Roles & RBAC
LightMesh uses role-based access control (RBAC) to govern who can view and change network data, manage users, and run administrative tasks. This guide explains how roles work and answers common permission questions.
Two layers of access control
LightMesh combines two permission models:
- Organization App Role — assigned when you invite a user. This role applies across the entire organization and controls access to the Admin menu, imports, and most day-to-day IPAM operations.
- Resource Role Assignments — optional, finer-grained roles assigned to specific subnets, zones, users, or user groups. These let you grant elevated or restricted access within a particular address space.
Your effective permissions on a resource are the union of your app role and any applicable resource role assignments (including inherited assignments from parent subnets or zones).
flowchart TB
subgraph org [Organization App Role]
AppRole["UserOrganizations.role\nOwner / Administrator / Contributor / Reader / Requestor"]
end
subgraph resource [Resource Role Assignments]
RA["RoleAssignment on Subnet or Zone\nsame built-in role names + inheritance"]
end
AppRole --> Effective["Effective permissions per resource\nunion of all applicable roles"]
RA --> Effective
Effective --> UI["UI gates menus and action buttons"]
Effective --> API["API enforces create / read / update / delete"]
Availability
| Feature | Plans |
|---|---|
| Organization App Roles (Owner, Administrator, Contributor, Reader, Requestor) | All plans |
| Resource Role Assignments on subnets and zones | Enterprise only |
See the subscription feature comparison for plan details.
Organization App Roles
When you invite a user, you assign an App Role. This is the primary control for what a user can do across LightMesh.
| App Role | View data | Create / edit / delete data | Import data | Admin menu (Users, API Keys, Alerts, Settings) | Invite users / manage org users |
|---|---|---|---|---|---|
| Owner | Yes | Yes | Yes | Yes | Yes |
| Administrator | Yes | Yes | Yes | Yes | Yes (cannot update Owner accounts) |
| Contributor | Yes | Yes | Yes | No | No |
| Reader | Yes | No | No | No | No |
| Requestor | Request portal only | No | No | No | No |
Role descriptions
- Owner — Full access to all data in LightMesh, including the ability to assign or revoke access for all users.
- Administrator — Full access to all data, including the ability to assign or revoke access, with the exception of other administrators or owners.
- Contributor — Full access to manage IPAM data (subnets, IP addresses, imports, cloud accounts), but cannot assign or revoke access, invite users, or open the Admin menu.
- Reader — Read-only access to LightMesh. Cannot create, edit, delete, or import data.
- Requestor — Access to a separate request portal only. Can submit network requests on subnets where they are assigned the Requestor role. Does not use the main LightMesh application.
Resource Role Assignments
On the Enterprise plan, you can assign roles to users or user groups on specific subnets or zones. This is useful when you want a Reader app-role user to edit a particular subnet, or when you want to scope a Requestor to specific address spaces.
| Resource Role | On a subnet or zone |
|---|---|
| Owner | Full create, read, update, delete, plus the ability to invite users and manage role assignments |
| Administrator | Same as Owner at the resource level |
| Contributor | Create, read, update, and delete subnet data; cannot add or remove role assignments |
| Reader | Read-only access to the resource |
| Requestor | Can submit network requests on the assigned subnet (see Requestor Workflow) |
Inheritance
Resource permissions flow downward:
- An assignment on a parent subnet applies to all child subnets within it.
- A zone-level assignment applies to every subnet in that zone.
For example, assigning a user group the Contributor role on 10.0.0.0/8 grants that group write access to 10.1.0.0/24 and any other child subnet inside that range.
Elevating a Reader
A user with the Reader app role who is assigned Contributor on a specific subnet gains write access on that subnet only. Their app role still prevents access to the Admin menu and imports, but they can edit IP assignments and subnet details within the assigned address space.
To assign resource roles, see User Permission in Subnets.
Common scenarios
What is the difference between Administrator and Contributor?
Administrators can do everything Contributors can, plus:
- Open the Admin menu (Users, API Keys, Alerts, Settings)
- Invite and manage organization users
- Create and revoke role assignments on subnets and zones
Contributors can manage IPAM data — create and edit subnets, assign IPs, run imports, and add cloud accounts — but cannot access Admin features or change who has access to what.
What role do I need to import data?
You need an app role of Owner, Administrator, or Contributor. Readers cannot import subnets, IP addresses, or other data.
See Importing Subnets and Import a spreadsheet for import procedures.
Can anyone integrate a cloud account?
Owners, Administrators, and Contributors can add and remove AWS and Azure cloud accounts from the Cloud Accounts page. Readers cannot add or delete cloud integrations.
Cloud-synced subnets (AWS and Azure) are read-only in the LightMesh UI regardless of role. You manage those address spaces in your cloud provider; LightMesh syncs them automatically.
See Cloud Integration for setup instructions.
Can a Contributor create a top-level subnet?
Yes. Contributors can:
- Create top-level subnets from the Subnets page (the Add button)
- Create child subnets inside a parent subnet they have access to
- Edit subnet details and assign IP addresses within subnets they can write to
Contributors cannot:
- Add or remove role assignments (only Owners and Administrators can)
- Access the Admin menu or invite users
- Edit cloud-synced AWS/Azure subnets (those are managed by cloud sync)
API key roles
API keys use the same role names as organization app roles, plus a dedicated DHCP role. When you create an API key, select the access level that matches what the integration needs.
| API Key Role | Access |
|---|---|
| Owner | Full API access (default if no role is specified) |
| Administrator | Full API access |
| Contributor | Create, read, update, and delete data; cannot manage users or role assignments |
| Reader | Read-only API access |
| DHCP Server | DHCP sync only — scopes, leases, and lease history. Cannot access general IPAM data. |
Use the narrowest role that satisfies your integration. For example, the Windows Discovery Agent needs a DHCP Server key, not an Owner key.
Related guides
- Creating New User — assign an App Role when inviting users
- User Permission in Subnets — assign resource roles on subnets
- Requestor Workflow — request portal for Requestor role users
- New API Key — create API keys with scoped roles
- Purchasing a LightMesh Subscription — Enterprise plan includes resource role assignments