Access Control · Permissions

Give every team exactly the access they need

Role-based access control built into Cosmo. Assign permissions at organization, namespace, graph, and subgraph levels through a unified groups system that works for users and API keys alike.

No external IAM tools. No manual permission lists.

Available on Scale and Enterprise

The problem

Managing access without roles creates sprawl

As organizations grow, manual permission management breaks down. Teams end up with too much access, and removing it requires knowing what each person was granted individually.

Individual permission management breaks at scale

Assigning permissions user by user becomes unmanageable as teams grow. Inconsistent access accumulates. Administrators spend time on manual updates instead of building.

Broad access creates risk

Without subgraph-level roles, the choice comes down to full access or no access. Teams end up with permissions to resources they should never touch.

No structure means permission drift

When permissions are not defined by roles, they accumulate over time. Users keep access long after they stop needing it. Security reviews become guesswork.

Our solution

Roles at every level of your graph

Enable RBAC in your organization settings. From there, roles apply at four levels (organization, namespace, graph, and subgraph) so you can give each team precisely scoped access. Groups unify permission management for users and API keys.

How access is structured

  1. Enable RBAC in your organization settings.

  2. Cosmo provides four organization-level roles: Admin, Developer, API Key Manager, and Viewer.

  3. Namespace roles (Admin and Viewer) let you scope access to specific deployment environments.

  4. Graph roles (Admin and Viewer) apply at the federated graph level.

  5. Subgraph roles (Admin, Publisher, Checker, Viewer) provide the most granular control.

  6. Assign roles through groups, which apply the same permission model to users and API keys.

Define roles once. Every group member inherits them automatically.

RBAC

Before & After

Before Cosmo | With Cosmo
Manual permission assignment per user | Role-based permissions inherited through groups
No subgraph-level access control | Roles at organization, namespace, graph, and subgraph levels
Permission drift as teams change | Consistent access policies enforced by role hierarchy
Separate access model for users and API keys | Unified groups for both human and programmatic access

Role hierarchy

Four levels, four role sets

Organization: Admin, Developer, API Key Manager, Viewer
Namespace: Admin, Viewer
Graph: Admin, Viewer
Subgraph: Admin, Publisher, Checker, Viewer

How Cosmo RBAC works

01
Enabled in settings.

Enable

Turn on RBAC in your organization settings. Once enabled, you can create and configure groups to manage access for your team.

02
Four role levels.

Define roles

Choose from organization, namespace, graph, and subgraph roles. Assign multiple roles per group to create complex access patterns without over-provisioning.

03
Group-inherited access.

Assign groups

Add users and API keys to groups. Members inherit all permissions from the group's rules. Change the group rules and every member's access updates immediately.

04
SSO role sync.

Integrate with IdP

Connect SSO to synchronize role assignments with your identity provider. Users receive the correct roles based on mappings you define, without manual updates.

What's included

Role-based access for every part of your graph

Available on Scale and Enterprise plans.

Four-level role hierarchy

Roles at organization, namespace, graph, and subgraph levels. Each level has its own set of roles matched to the actions that make sense at that scope.

Unified groups

The same groups system manages access for organization members and API keys. One model, no divergence between human and automated access.

Built-in groups

Default admin, developer, and viewer groups are included out of the box. Create custom groups for teams that need specific combinations of roles and resource scopes.

SSO synchronization

Connect your OIDC identity provider and map IdP groups to Cosmo groups. Role assignments stay in sync with your authorization server automatically.

Set up role-based access control

Enable RBAC in your organization settings and define your first groups. Contact us to start on Scale or Enterprise.

FAQ

RBAC on Cosmo

Full details in the RBAC documentation.