Skip to main content
cubic uses a role-based access control system to manage who can make changes to your team’s subscription and settings. Every team member has one of three roles:
RoleBest forWhat they can do
AdminWorkspace owners, engineering managers, and operations ownersManage seats, roles, billing, subscription settings, integrations, repository settings, and AI review settings.
MemberEngineers and teammates who need to configure cubic day to dayUse cubic’s full product surface and edit non-billing settings, including AI review behavior, repository settings, integrations, and scan settings.
ViewerStakeholders who need visibility without configuration accessView team information, settings, review surfaces, analytics, and subscription status without changing configuration.

Permissions matrix

PermissionAdminMemberViewer
Use PR review, analytics, and other non-settings surfaces✅ Yes✅ Yes✅ Yes
View team members, role assignments, subscription status, and settings✅ Yes✅ Yes✅ Yes
Configure AI review behavior and repository settings✅ Yes✅ Yes❌ No
Manage integrations and linked repositories✅ Yes✅ Yes❌ No
Configure codebase scan settings and scan automation✅ Yes✅ Yes❌ No
Manage seat assignments✅ Yes❌ No❌ No
Change user roles✅ Yes❌ No❌ No
Configure auto-assign and usage seat automation✅ Yes❌ No❌ No
Manage billing, plans, and subscription controls✅ Yes❌ No❌ No
Promote bot accounts to admin❌ No❌ No❌ No

Seats and roles

Seats and roles are related, but they control different things.
  • Seats control which GitHub users are assigned cubic access and how usage is counted for billing.
  • Roles control what a seated user can change inside cubic.
Members and viewers can both use cubic surfaces available to their seat. The difference is configuration access: members can change non-billing workspace and repository settings, while viewers can only read them. Repository and PR visibility can still depend on GitHub repository access. If someone cannot see a specific repository or PR, confirm that they have access to the repository in GitHub and that cubic has access to that repository.

How to become an admin

There are three ways to become a cubic admin:
  1. Install the cubic GitHub app. When you install cubic for your GitHub organization, you automatically become an admin.
  2. Be a GitHub organization admin. GitHub organization admins automatically become cubic admins when the app is installed.
  3. Get promoted by an existing admin. Any current admin can promote you through subscription settings.
At least one admin is required for every team. Admins cannot remove their own admin role, and cubic prevents changes that would leave the team without an active human admin. Bot accounts cannot be admins. The default role for new seats is Member unless the user qualifies for admin during setup.

Admin role

Admins have full control over team management and can:
  • Manage seat assignments: Add or remove cubic seats for team members
  • Manage roles: Change members between admin, member, and viewer roles (note: bot accounts cannot be admins)
  • Configure workspace settings: Change AI review settings, repository settings, integrations, scan settings, and billing automation
  • Configure auto-assign: Enable automatic seat assignment and removal when GitHub organization members join or leave
  • Manage billing: Update plans, seats, and subscription controls
  • Bulk actions: Select multiple users to manage seats and roles in bulk

Member role

Members can use cubic’s full feature set and edit non-billing settings:
  • Full platform access: Use all cubic features including AI reviews, analytics, and PR management
  • Manage workspace settings: Configure AI review behavior, repository settings, integrations, scan settings, and other non-billing team settings
  • View billing status: See subscription status and billing-related information without changing billing details
  • No seat, role, or billing management: Cannot assign/remove seats, change user roles, or manage billing and subscription controls

Viewer role

Viewers can use cubic’s review and analytics surfaces, but they cannot change cubic settings:
  • View team information: See team members, role assignments, subscription status, and settings
  • Use review surfaces: Access PR review, analytics, and other non-settings views available to their seat
  • No configuration changes: Cannot change AI review settings, repository settings, integrations, seats, roles, or billing controls

How to manage user roles

Only admins can change user roles. cubic provides both individual and bulk role management:

Individual role changes

To promote or demote a single user:
  1. Navigate to Settings → Subscription
  2. Find the team member in the list
  3. Click the three-dot menu (⋮)
  4. Select the new role: Admin, Member, or Viewer
  5. The change takes effect immediately
Only admins can see and use seat and role management options. Members and viewers can view the team list, but they cannot change seats or roles.

Bulk role changes

To change roles for multiple users at once:
  1. Navigate to Settings → Subscription
  2. Use the checkboxes to select multiple team members
  3. Click “Update role” in the bulk action bar
  4. Choose the role to apply to the selected users
  5. All selected users are updated immediately

Troubleshooting

I need someone to edit settings, but not billing

Give them the Member role. Members can edit non-billing settings, but they cannot manage seats, roles, or billing.

A user can view settings but cannot save changes

Check their role. Viewers can read settings but cannot change AI review settings, repository settings, integrations, seats, roles, or billing controls.

I cannot demote myself from admin

cubic prevents admins from removing their own admin role. Ask another admin to change your role after confirming that the team will still have at least one admin.

I cannot remove or demote the last admin

Every team needs at least one active human admin. Add or promote another admin first, then change the original admin’s role or seat.

I cannot make a bot an admin

Bot accounts cannot be admins. Assign bot seats a non-admin role instead.