Security & RBAC

Snapline Hub supports optional role-based access control (RBAC). When disabled, behavior matches earlier releases (open read, optional HUB_API_KEY on writes).

Roles

RolePermissions
adminFull access + Settings page + RBAC management
project_adminRead/write/delete reports for assigned project(s)
viewerRead reports for assigned project(s)
automationRead + ingest reports (CI/scripts)

Environment variables

HUB_RBAC_ENABLED=true
HUB_ADMINS=admin@company.com,ops@company.com
HUB_ADMIN_API_KEYS=super-secret-admin-key
HUB_PUBLIC_READ=false
HUB_RBAC_API_KEYS={"keys":{"ci-bot":{"role":"automation","projects":["*"],"label":"CI pipeline"}}}

Request headers

Project-scoped assignments

Admins manage database assignments on the Settings page or via GET/POST/DELETE /api/admin/rbac. Omit project or use * for all projects.

Automation RBAC

CI pipelines should use automation role keys via HUB_RBAC_API_KEYS or DB assignments with principal automation:my-script and header X-Hub-Automation: my-script.