checkly · sbezludny · Dec 9, 2025 · Dec 8, 2025 · Dec 8, 2025 · Dec 9, 2025
diff --git a/admin/creating-api-key.mdx b/admin/creating-api-key.mdx
@@ -41,7 +41,12 @@ Service API keys are specific to one account and are not tied to a user. This me
 Service API keys are available on the [Enterprise plan](https://www.checklyhq.com/pricing/) only
 </Note>
 
-Service API keys allow you to set a role access level on the key itself, e.g. "read only", "admin" etc. 
+Service API keys allow you to set a role access level on the key itself. Available roles are:
+
+- **Admin** - Full access to create, update, and delete resources.
+- **Read & Write** - Can create, update, and delete checks, alert settings, and maintenance windows.
+- **Read & Run** - Can view all resources and trigger checks and tests, but cannot create, edit, or delete. Ideal for CI/CD pipelines that only need to run tests.
+- **Read Only** - View-only access to all resources.
 
 Prime use cases for service API keys are:
 

diff --git a/admin/team-management/overview.mdx b/admin/team-management/overview.mdx
@@ -8,26 +8,33 @@ This section covers all aspects of administering your Checkly account, from mana
 
 ## Team Member Roles
 
-When inviting a team member to join your account you can assign one of four roles that all have different access patterns.
-
-1. **Owner**
-    - Can change the team name.
-2. **Admin**
-    - Can invite, edit and remove other team members.
-    - Can change the account settings.
-3. **Read & Write**
-    - Can create, update and delete checks.
-    - Can create, update and delete alert settings of individual checks.
-    - Can create, update and delete maintenance windows.
-4. **Read Only**
-    - Look, no touch.
-
-Only the initial account creator has the **Owner** role. You can always change any assigned roles after a teammate has
-joined your team.
-
-<Info>
-Roles are staggered, so any role higher up the totem pole has all the rights of the roles below him/her.
-</Info>
+When inviting a team member to join your account you can assign one of five roles: **Owner**, **Admin**, **Read & Write**, **Read & Run**, or **Read Only**. Each role inherits all permissions from the roles below it.
+
+Only the initial account creator has the Owner role. You can change assigned roles at any time after a teammate joins.
+
+| Capability | Owner | Admin | Read & Write | Read & Run | Read Only |
+|------------|:-----:|:-----:|:------------:|:----------:|:---------:|
+| View all resources | ✓ | ✓ | ✓ | ✓ | ✓ |
+| Trigger checks and tests | ✓ | ✓ | ✓ | ✓ | ✗ |
+| Create/edit/delete checks | ✓ | ✓ | ✓ | ✗ | ✗ |
+| Manage alert settings | ✓ | ✓ | ✓ | ✗ | ✗ |
+| Manage maintenance windows | ✓ | ✓ | ✓ | ✗ | ✗ |
+| Access locked variables | ✓ | ✓ | ✓ | ✗ | ✗ |
+| Manage team members | ✓ | ✓ | ✗ | ✗ | ✗ |
+| Manage account settings | ✓ | ✓ | ✗ | ✗ | ✗ |
+| Manage Private Locations | ✓ | ✓ | ✗ | ✗ | ✗ |
+| Create service API keys | ✓ | ✓ | ✗ | ✗ | ✗ |
+| Transfer ownership | ✓ | ✗ | ✗ | ✗ | ✗ |
+
+### Choosing the Right Role
+
+| Role | Best for |
+|------|----------|
+| **Owner** | Account creator with full control over billing and ownership |
+| **Admin** | Team leads who manage members, settings, and infrastructure |
+| **Read & Write** | Developers who create and maintain checks |
+| **Read & Run** | QA engineers or CI/CD pipelines that run tests but shouldn't modify configuration |
+| **Read Only** | Stakeholders who need visibility into monitoring status |
 
 ### Adding Team Members
 

diff --git a/platform/private-locations/overview.mdx b/platform/private-locations/overview.mdx
@@ -9,7 +9,7 @@ sidebarTitle: 'Overview'
 </Tip>
 
 <Note>
-Private Locations require **Owner** or **Admin** permissions to create and manage.
+**Owner** or **Admin** permissions are required to create, edit, and delete Private Locations. All other roles can view Private Locations and assign checks to them.
 </Note>
 
 Private Locations enable you to run Checkly monitoring from within your own infrastructure. By deploying a lightweight Checkly Agent, you can monitor internal systems, test from specific geographic locations, and maintain complete control over your monitoring environment.

diff --git a/platform/variables.mdx b/platform/variables.mdx
@@ -67,7 +67,7 @@ Store variables at the global level whenever possible to follow the DRY (Don't R
 
 By default, all variables are stored as string values. 
 
-When using variables, you can click the lock icon to hide the value. Any data you “lock” is encrypted at rest and in flight on our back end and is only decrypted when needed. Locked environment variables can only be accessed by team members with [Read & Write access](/admin/team-management/overview/) or above.
+When using variables, you can click the lock icon to hide the value. Any data you "lock" is encrypted at rest and in flight on our back end and is only decrypted when needed. Locked environment variables can only be accessed by team members with [Read & Write, Admin, or Owner roles](/admin/team-management/overview/).
 
 Secrets are never visible for any user and are always encrypted.
-Original file line number
+Diff line change
@@ Expand Up / @@ -9,7 +9,7 @@ sidebarTitle: 'Overview' @@
     </Tip>
     <Note>
-    Private Locations require **Owner** or **Admin** permissions to create and manage.
+    **Owner** or **Admin** permissions are required to create, edit, and delete Private Locations. All other roles can view Private Locations and assign checks to them.
     </Note>
     Private Locations enable you to run Checkly monitoring from within your own infrastructure. By deploying a lightweight Checkly Agent, you can monitor internal systems, test from specific geographic locations, and maintain complete control over your monitoring environment.
@@ Expand Down @@