Workspace Roles and Permissions
CTFFactory uses a four-tier role model to control what workspace members can see and do. Roles are assigned per workspace β a user may hold different roles in different workspaces.
Role Overview
| Role | Intended For |
|---|---|
| Owner | The workspace creator or a designated successor with full administrative authority |
| Admin | Team leads and operations managers who manage people and workspace settings |
| Member | Practitioners who generate challenges, run CTFs, and deploy infrastructure |
| Viewer | Stakeholders who need read-only access to results, reports, and dashboards |
Permissions Matrix
The table below details every capability and which roles can perform it. A checkmark ( Y ) indicates the role has permission; a dash ( β ) indicates it does not.
| Capability | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| Workspace | ||||
| View workspace dashboard | Y | Y | Y | Y |
| Edit workspace name and slug | Y | β | β | β |
| Delete workspace | Y | β | β | β |
| View audit logs | Y | Y | β | β |
| Manage billing and subscription | Y | β | β | β |
| Branding and Domain | ||||
| Upload logo and set brand colors | Y | Y | β | β |
| Add and verify custom domain | Y | Y | β | β |
| Remove custom domain | Y | β | β | β |
| People | ||||
| View member list | Y | Y | Y | β |
| Invite members by email | Y | Y | β | β |
| Change member roles | Y | Y | β | β |
| Remove members | Y | Y | β | β |
| SSO / OIDC | ||||
| Configure OIDC provider | Y | Y | β | β |
| Enable / disable SSO | Y | Y | β | β |
| Challenges | ||||
| Generate challenges (AI) | Y | Y | Y | β |
| Edit generated challenge content | Y | Y | Y | β |
| Delete challenges | Y | Y | Y | β |
| View challenge list | Y | Y | Y | Y |
| CTF Events | ||||
| Create CTF event | Y | Y | Y | β |
| Edit CTF settings | Y | Y | Y | β |
| Deploy CTF | Y | Y | Y | β |
| Stop / tear down CTF | Y | Y | Y | β |
| View CTF details and scoreboard | Y | Y | Y | Y |
| Learning Paths | ||||
| Browse and enroll (personal) | Y | Y | Y | Y |
| Create custom learning path | Y | Y | β | β |
| Edit learning path cards | Y | Y | β | β |
| Publish / unpublish path | Y | Y | β | β |
| Enroll other users in a path | Y | Y | β | β |
| View learner progress | Y | Y | β | β |
| API Keys | ||||
| Create API key (own account) | Y | Y | Y | β |
| View own API keys | Y | Y | Y | β |
| Revoke own API keys | Y | Y | Y | β |
| View all workspace API keys | Y | Y | β | β |
| Revoke any workspace API key | Y | β | β | β |
| Webhooks | ||||
| Register webhook endpoint | Y | Y | β | β |
| Edit webhook configuration | Y | Y | β | β |
| Delete webhook | Y | Y | β | β |
| View webhook delivery log | Y | Y | Y | β |
| Reports and Stats | ||||
| View CTF analytics | Y | Y | Y | Y |
| Export reports | Y | Y | Y | β |
Changing a Member's Role
Roles can be changed by an Owner or Admin from the People page:
- Navigate to Workspace Settings > People.
- Find the member using the search box.
- Click the role badge next to their name to open the role selector.
- Select the new role and confirm.
The change takes effect immediately. The affected member's current session inherits the new permissions without requiring them to log out.
Owner transfer: To transfer ownership, navigate to Workspace Settings > General and use the Transfer Ownership option. The current Owner must confirm via email. There can only be one Owner per workspace.
Viewer Accounts
Viewer accounts are ideal for:
- Executive stakeholders who need access to scoreboards and reports without the ability to modify anything
- External auditors requiring read access to CTF results for compliance purposes
- Client contacts observing a managed CTF event
Viewer accounts do not consume AI credits when accessing the platform.