Roles & RBAC

LightMesh uses role-based access control (RBAC) to govern who can view and change network data, manage users, and run administrative tasks. This guide explains how roles work and answers common permission questions.

Two layers of access control

LightMesh combines two permission models:

  1. Organization App Role — assigned when you invite a user. This role applies across the entire organization and controls access to the Admin menu, imports, and most day-to-day IPAM operations.
  2. Resource Role Assignments — optional, finer-grained roles assigned to specific subnets, zones, users, or user groups. These let you grant elevated or restricted access within a particular address space.

Your effective permissions on a resource are the union of your app role and any applicable resource role assignments (including inherited assignments from parent subnets or zones).

flowchart TB
  subgraph org [Organization App Role]
    AppRole["UserOrganizations.role\nOwner / Administrator / Contributor / Reader / Requestor"]
  end
  subgraph resource [Resource Role Assignments]
    RA["RoleAssignment on Subnet or Zone\nsame built-in role names + inheritance"]
  end
  AppRole --> Effective["Effective permissions per resource\nunion of all applicable roles"]
  RA --> Effective
  Effective --> UI["UI gates menus and action buttons"]
  Effective --> API["API enforces create / read / update / delete"]

Availability

Feature Plans
Organization App Roles (Owner, Administrator, Contributor, Reader, Requestor) All plans
Resource Role Assignments on subnets and zones Enterprise only

See the subscription feature comparison for plan details.

Organization App Roles

When you invite a user, you assign an App Role. This is the primary control for what a user can do across LightMesh.

App Role View data Create / edit / delete data Import data Admin menu (Users, API Keys, Alerts, Settings) Invite users / manage org users
Owner Yes Yes Yes Yes Yes
Administrator Yes Yes Yes Yes Yes (cannot update Owner accounts)
Contributor Yes Yes Yes No No
Reader Yes No No No No
Requestor Request portal only No No No No

Role descriptions

  • Owner — Full access to all data in LightMesh, including the ability to assign or revoke access for all users.
  • Administrator — Full access to all data, including the ability to assign or revoke access, with the exception of other administrators or owners.
  • Contributor — Full access to manage IPAM data (subnets, IP addresses, imports, cloud accounts), but cannot assign or revoke access, invite users, or open the Admin menu.
  • Reader — Read-only access to LightMesh. Cannot create, edit, delete, or import data.
  • Requestor — Access to a separate request portal only. Can submit network requests on subnets where they are assigned the Requestor role. Does not use the main LightMesh application.

Resource Role Assignments

On the Enterprise plan, you can assign roles to users or user groups on specific subnets or zones. This is useful when you want a Reader app-role user to edit a particular subnet, or when you want to scope a Requestor to specific address spaces.

Resource Role On a subnet or zone
Owner Full create, read, update, delete, plus the ability to invite users and manage role assignments
Administrator Same as Owner at the resource level
Contributor Create, read, update, and delete subnet data; cannot add or remove role assignments
Reader Read-only access to the resource
Requestor Can submit network requests on the assigned subnet (see Requestor Workflow)

Inheritance

Resource permissions flow downward:

  • An assignment on a parent subnet applies to all child subnets within it.
  • A zone-level assignment applies to every subnet in that zone.

For example, assigning a user group the Contributor role on 10.0.0.0/8 grants that group write access to 10.1.0.0/24 and any other child subnet inside that range.

Elevating a Reader

A user with the Reader app role who is assigned Contributor on a specific subnet gains write access on that subnet only. Their app role still prevents access to the Admin menu and imports, but they can edit IP assignments and subnet details within the assigned address space.

To assign resource roles, see User Permission in Subnets.

Common scenarios

What is the difference between Administrator and Contributor?

Administrators can do everything Contributors can, plus:

  • Open the Admin menu (Users, API Keys, Alerts, Settings)
  • Invite and manage organization users
  • Create and revoke role assignments on subnets and zones

Contributors can manage IPAM data — create and edit subnets, assign IPs, run imports, and add cloud accounts — but cannot access Admin features or change who has access to what.

What role do I need to import data?

You need an app role of Owner, Administrator, or Contributor. Readers cannot import subnets, IP addresses, or other data.

See Importing Subnets and Import a spreadsheet for import procedures.

Can anyone integrate a cloud account?

Owners, Administrators, and Contributors can add and remove AWS and Azure cloud accounts from the Cloud Accounts page. Readers cannot add or delete cloud integrations.

Cloud-synced subnets (AWS and Azure) are read-only in the LightMesh UI regardless of role. You manage those address spaces in your cloud provider; LightMesh syncs them automatically.

See Cloud Integration for setup instructions.

Can a Contributor create a top-level subnet?

Yes. Contributors can:

  • Create top-level subnets from the Subnets page (the Add button)
  • Create child subnets inside a parent subnet they have access to
  • Edit subnet details and assign IP addresses within subnets they can write to

Contributors cannot:

  • Add or remove role assignments (only Owners and Administrators can)
  • Access the Admin menu or invite users
  • Edit cloud-synced AWS/Azure subnets (those are managed by cloud sync)

API key roles

API keys use the same role names as organization app roles, plus a dedicated DHCP role. When you create an API key, select the access level that matches what the integration needs.

API Key Role Access
Owner Full API access (default if no role is specified)
Administrator Full API access
Contributor Create, read, update, and delete data; cannot manage users or role assignments
Reader Read-only API access
DHCP Server DHCP sync only — scopes, leases, and lease history. Cannot access general IPAM data.

Use the narrowest role that satisfies your integration. For example, the Windows Discovery Agent needs a DHCP Server key, not an Owner key.