Project-Scoped) | Add | ||||
| Remove | |||||
| Administrator (Project-Scoped) | Add | ||||
| Remove | |||||
| Developer (Project-Scoped) | Add | ||||
| Remove | |||||
| Invite | Revoke | ||||
| Resend | |||||
| Accept2 | |||||
| Billing | |||||
| Invoices | List | ||||
| Billing Email | View | ||||
| Update | |||||
| Subscription | View | ||||
| Update | |||||
| Billing Address | View | ||||
| Update | |||||
| Tax Codes | View | ||||
| Update | |||||
| Payment Methods | View | ||||
| Update | |||||
| Usage | View | ||||
| Integrations (Org Settings) | |||||
| Authorize GitHub | - | ||||
| Add GitHub Repositories | - | ||||
| GitHub Connections | Create | ||||
| Update | |||||
| Delete | |||||
| View | |||||
| Vercel Connections | Create | ||||
| Update | |||||
| Delete | |||||
| View | |||||
| OAuth Apps | |||||
| OAuth Apps | Create | ||||
| Update | |||||
| Delete | |||||
| List | |||||
| Audit Logs | |||||
| View Audit logs | - | ||||
| Legal Documents | |||||
| SOC2 Type 2 Report | Download | ||||
| Security Questionnaire | Download |
Project permissions across roles
The table below shows the corresponding project permissions, by resource and action, for each available role you can assign an organization member in Studio.
| Resource | Action | Owner | Admin | Developer | Read-Only 3 |
|---|---|---|---|---|---|
| Project | |||||
| Project Management | Transfer | ||||
| Create | |||||
| Delete | |||||
| Update (Name) | |||||
| Pause | |||||
| Restore | |||||
| Restart | |||||
| Custom Domains | View | ||||
| Update | |||||
| Data (Database) | View | 4 | |||
| Manage | |||||
| Infrastructure | |||||
| Read Replicas | List | ||||
| Create | |||||
| Delete | |||||
| Addons | Update | ||||
| Integrations | |||||
| Authorize GitHub | - | ||||
| Add GitHub Repositories | - | ||||
| GitHub Connections | Create | ||||
| Update | |||||
| Delete | |||||
| View | |||||
| Vercel Connections | Create | ||||
| Update | |||||
| Delete | |||||
| View | |||||
| Database Configuration | |||||
| Reset Password | - | ||||
| Pooling Settings | View | ||||
| Update | |||||
| SSL Configuration | View | ||||
| Update | |||||
| Disk Size Configuration | View | ||||
| Update | |||||
| Network Restrictions | View | ||||
| Create | |||||
| Delete | |||||
| Network Bans | View | ||||
| Unban | |||||
| API Configuration | |||||
| API Keys | Read service key | ||||
| Read anon key | |||||
| JWT Secret | View | ||||
| Generate new | |||||
| API settings | View | ||||
| Update | |||||
| Auth Configuration | |||||
| Auth Settings | View | ||||
| Update | |||||
| SMTP Settings | View | ||||
| Update | |||||
| Advanced Settings | View | ||||
| Update | |||||
| Storage Configuration | |||||
| Upload Limit | View | ||||
| Update | |||||
| S3 Access Keys | View | ||||
| Create | |||||
| Delete | |||||
| Edge Functions Configuration | |||||
| Secrets | View | 5 | |||
| Create | |||||
| Delete | |||||
| SQL Editor | |||||
| Queries | Create | ||||
| Update | |||||
| Delete | |||||
| View | |||||
| List | |||||
| Run | 6 | ||||
| Database | |||||
| Scheduled Backups | View | ||||
| Download | |||||
| Restore | |||||
| Physical backups (PITR) | View | ||||
| Restore | |||||
| Authentication | |||||
| Users | Create | ||||
| Delete | |||||
| List | |||||
| Send OTP | |||||
| Send password recovery | |||||
| Send magic link | |||||
| Remove MFA factors | |||||
| Providers | View | ||||
| Update | |||||
| Rate Limits | View | ||||
| Update | |||||
| Email Templates | View | ||||
| Update | |||||
| URL Configuration | View | ||||
| Update | |||||
| Hooks | View | ||||
| Create | |||||
| Delete | |||||
| Storage | |||||
| Buckets | Create | ||||
| Update | |||||
| Delete | |||||
| View | |||||
| List | |||||
| Files | Create (Upload) | ||||
| Update | |||||
| Delete | |||||
| List | |||||
| Edge Functions | |||||
| Edge Functions | Update | ||||
| Delete | |||||
| View | |||||
| List | |||||
| Reports | |||||
| Custom Report | Create | ||||
| Update | |||||
| Delete | |||||
| View | |||||
| List | |||||
| Logs & Analytics | |||||
| Queries | Create | ||||
| Update | |||||
| Delete | |||||
| View | |||||
| List | |||||
| Run | |||||
| Events Collections | Create | ||||
| Update | |||||
| Delete | |||||
| View | |||||
| List | |||||
| Warehouse Access Tokens | Create | ||||
| Revoke | |||||
| List | |||||
| Branching | |||||
| Enable branching | - | ||||
| Disable branching | - | ||||
| Create | |||||
| Delete | |||||
| List |
Footnotes
-
Available on the Team and Enterprise Plans. ↩
-
Invites sent from a SSO account can only be accepted by another SSO account coming from the same identity provider. This is a security measure that prevents accidental invites to accounts not managed by your company's enterprise systems. ↩
-
Available on the Team and Enterprise Plans. ↩
-
Only available on projects using PostgreSQL 14 and above. You can upgrade your project through infrastructure settings. ↩
-
Read-Only role is able to access secrets. ↩
-
Only select queries. ↩