Members & Roles
How to manage team members and role-based access control in Technical Debt Radar — owner, admin, and member roles with invitation workflows.
Technical Debt Radar uses a three-role system to control access within organizations. Members are invited by email and accept via a token-based link. Roles determine what each person can view, configure, and manage.
Plan requirement: Role-based access control requires the Pro plan or higher. Free and Solo plans support a single member (the owner).
The Three Roles
| Capability | Owner | Admin | Member |
|---|---|---|---|
| View dashboard and scan results | Yes | Yes | Yes |
| Run scans (radar scan) | Yes | Yes | Yes |
| Run AI features (radar fix, radar summary) | Yes | Yes | Yes |
| View debt score trends and charts | Yes | Yes | Yes |
| Manage repository connections | Yes | Yes | --- |
| Edit radar.yml via policy editor | Yes | Yes | --- |
| Invite new members | Yes | Yes | --- |
| Remove members | Yes | Yes | --- |
| Change member roles | Yes | Yes | --- |
| Manage billing and payment methods | Yes | --- | --- |
| Change organization settings | Yes | --- | --- |
| Transfer ownership | Yes | --- | --- |
| Delete organization | Yes | --- | --- |
Owner
Every organization has exactly one owner. The owner has full control over the organization, including billing, settings, and the ability to delete the org. Ownership can be transferred to another member.
Admin
Admins can manage the day-to-day operations of the organization: adding repos, configuring policies, and managing the team. They cannot access billing or delete the organization.
Member
Members can view everything and run scans, but cannot change any settings or manage other users. This is the default role for new invitations.
Inviting Members
Via Dashboard
- Go to the organization's Members page
- Click Invite Member
- Enter the email address
- Select a role (admin or member)
- Click Send Invitation
The invited person receives an email with a link to accept the invitation.
Via CLI
```bash
radar org invite --email engineer@acme.com --role member
```
Invitation Details
| Property | Value |
|---|---|
| Delivery | Email with a unique invitation link |
| Expiry | 7 days from the time of invitation |
| Token | Cryptographically random, single-use |
| Existing users | Clicking the link adds them to the org immediately |
| New users | Clicking the link creates an account, then adds them to the org |
Accepting an Invitation
When a user clicks the invitation link:
- If they are already logged in to Radar, they are added to the organization immediately
- If they have a Radar account but are not logged in, they are prompted to log in first
- If they do not have a Radar account, they are prompted to sign up, then added to the org
After accepting, the new member appears on the organization's Members page with their assigned role.
Managing Members
Changing a Role
- Go to Members
- Find the member in the list
- Click the role dropdown next to their name
- Select the new role
- The change takes effect immediately
Only owners and admins can change roles. You cannot change your own role.
Removing a Member
- Go to Members
- Click the remove icon next to the member's name
- Confirm removal
Removed members lose access to the organization immediately. Their personal Radar account is not affected; they can still access other organizations they belong to.
Revoking a Pending Invitation
- Go to Members then Pending Invitations
- Click Revoke next to the invitation
- The invitation link becomes invalid
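The invitation lifecycle described above (single-use, cryptographically random token, 7-day expiry, dashboard revocation) modelled as an added example. This is not Radar's code; the names (InvitationStore, AcceptResult, hashToken, INVITE_TTL_MS) and the choice to persist only a SHA-256 hash of the link token are this example's own assumptions. The acceptance path returns a distinct outcome for each failure mode so that expired, reused, and revoked links can be logged separately.

```typescript
import { randomBytes, createHash } from "crypto";

// Names below (InvitationStore, AcceptResult, hashToken, ...) are this example's own,
// not Radar's API; they model the invitation properties listed on the page.
export type InviteRole = "admin" | "member";
export type InviteStatus = "pending" | "accepted" | "revoked";
export type AcceptResult = "accepted" | "invalid" | "expired" | "already_used" | "revoked";

export interface Invitation {
  id: string;          // opaque id the dashboard uses to revoke
  email: string;
  role: InviteRole;
  tokenHash: string;   // SHA-256 of the link token; the raw token is never stored
  expiresAt: number;   // epoch milliseconds
  status: InviteStatus;
}

export const INVITE_TTL_MS = 7 * 24 * 60 * 60 * 1000; // 7 days, as stated on the page

export function hashToken(token: string): string {
  return createHash("sha256").update(token).digest("hex");
}

export class InvitationStore {
  private byHash = new Map<string, Invitation>();
  private byId = new Map<string, Invitation>();

  // Issue an invitation. The raw token goes into the email link exactly once;
  // only its hash is persisted, so a leaked table does not yield usable links.
  create(email: string, role: InviteRole, now: number = Date.now()): { token: string; invitation: Invitation } {
    const token = randomBytes(32).toString("base64url"); // 256 bits from the CSPRNG
    const invitation: Invitation = {
      id: randomBytes(8).toString("hex"),
      email,
      role,
      tokenHash: hashToken(token),
      expiresAt: now + INVITE_TTL_MS,
      status: "pending",
    };
    this.byHash.set(invitation.tokenHash, invitation);
    this.byId.set(invitation.id, invitation);
    return { token, invitation };
  }

  // Accept via the link token. Each failure is a distinct outcome for logging;
  // the record is marked used before any membership would be granted.
  accept(token: string, now: number = Date.now()): AcceptResult {
    const inv = this.byHash.get(hashToken(token));
    if (!inv) return "invalid";
    if (inv.status === "revoked") return "revoked";
    if (inv.status === "accepted") return "already_used";
    if (now > inv.expiresAt) return "expired";
    inv.status = "accepted"; // single use
    return "accepted";
  }

  // Dashboard "Revoke": the link stops working even though it has not expired.
  revoke(id: string): boolean {
    const inv = this.byId.get(id);
    if (!inv || inv.status !== "pending") return false;
    inv.status = "revoked";
    return true;
  }
}
```

Looking the record up by the hash of the presented token means the comparison is on fixed-length digests rather than on the secret itself, and a pending invitation that is revoked keeps its record so that a later click on the old link can be reported as "revoked" rather than silently treated as unknown.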
Member Limits by Plan
| Plan | Max Members |
|---|---|
| Free | 1 (owner only) |
| Solo | 1 (owner only) |
| Pro | Unlimited |
| Team | Unlimited |
| Enterprise | Unlimited |
API Endpoints
```http
# List members
GET /api/v1/orgs/:slug/members

# Invite a member
POST /api/v1/orgs/:slug/invitations
{
  "email": "engineer@acme.com",
  "role": "member"
}

# Change a member's role
PATCH /api/v1/orgs/:slug/members/:userId
{
  "role": "admin"
}

# Remove a member
DELETE /api/v1/orgs/:slug/members/:userId
```
Implementation Details
Access control is enforced at the API level using NestJS guards:
- OrgRolesGuard: validates that the authenticated user has the required role in the target organization
- @Roles() decorator: annotates controller methods with the minimum required role

```typescript
@UseGuards(OrgRolesGuard)   // resolves the caller's role in the org named by :slug
@Roles('admin')             // minimum role; owner satisfies it as well
@Post('invitations')
async inviteMember(@Body() dto: InviteMemberDto) {
  // Only owners and admins reach this handler
}
```
All role checks happen server-side. Frontend role checks exist for UI rendering (hiding buttons, disabling forms) but are never the sole enforcement mechanism.
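The server-side check that OrgRolesGuard and @Roles() express, written out as plain functions so the rules can be exercised without NestJS. This is an added example, not Radar's implementation: the names (OrgRole, Membership, canActivateOrgRole, canChangeRole) are this example's own, and the two owner-related rules in canChangeRole are assumptions derived from the page's "exactly one owner" statement rather than documented behaviour.

```typescript
// Names here (OrgRole, Membership, canActivateOrgRole, canChangeRole) are this
// example's own; they model the guard behaviour the page describes, not Radar's code.
export type OrgRole = "owner" | "admin" | "member";

// A rank order turns "minimum required role" into a numeric comparison.
const RANK: Record<OrgRole, number> = { member: 1, admin: 2, owner: 3 };

export function meetsMinimumRole(actual: OrgRole, required: OrgRole): boolean {
  return RANK[actual] >= RANK[required];
}

export interface Membership {
  userId: string;
  orgSlug: string;
  role: OrgRole;
}

export function roleIn(memberships: Membership[], userId: string, orgSlug: string): OrgRole | undefined {
  return memberships.find((m) => m.userId === userId && m.orgSlug === orgSlug)?.role;
}

// Stand-in for OrgRolesGuard.canActivate: the org comes from the route (:slug) and the
// user from the authenticated session, never from a client-supplied body field. A user
// with no membership in that org is denied regardless of roles held elsewhere.
export function canActivateOrgRole(
  memberships: Membership[], userId: string, orgSlug: string, required: OrgRole,
): boolean {
  const actual = roleIn(memberships, userId, orgSlug);
  return actual !== undefined && meetsMinimumRole(actual, required);
}

export interface Decision { allowed: boolean; reason?: string }

// The "Changing a Role" rules: caller needs at least admin and cannot change their own
// role. The owner checks are this example's assumption, derived from "exactly one owner":
// the owner role is neither assigned nor removed here (that is the transfer-ownership action).
export function canChangeRole(
  memberships: Membership[], callerId: string, targetId: string, orgSlug: string, newRole: OrgRole,
): Decision {
  if (!canActivateOrgRole(memberships, callerId, orgSlug, "admin")) {
    return { allowed: false, reason: "caller is not an admin or owner of this org" };
  }
  if (callerId === targetId) {
    return { allowed: false, reason: "cannot change your own role" };
  }
  const targetRole = roleIn(memberships, targetId, orgSlug);
  if (targetRole === undefined) {
    return { allowed: false, reason: "target is not a member of this org" };
  }
  if (targetRole === "owner" || newRole === "owner") {
    return { allowed: false, reason: "owner role changes only via transfer of ownership" };
  }
  return { allowed: true };
}
```

The important property is that the organization and the caller's identity both come from trusted sources (route parameter and session), so a client cannot satisfy the guard by naming an org where it holds a higher role; the test below includes an admin of a different org being denied member-level access to this one.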