Launch Apollo Studio

Managing organization members


A Studio organization can have any number of members, and each member can be assigned a role that defines their capabilities within the organization.

Organization-wide member roles

Each organization member has one of the following roles:

If you're using member roles, please let us know what you think! Your feedback will help us improve the feature before we roll it out to all organizations.

NameDescriptionSupported plan types
Org AdminHas management access to the entire organization, including its members, graphs, and configuration.All
Graph AdminHas management access to the organization's graphs, but not to members or organization-level configuration. Intended for developers who are considered admins to the graph.Enterprise only
ContributorCan push new schemas to graphs, but cannot configure graph settings or integrations. Intended for back-end developers who are authorized to make changes to graphs. Cannot push schema changes to protected variants.Enterprise only
ObserverHas view-only access to the organization's graph data, such as schemas and metrics. Can also execute queries in the Explorer. Intended for back-end developers who are not authorized to make changes to graphs.Enterprise only
Consumer (free)

Has view-only access to the organization's graph schemas, but not metrics. Can also execute queries in the Explorer. Intended for application developers building clients against a graph.

This role is available to all plan types, including Free. Consumer members do not count as billed users.

All
Billing Manager (free)

Has management access to organization-level configuration and billing. Can also remove members (but not invite them). No access to graphs. Learn more

This role is available to all paid plan types. Billing Manager members do not count as billed users.

Enterprise & Team

Only members with the Org Admin role can assign roles to other members. You can see which role you have in a particular organization from your user settings page, or from the organization's Members tab.

Graph-specific member roles

You can override a member's organization-wide role for individual graphs. For example, if a member has the Observer role in your organization, you can assign them the Contributor role for a graph that they need extra access to.

A member's graph-specific role must have more permissions than their organization-wide role.

Members with the Graph Admin or Org Admin role can assign graph-specific roles from the Access tab of the graph's Settings page.

If a graph is made hidden, then only users with explicit overrides (as well as Org Admins) can see the graph.

Graph Admins and Org Admins have exactly the same permissions on graphs, so you can only grant a Graph Admin override, not an (equivalent) Org Admin override.

When Contributors in an organization create a new graph, they are automatically granted the Graph Admin role for that graph.

Role permissions

ActionOrg AdminGraph AdminContributorObserverConsumer
Invite members
Remove members
View and edit billing information
Manage organization configuration (name, avatar, etc.)
Delete the organization
Manage which users have access to graphs
Manage graph integrations (Datadog, Slack, etc.)
View and manage graph API keys
Modify schema checks configuration
Delete and rename graphs
Create new variantsNon-protected variants only
Push schemas to a graphNon-protected variants only
Manage Explorer settings (URL, etc)Non-protected variants only
Create Deployed Graphs
Run schema checks
See the schemas of subgraphs in federated graphs
View graph usage metrics and traces
Create Development Graphs
View graph schemas and changelogs
Query graphs with the Explorer

Currently, graph usage metrics and traces are not displayed to Consumers via the Studio web app but they are not blocked at the API layer. We intend to remove this capability from Consumers, but for the time being you should understand that Consumers are not fully prevented from accessing these metrics and traces.

In January 2021, we made the following changes to our role structure:

  • We removed the ability of Observers to view integration settings, because some of these settings contain sensitive information.
  • We significantly reduced the permissions of the Contributor role, making it much closer to Observer plus the ability to perform a small set of write operations on non-protected variants.
  • We added the Graph Admin role. This role is nearly identical to the former Contributor role. As part of the transition, we changed all existing Contributors to Graph Admins. The only difference between the old Contributor role and the new Graph Admin role is that Graph Admins can delete graphs (and manage graph overrides, a new feature released simultaneously).

Billing managers

Members with the Billing Manager role can't see or manage graphs in their organizations, but they can:

  • Remove members from the organization
  • View and edit billing information (including changing the billing plan)
  • Manage organization configuration (name, avatar, etc.)

Notably, Billing Managers can't invite new members to the organization or update roles.

Dev graphs

Development Graphs are a special case in our permissions system. Any user in an organization (even a Consumer) can create a dev graph and act as its Graph Admin. Each dev graph is private to the user who creates it. Even Org Admins can't view them, and they can't currently be shared with other users.

Graph API key roles

Each graph API key also has a corresponding member role. This role can be Graph Admin (the default), Contributor, Observer, or Consumer. A graph API key provides access only to its associated graph. It does not provide access to actions associated with organizations or users.

Otherwise, a graph API key is equivalent in privileges to a user with the same role for the graph. For example, you can use a Consumer key to fetch a graph's schema, and you can use a Graph Admin key to manage integrations.

A few operations aren't listed in the table above because they are only supported by graph API keys, not personal API keys for users in the graph's organization. These are primarily operations that are performed by your GraphQL server. They are:

  • Reporting usage (traces and performance metrics). This requires a Graph Admin key, or a Contributor key if the variant is not protected.
  • Registering operations. This requires a Graph Admin key.

Before January 2021, graph keys did not have roles. Keys created before that date (shown as Legacy Admin keys) can perform the following operations:

  • Create new variants
  • Run schema checks
  • View and manage graph API keys
  • Push schemas to a graph
  • See the schemas of subgraphs in federated graphs
  • View graph schemas and changelogs
  • Modify schema checks configuration

Inviting members

Org Admins can invite individual members by email address from your organization's Members tab in Apollo Studio. Organization admins can also create a persistent invite link from the organization's Settings tab, which can be used to invite any number of members. Using either method, an org admin can specify which role a new member receives.

Do not share invite links publicly. Anyone with the link can join your organization. If an invite link becomes compromised, an admin can replace or disable it from the Settings tab.

Removing members

Both Org Admins and Billing Managers can remove members from your organization's Members tab in Apollo Studio.

Edit on GitHub