CVAT implements a comprehensive role-based access control (RBAC) system with two distinct types of roles:
  • Global Roles: System-wide roles that apply to all users across the entire CVAT instance
  • Organization Roles: Context-specific roles that determine permissions within an organization
All roles are predefined and cannot be modified through the user interface. In self-hosted deployments, roles can be customized by editing .rego policy files in cvat/apps/*/rules/.

Global Roles

Global roles determine base-level permissions for users across the entire CVAT platform.
Global roles can only be adjusted in self-hosted deployments.

Administrator

Privilege Level: Highest
Administrators have unrestricted access to the entire CVAT instance:
  • View and manage all tasks, projects, and jobs
  • Access all organizations and resources
  • Modify system-wide settings
  • Manage all users and permissions
The Administrator role is only available in self-hosted instances, not on CVAT Cloud.

User (Default)

Privilege Level: Standard
The default role assigned to all registered users:
  • Create and manage their own tasks and projects
  • Collaborate within organizations they’re invited to
  • Access resources in their personal workspace
  • Subject to subscription plan limits on CVAT Cloud

Worker

Privilege Level: Limited
Workers have restricted permissions focused on annotation work:
  • Cannot create tasks or projects
  • Cannot assign roles or perform administrative actions
  • Can only view and annotate jobs assigned to them
  • Limited to annotation and validation activities

Organization Roles

Organization roles provide fine-grained access control within CVAT Organizations. These roles determine what actions users can perform on organization resources.
Organization roles are assigned when users are invited to an organization and complement global roles.

Owner

Access Level: Full control
The creator of an organization is automatically assigned the Owner role.
Permissions:
  • All capabilities of Maintainer role
  • Delete the organization
  • Transfer organization ownership (future feature)
  • Maximum capabilities within the organization
  • Only limited by subscription plan restrictions
Restrictions:
  • Role cannot be changed or reassigned to another user
  • Only one Owner per organization
Code Reference: cvat/apps/organizations/models.py:42

Maintainer

Access Level: Administrative
Maintainers have broad administrative capabilities.
Permissions:
  • Invite users to the organization
  • Create, update, and delete projects and tasks
  • View all tasks and projects in the organization
  • Manage cloud storage connections
  • Change member roles (except Owner)
  • Remove members (except Owner and other Maintainers)
  • Full access to organization settings
Code Reference: cvat/apps/organizations/rules/memberships.rego:88-100

Supervisor

Access Level: Project management
Supervisors manage projects and task assignments.
Permissions:
  • Create projects and tasks within the organization
  • Assign jobs to organization members
  • Manage project and task settings
  • View and manage assigned resources
Restrictions:
  • Cannot invite new members
  • Cannot modify member roles
  • Cannot access all organization tasks (only assigned ones)
Code Reference: cvat/apps/engine/rules/projects.rego:76-77

Worker

Access Level: Task execution
Workers focus on annotation and validation work.
Permissions:
  • View and annotate jobs assigned to them
  • Import and export annotations for assigned jobs
  • Update job status and stage
  • Report issues on assigned jobs
Restrictions:
  • Cannot create projects or tasks
  • Cannot assign jobs to others
  • Cannot view unassigned organization resources
  • Cannot modify organization settings
  • Cannot invite or manage members
Code Reference: cvat/apps/organizations/models.py:39

Permission Matrix

The following table shows key permissions for each organization role:
Permission            Owner  Maintainer  Supervisor  Worker
Delete organization   ✓      -           -           -
Invite members        ✓      ✓           -           -
Change member roles   ✓      ✓*          -           -
Remove members        ✓      ✓*          -           -
View all org tasks    ✓      ✓           -           -
Create projects       ✓      ✓           ✓           -
Create tasks          ✓      ✓           ✓           -
Assign jobs           ✓      ✓           ✓           -
Manage cloud storage  ✓      ✓           -           -
View assigned jobs    ✓      ✓           ✓           ✓
Annotate jobs         ✓      ✓           ✓           ✓
Export annotations    ✓      ✓           ✓           ✓**
*Maintainers cannot modify Owner or other Maintainer roles
**Workers can only export annotations for assigned jobs

Job Stages

Job stages are NOT roles. They define the type of work being performed on a job.
Any team member can be assigned to a job with a specific stage:

Annotation Stage

Provides access to annotation tools:
  • Create and edit annotations
  • Use all annotation tools (shapes, polygons, etc.)
  • Cannot report issues by default

Validation Stage

Grants access to QA tools:
  • Review annotations
  • Report issues and errors
  • Cannot edit annotations by default

Acceptance Stage

Marks the job as completed:
  • No additional access granted
  • Indicates final approval of work
Assignees can switch between Standard (Annotation) and Review (Validation) modes using the toolbar, regardless of their assigned stage. A job stage is therefore a workflow marker, not an access boundary: use organization roles and job assignment, not stages, to restrict what a user can reach.

Permission Implementation

CVAT uses Open Policy Agent (OPA) for permission evaluation:
  1. Policy Files: Permissions are defined in .rego files:
    • cvat/apps/iam/rules/utils.rego - Core permission utilities
    • cvat/apps/organizations/rules/organizations.rego - Organization permissions
    • cvat/apps/organizations/rules/memberships.rego - Member management
    • cvat/apps/engine/rules/jobs.rego - Job-level permissions
    • cvat/apps/engine/rules/projects.rego - Project-level permissions
  2. Role Priority: Roles have numerical priority (lower = higher privilege):
    • Owner: 0
    • Maintainer: 50
    • Supervisor: 75
    • Worker: 100
  3. Context: Permissions are evaluated based on:
    • User’s global role
    • User’s organization role
    • Resource ownership
    • Resource organization membership
For detailed permission rules, see the OPA policy files in your self-hosted deployment.
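The priority numbers above are what make the "Maintainers cannot modify other Maintainers" rule fall out naturally: the checks compare priorities with a strict less-than, so two members of equal rank do not outrank each other. The following Python model is an added example, not CVAT's own code and not a transcription of its .rego files; it re-implements the membership rules the page documents (remove, change role, invite, plus the global Administrator bypass) so the ordering logic can be read without OPA. The rule that a member may not grant a role more privileged than their own is an assumption made for this example, as is the `Principal` type.

```python
"""Priority-based organization role checks modelled on the numbers listed above.

Added example, not CVAT's own code. The exact rule set CVAT's .rego policies
apply is an assumption here; the values and the strict comparison follow the
page's description (lower number = more privilege).
"""
from dataclasses import dataclass
from typing import Optional

# Organization role priorities as listed on the page.
ORG_PRIORITY = {"owner": 0, "maintainer": 50, "supervisor": 75, "worker": 100}


@dataclass(frozen=True)
class Principal:
    """Hypothetical request context: who is acting and with which roles."""
    username: str
    is_admin: bool = False            # global Administrator (self-hosted only)
    org_role: Optional[str] = None    # organization role, None if not a member


def outranks(actor_role: str, target_role: str) -> bool:
    """Strict comparison: a Maintainer does NOT outrank another Maintainer.
    Using <= here instead of < would let peers remove or demote each other."""
    return ORG_PRIORITY[actor_role] < ORG_PRIORITY[target_role]


def can_remove_member(actor: Principal, target_role: str) -> bool:
    """Remove a member: Owner may remove anyone but themselves; a Maintainer
    may remove only Supervisors and Workers (page: not Owner, not Maintainers)."""
    if actor.is_admin:
        return True
    if actor.org_role is None or target_role == "owner":
        return False
    return outranks(actor.org_role, target_role)


def can_change_role(actor: Principal, target_role: str, new_role: str) -> bool:
    """Change a member's role. The actor must strictly outrank the member's
    current role, the Owner role is never assignable or removable this way,
    and (assumed rule) the new role may not be more privileged than the actor's."""
    if actor.is_admin:
        return True
    if actor.org_role is None or target_role == "owner" or new_role == "owner":
        return False
    if not outranks(actor.org_role, target_role):
        return False
    return ORG_PRIORITY[new_role] >= ORG_PRIORITY[actor.org_role]


def can_invite(actor: Principal) -> bool:
    """Invite members: Owner and Maintainer only (page permission matrix)."""
    if actor.is_admin:
        return True
    return (actor.org_role is not None
            and ORG_PRIORITY[actor.org_role] <= ORG_PRIORITY["maintainer"])


if __name__ == "__main__":
    owner = Principal("alice", org_role="owner")
    maintainer = Principal("bob", org_role="maintainer")
    supervisor = Principal("carol", org_role="supervisor")
    assert can_remove_member(maintainer, "worker")
    assert not can_remove_member(maintainer, "maintainer")   # equal priority
    assert can_remove_member(owner, "maintainer")
    assert not can_change_role(maintainer, "worker", "owner")
    assert can_change_role(maintainer, "worker", "maintainer")
    assert not can_invite(supervisor)
    print("role checks behave as documented")
```

When you customise the .rego files in a self-hosted deployment, the comparison in `outranks` is the line to scrutinise: relaxing it to a non-strict comparison turns every Maintainer into a peer-level administrator who can remove or demote the others.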

Role Assignment

Global Roles

Global roles are assigned:
  • User: Automatically assigned on registration
  • Worker: Manually assigned by administrators (self-hosted only)
  • Administrator: Manually assigned during setup (self-hosted only)

Organization Roles

Organization roles are assigned:
  • Owner: Automatically assigned to organization creator
  • Maintainer, Supervisor, Worker: Assigned during member invitation
Owners and Maintainers can change member roles after invitation, with two limits: the Owner role cannot be changed, and Maintainers cannot change the roles of other Maintainers.

Best Practices

Principle of Least Privilege

Assign the minimum role necessary for users to perform their duties.

Regular Audits

Periodically review organization members and their assigned roles.

Use Organizations

Leverage organizations for team collaboration rather than sharing personal workspace access.

Document Decisions

Keep track of why specific roles were assigned to team members.
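The "Regular Audits" and "Document Decisions" practices above are most useful when combined: a documented roster of who should hold which role, checked periodically against what the organization actually contains. The script below is an added example, not part of CVAT or its documentation. It works on a list of membership records and flags the usual least-privilege problems (more than one owner, privileged roles on inactive memberships, too many Maintainers) and any drift from the roster. The record shape it assumes (`user.username`, `role`, `is_active`) follows the Membership model as the author of this example understands it, and the sample records are constructed; if you pull them from the `/api/memberships` endpoint of your instance, confirm the field names against your API schema first.

```python
"""Audit CVAT organization memberships against a documented roster.

Added example, not CVAT's own code. The membership record shape (user.username,
role, is_active) is an assumption; the sample data below is constructed.
"""
from collections import Counter

# Constructed sample: what the `results` array of a memberships listing
# might contain for one organization.
SAMPLE_MEMBERSHIPS = [
    {"user": {"username": "alice"}, "role": "owner", "is_active": True},
    {"user": {"username": "bob"}, "role": "maintainer", "is_active": True},
    {"user": {"username": "carol"}, "role": "maintainer", "is_active": True},
    {"user": {"username": "dave"}, "role": "maintainer", "is_active": False},
    {"user": {"username": "erin"}, "role": "supervisor", "is_active": True},
    {"user": {"username": "frank"}, "role": "worker", "is_active": True},
]

# The documented decision: who was meant to hold which role, and why is
# recorded elsewhere. Constructed for this example.
EXPECTED_ROLES = {
    "alice": "owner",
    "bob": "maintainer",
    "carol": "supervisor",
    "erin": "supervisor",
    "frank": "worker",
}

PRIVILEGED = {"owner", "maintainer"}   # roles that can invite and manage members


def audit_memberships(memberships, max_maintainers=2):
    """Return (role_counts, findings).

    Findings are plain strings describing conditions a human should review:
    the page says there is exactly one Owner, privileged roles on inactive
    (invited-but-never-joined or deactivated) memberships are stale access,
    and a large Maintainer pool defeats least privilege."""
    counts = Counter(m["role"] for m in memberships)
    findings = []

    owners = [m for m in memberships if m["role"] == "owner"]
    if len(owners) != 1:
        findings.append(f"expected exactly one owner, found {len(owners)}")

    for m in memberships:
        if m["role"] in PRIVILEGED and not m["is_active"]:
            findings.append(
                f"inactive membership holds {m['role']}: {m['user']['username']}")

    if counts["maintainer"] > max_maintainers:
        findings.append(
            f"{counts['maintainer']} maintainers exceeds limit {max_maintainers}")

    return dict(counts), findings


def drift_from_roster(memberships, expected_roles):
    """Compare live roles with the documented roster {username: role}.

    Returns a sorted list of (username, expected, actual); expected or actual
    is None when the user exists on only one side."""
    actual = {m["user"]["username"]: m["role"] for m in memberships}
    drift = []
    for user in sorted(set(actual) | set(expected_roles)):
        expected, live = expected_roles.get(user), actual.get(user)
        if expected != live:
            drift.append((user, expected, live))
    return drift


if __name__ == "__main__":
    counts, findings = audit_memberships(SAMPLE_MEMBERSHIPS)
    print("role counts:", counts)
    for f in findings:
        print("FINDING:", f)
    for user, expected, live in drift_from_roster(SAMPLE_MEMBERSHIPS, EXPECTED_ROLES):
        print(f"DRIFT: {user}: documented={expected} actual={live}")
```

On the sample data the audit reports an inactive Maintainer and three Maintainers against a limit of two, and the roster diff shows carol promoted beyond what was documented and dave present with no documented decision at all; those are exactly the two cases a periodic review should surface.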
