Skip to main content
Access in Mesh Pilot is scoped two ways: a workspace role (your standing in the whole workspace) and a per-brand role (what you can do on each individual brand). They combine so you can, for example, let a contractor operate one brand and only read another.

Per-brand roles

Every member has a role on each brand they’re added to:

Viewer

Read-only. Can see surfaces, metrics, and history for the brand, but cannot approve, edit, mint write-keys, or change anything.

Operator

Read + write. Can approve/reject/edit proposals, run actions, and manage the brand’s work.
A viewer attempting a write — in the cockpit or over MCP — is refused. The same rule applies everywhere, so there’s no surface where a viewer can quietly change state.

Workspace roles

Owner

Full control of the workspace: billing, members, plan, and org-wide visibility (including the org-wide MCP audit).

Admin

Manage members and settings, and see org-wide MCP audit, without billing ownership.

Operator

Works within the brands they’re assigned; sees their own MCP activity.

Viewer

Read-only across their assigned brands.

How roles flow into MCP keys

A key you mint can never exceed your own live access. A viewer’s key can’t write; a key can’t reach a brand you can’t. Access is re-checked on every request, so revoking someone’s brand access instantly narrows every key they minted. See Scopes & roles.

Managing roles

Owners and admins manage members and per-brand roles under Settings → Team. Add a member, assign their role on each brand, and they see exactly that — no more.

Manage your team

Settings → Team.