Skip to main content

Role Based Access Control


You may restrict what actions each member of your account may take with Role Based Access Control (RBAC). RBAC may applied to both Users and it may also be applied to an Invitation when inviting a collaborator to join your ngrok account.

You may configure RBAC from the team members page of the dashboard.


All Users on your account have a Developer, Team and Billing role. Users may optionally be assigned as an administrator which gives them full account control.


The Developer role controls whether a user may create, modify or delete objects like Domains, TCP Addresses, Edges, Event Destinations, Authtokens, API Keys, etc. There are two possible values:

Read/Write: A user can create, modify and delete any developer feature on the account. This does not include team management, billing, or account settings.

Read-only: A user can view but NOT create, modify or delete developer features on the account. It is important to note that users with a read-only developer role can still see their personal authtoken and use the ngrok agent to create endpoints for applications.


The Team role controls whether a user may invite, remove and manage other team members. There are three possible values:

Manager: A user that can invite and remove other users from the account. They can also modify other users' RBAC settings. They cannot modify or remove Administrators.

Invite-only: A user can see other members of the account and invite new teammates to join the account. They cannot remove other account members or modify the privilege levels of other users.

Read-only: A user can see other members of the account but cannot manage or invite other users.


The Billing role controls whether a user may update the account's billing details and subscription plan. There are two possible values:

Billing access: A user may change the subscription plan, payment method, billing address and other details. Users with this permission may also view billing history.

No billing access: A user may not view or modify any billing details.


Users with the Administrator role may take take all actions within an account. It is the only role that grants access to configure Account settings like SSO and SCIM. Administrators may remove other administrators from the account.

Accounts must always have at least one administrator.

Bot Users

RBAC cannot be applied to Bot Users, who instead function as though they have a read/write Developer role and no other permissions.

Additional restrictions with ACLs

In addition to RBAC controls, you may further scope the capabilities of what an Authtoken or SSH Public Key credential may do within your account by using ACLs. For instance you may restrict what endpoints a credential may listen on with ACLs.


RBAC is available on the Enterprise plan.