
Every member of a Quint organization is assigned exactly one role. Roles are hierarchical — higher roles inherit all permissions of lower roles.

Role Hierarchy

Owner (3)
  └── Admin (2)
        └── Analyst (1)
              └── Viewer (0)

Each role has a numeric level. Permission checks compare the required level against the user’s role level.

Permission Matrix

| Action | Owner | Admin | Analyst | Viewer |
|---|---|---|---|---|
| View dashboards, sessions, events | Yes | Yes | Yes | Yes |
| View fleet status and agent details | Yes | Yes | Yes | Yes |
| View analytics and reports | Yes | Yes | Yes | Yes |
| Acknowledge alerts | Yes | Yes | Yes | No |
| Investigate sessions | Yes | Yes | Yes | No |
| Triage and dismiss alerts | Yes | Yes | Yes | No |
| Manage policies | Yes | Yes | No | No |
| Manage device groups | Yes | Yes | No | No |
| Manage enforcement profiles | Yes | Yes | No | No |
| Invite and remove team members | Yes | Yes | No | No |
| Create and revoke tokens | Yes | Yes | No | No |
| Manage fleet settings | Yes | Yes | No | No |
| Configure SSO | Yes | No | No | No |
| Manage billing | Yes | No | No | No |
| Delete organization | Yes | No | No | No |
| Transfer ownership | Yes | No | No | No |

Enforcement

Role checks happen at two layers:

API Middleware

Every authenticated request passes through role-checking middleware. The middleware extracts the user’s org membership and compares the role level against the endpoint’s required level.
```typescript
// Simplified enforcement logic
// Numeric levels follow the hierarchy above: Viewer (0) < Analyst (1) < Admin (2) < Owner (3)
type RoleLevel = 0 | 1 | 2 | 3;

function requireRole(minRole: RoleLevel) {
  return (req, res, next) => {
    // Org membership is resolved earlier in the chain from the authenticated user
    const membership = req.orgMembership;
    // Higher roles inherit lower roles, so a numeric comparison is sufficient
    if (membership.role_level < minRole) {
      return res.status(403).json({ error: "insufficient_permissions" });
    }
    next();
  };
}
```

Dashboard UI

The dashboard hides UI elements the user can’t act on. This is cosmetic — the API enforces the real boundary. A viewer won’t see the “Create Policy” button, but even if they craft the request manually, the API rejects it.

Role Assignment Rules

You cannot assign a role higher than your own. An admin can invite analysts and viewers, but cannot create other admins. Only owners can promote members to admin.
The assignment matrix:

| Assigner | Can assign |
|---|---|
| Owner | Owner, Admin, Analyst, Viewer |
| Admin | Admin, Analyst, Viewer |
| Analyst | — (cannot invite) |
| Viewer | — (cannot invite) |

Owner Protection

The last owner of an organization cannot be removed or downgraded. This prevents an org from becoming unmanageable.
  • If there’s only one owner, they can’t change their own role
  • If there’s only one owner, no one can remove them
  • Ownership transfer requires explicitly assigning owner role to another member first
To transfer ownership: promote another member to owner, then (optionally) downgrade yourself. The org must always have at least one owner.

Role Changes

When a member’s role changes:
  1. The update takes effect immediately on the next API request
  2. Active dashboard sessions reflect the new permissions on the next navigation or data fetch
  3. Existing tokens created by the member retain their scopes (token permissions are independent of role)
Revoking a member’s access? Remove their membership entirely rather than downgrading to viewer. This also invalidates any personal tokens they created.