How roles are organised

Nuvolos uses a role-based system that aligns with the platform's organisational hierarchy. Each level - organisation, space, instance - has its own roles, designed to match the responsibilities that level represents. Roles are granted via invitations: a user with granting capability sends an invitation, the recipient confirms by clicking the link, and the role is granted.

There are also resource pool roles, which sit alongside the hierarchy roles and govern budgeting rather than content access.

Resource pool roles

Resource pools serve as cost centres and accounting units on Nuvolos.

There are two roles:

• Manager - can assign resource pools to projects, invite other managers, transfer Credits, and review the full utilisation of all mapped content.

• Member - has no active capability. Members are users who at the current time are using resources mapped to the resource pool.

Organisation level roles

Organisations serve as high level structural units in Nuvolos. Each organisation comes with a default resource pool. Users in an organisation can have one of four roles:

• No role - users without a role in an organisation cannot view any content within it. Organisation managers can revoke roles when needed.

• Member - users invited to participate in any space within the organisation. Members can view Public Spaces, access content they are specifically invited to, and automatically receive Instance Observer status in dataset Spaces with Public visibility. The member role indicates that the user has an established connection with the organisation.

• Faculty - users who manage and control resources within the organisation.

  • Create new spaces and invite users to those spaces (creators automatically become space administrators)

  • Automatically receive Instance Viewer status in Dataset spaces with Public and Faculty-only visibility

  • Automatically become space administrators in Research and Course spaces with Faculty-only visibility

  • Distribute licensed content to other users - a powerful capability that supports collaboration

• Manager - organisation managers oversee resources and control membership across the organisation.

  • Create new spaces and invite users (creators automatically become space administrators)

  • They receive a resource pool manager role to the default resource pool of the organisation.

  • As a resource pool manager, monitor resource usage across the entire organisation (though they can only view and modify content in spaces where they have Space or Instance roles).

  • Automatically become space administrators in Dataset spaces with Public and Faculty-only visibility, and in Research and Course spaces with Faculty-only visibility.

  • Invite additional faculty members or organisation managers.

  • Revoke access to organisational resources when necessary.

  • Remove derelict projects.

Space level roles

Every space has one special elevated role: space administrator. Other users access a Space through editor or viewer roles in one or more Instances within that Space.

Space administrators have full administrative control within their space. They can:

• View and edit every instance in the space and take any action in them (related to files, tables, applications).

• Create and delete snapshots.

• Invite users to instances as editors or viewers.

• Create new instances within the space.

• Change space configurations (secrets, quotas, resource mapping if sufficient resource pool roles are available).

Instance level roles

Three roles control access within an Instance:

• Instance Editor

  • Modify the contents of the current state of an instance.

  • Edit instance name and description (except for Master and Distributed instances).

  • Upload and download files.

  • Run applications.

  • Create snapshots of the instance's current state.

  • Distribute to the instance from another location where they are at least Instance Viewers.

• Instance Viewer

  • View the contents of snapshots in the instance,

  • Write queries against data,

  • Distribute from the instance to another location where they are at least Instance Editors.

• Instance Observer - This role exists only in dataset Spaces, where it makes datasets discoverable while keeping their contents access-controlled.

  • View the README.md file at the root of the instance's Workspace files

  • Request viewer roles for the instance

Combined capability summary

The following capabilities are available to each role across the Nuvolos hierarchy. Capabilities are additive - for example, an organisation manager who is also an Instance Editor in a specific Instance has both sets of capabilities.