Roles & Permissions
A detailed breakdown of what each role can do in CPI Studio.
Roles Overview
| Feature / Action | Viewer | Developer | Admin |
|---|---|---|---|
| Assets | | | |
| View packages & iFlows | ✓ | ✓ | ✓ |
| Download iFlow zip | ✓ | ✓ | ✓ |
| Deploy / Undeploy iFlow | ✗ | ✓ | ✓ |
| Script Editor | | | |
| View scripts (read-only) | ✓ | ✓ | ✓ |
| Edit & save scripts | ✗ | ✓ | ✓ |
| AI Assistant | ✗ | ✓ | ✓ |
| Message Logs | | | |
| View logs | ✓ | ✓ | ✓ |
| Retry failed messages | ✗ | ✓ | ✓ |
| Export CSV | ✓ | ✓ | ✓ |
| Runtime | | | |
| View runtime status | ✓ | ✓ | ✓ |
| Start / Stop iFlows | ✗ | ✓ | ✓ |
| Landscape | | | |
| Compare versions | ✓ | ✓ | ✓ |
| Promote iFlows | ✗ | ✓ | ✓ |
| Settings | | | |
| View tenant profiles | ✗ | ✓ | ✓ |
| Add / edit tenant profiles | ✗ | ✗ | ✓ |
| View audit log | ✗ | ✗ | ✓ |
| Manage license key | ✗ | ✗ | ✓ |
Assigning Roles
Roles are assigned via BTP Role Collections (when XSUAA is configured) or through the local user management in Settings when running without XSUAA.
See BTP / XSUAA for details on Role Collection assignment.
Tip: Give business users and auditors the Viewer role — they can read logs and check runtime status without any risk of modifying content.
Break-Glass Admin Account
The break-glass account is an emergency admin that can log in even when SSO is misconfigured, XSUAA is unreachable, or the normal admin user has been accidentally deleted. It is a standard pattern in enterprise software (equivalent to AWS root, SAP client 000 superuser, etc.).
How to Configure
Set two CF environment variables and restage:
cf set-env cpi-developer-studio SUPERUSER_USERNAME admin
cf set-env cpi-developer-studio SUPERUSER_PASSWORD 'YourStrongPassword!'
cf restage cpi-developer-studio
Once set, you can log in at /auth/login with those credentials. The account always has the Admin role regardless of any Role Collection or users.json configuration.
Security Properties
| Property | Behaviour |
|---|---|
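| Password storage | Hashed with bcrypt at app startup; the app never stores or logs it as plaintext. The plaintext value remains in the CF environment variable, where anyone who can read the app's environment (for example with cf env) can see it |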
| Visibility | Does not appear in the user management list — cannot be deleted or modified via the UI |
| Scope | Only active when both env vars are set; remove either to disable the account entirely |
| Precedence | Checked before users.json — takes effect even if the username also exists as a local user |
| Audit trail | All actions taken while logged in as the superuser appear in the audit log under that username |
⚠️ Choose a strong, unique password per deployment — do not reuse the same credentials across customer instances. Rotate the password by updating the env var and restaging. Remove both env vars entirely if you no longer need the break-glass account.
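One way to follow the rotation advice above with a fresh random password per deployment. This is an added example, not part of CPI Studio: the function names, the 24-byte length and the 16-character minimum are assumptions, and the cf commands are the ones shown under How to Configure.

```shell
#!/bin/sh
# Added example: rotate the break-glass password with a unique random value.
# Function names and length thresholds are assumptions, not product settings.

# Generate a password from the kernel CSPRNG: N random bytes as 2*N hex chars.
gen_password() {
  nbytes="${1:-24}"
  od -An -tx1 -N "$nbytes" /dev/urandom | tr -d ' \n'
}

# Reject values that should never reach a tenant: too short, or the
# placeholder password printed in the documentation.
check_password() {
  pw="$1"
  [ "${#pw}" -ge 16 ] || { echo "password too short" >&2; return 1; }
  [ "$pw" != 'YourStrongPassword!' ] || { echo "documentation placeholder" >&2; return 1; }
  return 0
}

# Set the new password on one app and restage so the app re-hashes it at startup.
rotate_breakglass() {
  app="$1"
  pw="$(gen_password 24)"
  check_password "$pw" || return 1
  cf set-env "$app" SUPERUSER_PASSWORD "$pw" >/dev/null || return 1
  cf restage "$app" || return 1
  # Shown once so the operator can move it into a password vault;
  # the script does not write it to disk.
  printf 'New break-glass password for %s: %s\n' "$app" "$pw"
}

# Usage: sh rotate.sh rotate [app-name]
if [ "${1:-}" = "rotate" ]; then
  rotate_breakglass "${2:-cpi-developer-studio}"
fi
```

Run it once per customer instance so that no two deployments share a break-glass password.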
Disabling the Account
cf unset-env cpi-developer-studio SUPERUSER_USERNAME
cf unset-env cpi-developer-studio SUPERUSER_PASSWORD
cf restage cpi-developer-studio