#RBAC & Drift

Two cross-cutting controls govern who can touch the fleet and how the graph stays honest:

• RBAC — a fixed role-to-permission matrix that gates every project-scoped route. A caller's project role (owner, admin, member, viewer) decides which permission strings they hold, and each route demands a specific one.
• Drift events — an internal reconciler that periodically compares an entity's stored properties against what it observes in a configured source and records each divergence as a drift_events row for an operator to resolve.

This pocket is the lookup reference for both. For the task-oriented walkthroughs, see the How-To pocket.

#How they relate

RBAC and drift meet at the resolution step. Detecting drift is automatic and needs no caller; resolving it is a write to the catalog, so the resolution endpoints (accept, reapply, snooze) are gated by the same RBAC matrix as any other data write:

• Reading drift events requires data:read — held by every role, down to viewer.
• Accepting, reapplying, or snoozing a drift event requires data:write — held by member and above.

Neither path mutates real infrastructure. Accepting a drift event writes the observed value into Terrantula's own catalog; it never runs terraform apply. Pushing the catalog value back out to infrastructure flows through Actions → pull requests → your CI, exactly as every other change does.

#Pages

• RBAC roles & permissions — the role-to-permission matrix, the permission-string vocabulary, and how requirePermission / requireMethodPermission gate routes.
• Drift events — the drift_events schema, event lifecycle, reconciler behavior, and the API/SDK surface.

#Related

• API Reference — every route with its required permission.
• Catalog Schema Reference — the kinds RBAC gates.
• Triggers, GitHub App, Actions & Webhooks — how resolution intent reaches infrastructure (Actions open PRs).
• Cross-source drift how-to — the external-source reconciliation flow.