Permissions and scope
A troop member's access is not a fixed role. It is four permissions you switch on or off per member, plus a scope that says which site keys they reach. You compose them freely, so each person gets exactly what their job needs. This applies to both people and troop access tokens, which carry the same permissions and scope.
The four permissions
Each is an independent yes or no. A member can hold any combination, and at least one must be granted.
| Permission | What it grants |
|---|---|
| Read | View the troop's site keys and their configuration, statistics, and audit logs. Read-only. |
| Create | Create new site keys in the troop. |
| Edit | Configure the site keys in scope: their settings, secret rotation, hosted verification, and per-key game and white-label customization. |
| Manage | Troop administration: add, remove, and change members and tokens; rename or delete the troop; and author the troop-wide overrides (customization baseline, white-label, and the game gate). |
They are deliberately separate. A read-only auditor gets read alone; a developer who configures one product gets edit; an operations lead who runs the team gets manage.
Scope: which site keys a member reaches
Alongside the permissions, each member has a scope:
- All site keys: the member reaches every key in the troop, including ones added later.
- Specific site keys: the member is limited to the keys you list. A key added later stays out of reach until you add it to their scope.
Scope bounds the site-key-level permissions (read, create, edit): a partial-scope member only sees and edits the keys in their list. It does not bound manage, which is troop-wide by nature: a member with manage administers the whole troop regardless of scope. So scope is how you say "this developer works on this one key"; manage is how you say "this person runs the troop".
The owner
The troop's owner is the account that created it. The owner always has every permission, and ownership is not transferable. Everyone else holds exactly the permissions and scope you grant them. A member with manage can do everything the owner can within the troop, except transfer ownership.
Where you set this
On the troop's Members page, set permissions and scope when you invite someone and change them any time afterward. On Apex, membership changes are recorded in the troop audit log.
See also
- Create your first shared troop: a walkthrough that grants these to three different teammates.
- Seats: how each member or token consumes a seat.
- Tokens: granting the same permissions to automation instead of a person.