Team, Roles, and Permissions

Last updated: Edit on GitHub

Overview

Aikraft is designed for cross-functional teams: compliance officers own classification decisions, technical leads connect data sources, and executives need read-only assurance. This page describes how members, roles, and permissions map to those responsibilities.

Organisation and workspace

When you sign up, Aikraft creates an organisation — the billing and data boundary for your company. Each organisation has one or more workspaces (on Enterprise) or a single default workspace (Starter and Pro).

All AI systems, documentation, and monitoring configuration belong to a workspace. Users are invited at organisation level and granted access to specific workspaces.

Built-in roles

RoleTypical userCore permissions
OwnerFirst registrant or transferred adminFull access: billing, members, API keys, delete workspace
Compliance OfficerLegal, GRC, DPO officeClassify systems, approve documentation, manage FRIA records, export audit packs
Technical LeadML engineer, platform teamIntegrations, monitoring connectors, webhook configuration, read/write on technical fields
AnalystRisk or opsView all systems, comment, run classification drafts — cannot publish final tier or exports
Auditor (read-only)External auditorView assigned systems and documentation; cannot change settings

Owners may optionally restrict API key creation to Technical Leads only (recommended).

Inviting members

  1. Open Settings → Team in the app sidebar.
  2. Click Invite member and enter a work email address.
  3. Select a role and, on multi-workspace plans, tick the workspaces they should access.
  4. The invitee receives a link valid for 7 days. SSO tenants can enforce domain allowlists in Settings → Security.

Invitations consume a seat on your plan. Removing a user frees the seat within the current billing period.

Classification and publishing rules

By default, only Compliance Officers and Owners may:

  • Mark a classification as final (locking the risk tier for audit)
  • Publish generated Annex IV documentation to the official version history
  • Sign off Fundamental Rights Impact Assessment records (where enabled)

Technical Leads may run the classification questionnaire and generate documentation drafts, but the final publish step requires a Compliance Officer unless the Owner disables separation of duties in Settings → Governance (not recommended for regulated environments).

API keys and service accounts

API keys are created under Settings → Developers. Keys are shown once at creation; store them in your secrets manager.

  • Read scope: list systems, fetch classification results, download published documentation.
  • Write scope: create or update system metadata, push monitoring events from CI.
  • Admin scope: manage webhooks — Owner or Technical Lead only.

Rotate keys if a member with access leaves the organisation.

Auditor access

To grant an external party read-only access without a full seat:

  1. Go to Settings → Auditors.
  2. Create an auditor link scoped to one or more systems.
  3. Set an expiry date and optional IP allowlist.

Auditors authenticate via magic link and cannot browse unrelated systems. See Exports and auditor access for packaging PDFs alongside read-only access.