Security & RBAC
Snapline Hub supports optional role-based access control (RBAC). When disabled, behavior matches earlier releases (open read, optional HUB_API_KEY on writes).
Roles
| Role | Permissions |
|---|---|
admin | Full access + Settings page + RBAC management |
project_admin | Read/write/delete reports for assigned project(s) |
viewer | Read reports for assigned project(s) |
automation | Read + ingest reports (CI/scripts) |
Environment variables
HUB_RBAC_ENABLED=true
HUB_ADMINS=admin@company.com,ops@company.com
HUB_ADMIN_API_KEYS=super-secret-admin-key
HUB_PUBLIC_READ=false
HUB_RBAC_API_KEYS={"keys":{"ci-bot":{"role":"automation","projects":["*"],"label":"CI pipeline"}}}
Request headers
X-Hub-Api-Key— API key (admin, automation, or legacy ingest)X-Hub-User— user id/email for UI embedding (e.g.alice@company.com)X-Hub-Automation— automation script id (paired with DB assignments)
Project-scoped assignments
Admins manage database assignments on the Settings page or via GET/POST/DELETE /api/admin/rbac. Omit project or use * for all projects.
Automation RBAC
CI pipelines should use automation role keys via HUB_RBAC_API_KEYS or DB assignments with principal automation:my-script and header X-Hub-Automation: my-script.