# Roles & Permissions (/docs/organizations/roles)



Layers has **three organization-level roles**. There is no separate
project-level role model today — access to a project flows from your
organization membership.

## Roles [#roles]

| Role     | Description                                                           |
| -------- | --------------------------------------------------------------------- |
| `owner`  | Full admin capabilities; set automatically on organization creation.  |
| `admin`  | Full admin capabilities equivalent to owner for day-to-day workflows. |
| `member` | Standard access.                                                      |

`owner` and `admin` are both treated as "org admin" by the backend
(`is_org_admin` RPC) and are the roles allowed to manage API keys, billing,
and members.

## Capability summary [#capability-summary]

| Capability                   | Owner | Admin | Member |
| ---------------------------- | :---: | :---: | :----: |
| Manage members               |  Yes  |  Yes  |   No   |
| Manage billing & wallet      |  Yes  |  Yes  |   No   |
| Create / revoke API keys     |  Yes  |  Yes  |   No   |
| Create projects              |  Yes  |  Yes  |   Yes  |
| Open any project in the org  |  Yes  |  Yes  |   Yes  |
| Edit project settings        |  Yes  |  Yes  |   Yes  |
| Connect social / ad accounts |  Yes  |  Yes  |   Yes  |
| View dashboards & reports    |  Yes  |  Yes  |   Yes  |

Enterprise-grade role customization (custom roles, per-project viewer
scopes, SSO group mapping) is not yet available. Contact Layers if you
need a fine-grained permission model.