# Roles and permissions

> Understand the workspace roles in Openlayer and the permissions each role grants.

Openlayer uses **role-based access control (RBAC)** to manage what members of a workspace can do. Every workspace member is assigned one of four roles, listed below from most to least permissive.

| Role                  | Description                                                                        |
| --------------------- | ---------------------------------------------------------------------------------- |
| **Admin**             | Full control over the workspace, its settings, and content.                        |
| **Member**            | Can create and modify content but **cannot** manage workspace settings or members. |
| **Member Restricted** | Same as Member, but **cannot** view data.                                          |
| **Viewer**            | Read-only access. Cannot create, modify, or delete anything.                       |

## When to use each role

* **Admin**: workspace owners and administrators who need full control over settings, members, and integrations.
* **Member**: engineers and data scientists who create and manage projects, tests, and data.
* **Member Restricted**: contractors or external collaborators who need creation capabilities without access to sensitive data.
* **Viewer**: stakeholders, executives, or auditors who need visibility without modification rights.

## Permission matrix

| Permission                                         | Admin | Member | Member Restricted | Viewer |
| -------------------------------------------------- | :---: | :----: | :---------------: | :----: |
| **View data**                                      |   ✓   |    ✓   |         ✗         |    ✓   |
| **Export data**                                    |   ✓   |    ✓   |         ✓         |    ✗   |
| **Run inference**                                  |   ✓   |    ✓   |         ✓         |    ✗   |
| **Create projects**                                |   ✓   |    ✓   |         ✓         |    ✗   |
| **Update projects**                                |   ✓   |    ✗   |         ✗         |    ✗   |
| **Delete projects**                                |   ✓   |    ✗   |         ✗         |    ✗   |
| **Create inference pipelines**                     |   ✓   |    ✓   |         ✓         |    ✗   |
| **Delete inference pipelines**                     |   ✓   |    ✗   |         ✗         |    ✗   |
| **Pause inference pipelines**                      |   ✓   |    ✗   |         ✗         |    ✗   |
| **Create frameworks**                              |   ✓   |    ✓   |         ✓         |    ✗   |
| **Update frameworks**                              |   ✓   |    ✗   |         ✗         |    ✗   |
| **Delete frameworks**                              |   ✓   |    ✗   |         ✗         |    ✗   |
| **Create rules / rule tags**                       |   ✓   |    ✓   |         ✓         |    ✗   |
| **Update rules / rule tags**                       |   ✓   |    ✗   |         ✗         |    ✗   |
| **Delete rules / rule tags**                       |   ✓   |    ✗   |         ✗         |    ✗   |
| **Create goals (tests)**                           |   ✓   |    ✓   |         ✓         |    ✗   |
| **Update goals**                                   |   ✓   |    ✓   |         ✓         |    ✗   |
| **Create commits**                                 |   ✓   |    ✓   |         ✓         |    ✗   |
| **Create comments**                                |   ✓   |    ✓   |         ✓         |    ✗   |
| **Create / update / delete environment variables** |   ✓   |    ✗   |         ✗         |    ✗   |
| **View environment variables**                     |   ✓   |    ✓   |         ✓         |    ✓   |
| **Create / update / delete access groups**         |   ✓   |    ✗   |         ✗         |    ✗   |
| **View access groups**                             |   ✓   |    ✓   |         ✓         |    ✓   |
| **Invite members**                                 |   ✓   |    ✗   |         ✗         |    ✗   |
| **Remove members**                                 |   ✓   |    ✗   |         ✗         |    ✗   |
| **Update member roles**                            |   ✓   |    ✗   |         ✗         |    ✗   |
| **Update workspace**                               |   ✓   |    ✗   |         ✗         |    ✗   |
| **Delete workspace**                               |   ✓   |    ✗   |         ✗         |    ✗   |
| **Manage SAML SSO**                                |   ✓   |    ✗   |         ✗         |    ✗   |
| **Connect Slack**                                  |   ✓   |    ✗   |         ✗         |    ✗   |
| **View billing**                                   |   ✓   |    ✗   |         ✗         |    ✗   |
| **View metric settings**                           |   ✓   |    ✓   |         ✓         |    ✓   |
| **View LLM evaluator**                             |   ✓   |    ✓   |         ✓         |    ✓   |
| **View notification settings**                     |   ✓   |    ✗   |         ✗         |    ✓   |

## FAQ

<AccordionGroup>
  <Accordion title="Are permissions enforced at the project level too?">
    Yes. Permissions are enforced at both the workspace and project levels.
    [Access groups](/security/access-groups) can provide additional
    project-level control.
  </Accordion>

  <Accordion title="Can a project owner bypass their workspace role?">
    Yes. Project owners have full permissions for their projects, regardless of
    their workspace role.
  </Accordion>

  <Accordion title="Can Member Restricted users still access data indirectly?">
    Yes. Member Restricted users cannot view data directly, but they can still
    export data and run inference, which may expose data indirectly. Keep this
    in mind when assigning this role.
  </Accordion>
</AccordionGroup>
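
The following added example (not Openlayer code) encodes a subset of the matrix above and audits a roster for over-privileged assignments and for the indirect data exposure described in the FAQ. The permission keys and the roster are constructed for illustration, and only workspace roles are modelled, not project ownership or access groups.

```python
# Added example: permission keys are hypothetical labels, not Openlayer API names.
# Rows are a subset of the permission matrix on this page.
ROLES = ("Admin", "Member", "Member Restricted", "Viewer")  # most -> least permissive
MATRIX = {  # permission: granted? in ROLES order
    "view_data":                  (True, True, False, True),
    "export_data":                (True, True, True, False),
    "run_inference":              (True, True, True, False),
    "create_projects":            (True, True, True, False),
    "update_projects":            (True, False, False, False),
    "create_goals":               (True, True, True, False),
    "invite_members":             (True, False, False, False),
    "view_notification_settings": (True, False, False, True),
}
# Direct and indirect ways to reach data (the indirect ones come from the FAQ).
DATA_PATHS = {"view_data", "export_data", "run_inference"}


def grants(role):
    """Set of permissions the workspace role grants."""
    i = ROLES.index(role)
    return {perm for perm, row in MATRIX.items() if row[i]}


def least_permissive_role(needed):
    """Least permissive role (page order) covering `needed`, or None."""
    for role in reversed(ROLES):
        if set(needed) <= grants(role):
            return role
    return None


def audit(roster):
    """Yield (user, finding) for each assignment that deserves review."""
    for user, role, needed, must_not_reach_data in roster:
        have, best = grants(role), least_permissive_role(needed)
        if not set(needed) <= have:
            yield user, f"{role} lacks {sorted(set(needed) - have)}; needs {best}"
        elif best != role:
            yield user, f"{role} exceeds need; {best} suffices"
        if must_not_reach_data and have & DATA_PATHS:
            yield user, f"{role} still reaches data via {sorted(have & DATA_PATHS)}"


# Constructed roster: (user, assigned role, permissions needed, must not reach data)
ROSTER = [
    ("alice", "Admin", {"create_projects", "create_goals"}, False),
    ("contractor-1", "Member Restricted", {"create_goals"}, True),
    ("auditor", "Viewer", {"view_data"}, False),
    ("bob", "Member", {"update_projects"}, False),
]

if __name__ == "__main__":
    for user, finding in audit(ROSTER):
        print(f"{user}: {finding}")
```

Every role in the matrix holds at least one of the three data paths, so role assignment alone cannot express "no access to data at all".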
