# Roles & Permissions

> Understanding user roles and permission management

**Control what team members can do in your organization.**

## Role Hierarchy

```
Owner (Full Control)
  ↓
Admin (Management)
  ↓
Guest (Default)
```

## Role Comparison

<Tabs>
  <Tab title="Owner">
    **Full organizational control**

    ✅ Can do:

    * Everything Admins can do
    * Manage billing and subscriptions
    * Transfer ownership
    * Delete organization
    * View all usage and costs
    * Configure SSO (Enterprise)

    **Limit:** 1-2 per organization recommended
  </Tab>

  <Tab title="Admin">
    **Team and connection management**

    ✅ Can do:

    * Connect AI endpoints
    * Manage groups and access control
    * Invite and remove members (except Owners)
    * View organization analytics
    * Configure organization settings

    ❌ Cannot:

    * Manage billing
    * Delete organization
    * Change Owner role
  </Tab>

  <Tab title="Guest">
    **Default user access**

    ✅ Can do:

    * Use AI connections assigned to their groups
    * Start and participate in conversations
    * View own conversation history
    * Provide message feedback (like/dislike/comment)

    ❌ Cannot:

    * Connect new AI endpoints
    * Create or manage groups
    * Invite others
    * Access admin panel
    * View organization settings
  </Tab>
</Tabs>

## Permission Matrix

| Permission                  | Owner | Admin       | Guest          |
| --------------------------- | ----- | ----------- | -------------- |
| Connect AI endpoints        | ✅     | ✅           | ❌              |
| Manage groups               | ✅     | ✅           | ❌              |
| Invite members              | ✅     | ✅           | ❌              |
| Remove members              | ✅     | Below Admin | ❌              |
| View organization analytics | ✅     | ✅           | ❌              |
| Use AI connections          | ✅     | ✅           | ✅ (via groups) |
| Manage billing              | ✅     | ❌           | ❌              |
| Delete organization         | ✅     | ❌           | ❌              |

## Groups & Access Control

AgentFlow uses groups to control access to AI connections:

**How Groups Work:**

1. Admins/Owners create groups (e.g., "Marketing Team", "Support Team")
2. AI connections are assigned to groups
3. Users are added to groups
4. Users can only access AI connections in their groups

**Example: "Marketing Team" Group**

* Contains: Content writing AI, social media AI
* Members: Marketing staff (Guest role)
* Can: Use assigned AI connections for marketing tasks

**Example: "Engineering Team" Group**

* Contains: Code assistant AI, documentation AI
* Members: Developers (Guest role)
* Can: Use assigned AI connections for development tasks

## Changing Roles

<Steps>
  <Step title="Navigate to Team">
    Organization → Team Members
  </Step>

  <Step title="Find Member">
    Search or scroll to find the team member
  </Step>

  <Step title="Change Role">
    Click role dropdown → Select new role
  </Step>

  <Step title="Confirm">
    Confirm role change (immediate effect)
  </Step>
</Steps>

<Warning>
  Role changes take effect immediately. The user's current session continues but with new permissions.
</Warning>

## Best Practices

<AccordionGroup>
  <Accordion title="Principle of Least Privilege" icon="shield-halved">
    Grant the minimum permissions needed:

    * All users default to Guest role
    * Upgrade to Admin only when they need to manage AI connections or users
    * Limit Owners to 1-2 trusted people
  </Accordion>

  <Accordion title="Separate Duties" icon="users-gear">
    * Owners: Strategic decisions, billing, organization management
    * Admins: AI connection management, user management, group configuration
    * Guests: Use AI connections, participate in conversations
  </Accordion>

  <Accordion title="Use Groups for Access Control" icon="users-rectangle">
    * Create groups based on teams or use cases
    * Assign AI connections to groups
    * Add users to appropriate groups
    * Review group memberships regularly
  </Accordion>

  <Accordion title="Regular Audits" icon="clipboard-check">
    * Monthly: Review active members and group assignments
    * Quarterly: Audit role assignments and AI connection access
    * Remove access immediately when members leave
  </Accordion>
</AccordionGroup>
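
The group model and the audit items above can be checked mechanically against a member list. The following Python is an added example, not AgentFlow code: the record fields (`email`, `role`, `active`, `groups`) and all sample data are constructed assumptions, since this page documents no export or API format.

```python
from collections import Counter

# Constructed sample data. Field names and this export shape are assumptions;
# the page does not document an AgentFlow export or API format.
GROUPS = {
    "Marketing Team": {"Content writing AI", "Social media AI"},
    "Engineering Team": {"Code assistant AI", "Documentation AI"},
}
MEMBERS = [
    {"email": "ana@example.com", "role": "owner", "active": True, "groups": []},
    {"email": "bo@example.com", "role": "owner", "active": True, "groups": []},
    {"email": "cy@example.com", "role": "owner", "active": True, "groups": []},
    {"email": "di@example.com", "role": "admin", "active": False,
     "groups": ["Engineering Team"]},
    {"email": "ed@example.com", "role": "guest", "active": True,
     "groups": ["Marketing Team", "Sales Team"]},
    {"email": "fay@example.com", "role": "guest", "active": True, "groups": []},
]

def effective_connections(member, groups):
    """Union of the AI connections assigned to every group the member is in."""
    reachable = set()
    for name in member["groups"]:
        reachable |= groups.get(name, set())  # an unknown group grants nothing
    return reachable

def audit(members, groups, max_owners=2):
    """Return (finding, subject) tuples for the review items listed on this page."""
    findings = []
    roles = Counter(m["role"] for m in members if m["active"])
    if roles["owner"] > max_owners:  # "Limit Owners to 1-2 trusted people"
        findings.append(("too_many_owners", str(roles["owner"])))
    for m in members:
        # "Remove access immediately when members leave"
        if not m["active"] and (m["groups"] or m["role"] != "guest"):
            findings.append(("departed_member_retains_access", m["email"]))
        for name in m["groups"]:
            if name not in groups:  # stale membership in a deleted or renamed group
                findings.append(("unknown_group", f'{m["email"]}:{name}'))
        # Guests reach connections only via groups, so no groups means no access
        if m["active"] and m["role"] == "guest" and not effective_connections(m, groups):
            findings.append(("guest_without_connections", m["email"]))
    return findings

if __name__ == "__main__":
    for finding, subject in audit(MEMBERS, GROUPS):
        print(f"{finding:32} {subject}")
```
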

<Card title="Next: Managing Members" href="/organization/managing-members">
  Learn how to manage your team members
</Card>
