# Roles

A role definition is a collection of permissions. It's typically just called a role. A role definition lists the actions that can be performed, such as read, write, and delete. Roles can be high-level, like "Owner", or specific, like "Read Only User".

| Name           | Description                                                                    |
| -------------- | ------------------------------------------------------------------------------ |
| Owner          | Owner and creator of the organization.                                         |
| Administrator  | Administrator of the organization. They are designated as such by the "Owner". |
| Operator       | Developer or technician of the organization.                                   |
| Helpdesk       | Support role on projects.                                                      |
| Standard User  | Invited to work on a project by the organization.                              |
| Read Only User | Simple observer of the organization's technical activities on the platform.    |

### List of entities impacted by roles

| Entity       | Description                                                                                                                                                            |
| ------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Organization | Major entity of the application.                                                                                                                                       |
| User         | This is the user entity. It acts more as a subject than an object. It is the one that will be queried to determine if it has the right to access other entity-objects. |
| Project      | Framework for all the work within an organization. An organization can have multiple projects.                                                                         |
| Blueprint    | Workspace within a project. A project can have multiple blueprints.                                                                                                    |

### List of rights by object entity (also called Namespace)

Each namespace has different access rights to its functionalities. It's important to know that there are two types of rights: those that encompass an organization and those that are specific to a project and/or a blueprint.

The rights of the Project and Blueprint namespaces are of the latter type. This makes it possible to grant a person invited to work on a specific project access to that project only, and prevents them from accessing the others.

#### Organization

| Name              | Description                                                                                                                                                                                                          |
| ----------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| access\_org       | Access the organization (this is not about reading, but about access from a code perspective; e.g., a person who can only access one project of the organization must still be able to make some organization code calls). |
| read\_org         | Read access to the organization.                                                                                                                                                                                     |
| edit\_org         | Edit the organization (This does not involve administrative changes).                                                                                                                                                |
| administrate\_org | Administer the organization (Role assignment - modification of organization information).                                                                                                                            |
| delete\_org       | Delete the organization (The default organization cannot be deleted).                                                                                                                                                |
| read\_project     | Read access to the organization's projects.                                                                                                                                                                          |
| create\_project   | Create a new project within the organization.                                                                                                                                                                        |
| edit\_project     | Make modifications to a project.                                                                                                                                                                                     |
| delete\_project   | Delete a project.                                                                                                                                                                                                    |
| share\_project    | Share a project.                                                                                                                                                                                                     |
| read\_blueprint   | Read access to the blueprints of the organization's projects.                                                                                                                                                        |
| create\_blueprint | Create a blueprint within a project.                                                                                                                                                                                 |
| edit\_blueprint   | Modify a blueprint.                                                                                                                                                                                                  |
| delete\_blueprint | Delete a blueprint.                                                                                                                                                                                                  |
| deploy\_blueprint | Deploy a blueprint.                                                                                                                                                                                                  |
| revert\_blueprint | Revert to a previous version of the blueprint.                                                                                                                                                                       |
| share\_blueprint  | Share a blueprint.                                                                                                                                                                                                   |

#### Project

| Name              | Description                               |
| ----------------- | ----------------------------------------- |
| read              | Read access to a specific project.        |
| create\_blueprint | Create a blueprint in a specific project. |
| edit              | Modify a specific project.                |
| delete            | Delete a specific project.                |

#### Blueprint

| Name   | Description                                           |
| ------ | ----------------------------------------------------- |
| read   | Read access to a specific blueprint.                  |
| edit   | Modify a specific blueprint.                          |
| delete | Delete a specific blueprint.                          |
| share  | Share a specific blueprint.                           |
| revert | Revert to a previous version of a specific blueprint. |
| deploy | Deploy a specific blueprint.                          |

## Who can do what?

### Organization <a href="#organization-1" id="organization-1"></a>

| access\_org    | read\_org      | edit\_org      | delete\_org    | administrate\_org |
| -------------- | -------------- | -------------- | -------------- | ----------------- |
| owners         | owners         | owners         | owners         | owners            |
| administrators | administrators | administrators | administrators |                   |
| operators      | operators      | operators      |                |                   |
| helpdesks      |                |                |                |                   |
| standardUsers  |                |                |                |                   |
| readonlyUsers  | readonlyUsers  |                |                |                   |

| read\_project  | create\_project | edit\_project  | delete\_project | share\_project |
| -------------- | --------------- | -------------- | --------------- | -------------- |
| owners         | owners          | owners         | owners          | owners         |
| administrators | administrators  | administrators | administrators  | administrators |
| operators      | operators       | operators      | operators       | operators      |
| readonlyUsers  |                 |                |                 |                |

| read\_blueprint | create\_blueprint | edit\_blueprint | delete\_blueprint | deploy\_blueprint | revert\_blueprint | share\_blueprint |
| --------------- | ----------------- | --------------- | ----------------- | ----------------- | ----------------- | ---------------- |
| owners          | owners            | owners          | owners            | owners            | owners            | owners           |
| administrators  | administrators    | administrators  | administrators    | administrators    | administrators    | administrators   |
| operators       | operators         | operators       | operators         | operators         | operators         | operators        |
| readonlyUsers   |                   |                 |                   |                   |                   |                  |

### Project <a href="#project-1" id="project-1"></a>

| read          | create\_blueprint | edit          | delete        | share         |
| ------------- | ----------------- | ------------- | ------------- | ------------- |
| helpdesks     | helpdesks         |               |               |               |
| standardUsers | standardUsers     | standardUsers | standardUsers | standardUsers |

### Blueprint <a href="#blueprint-1" id="blueprint-1"></a>

| read          | edit          | delete        | share         | deploy        | revert        |
| ------------- | ------------- | ------------- | ------------- | ------------- | ------------- |
| helpdesks     | helpdesks     |               |               |               |               |
| standardUsers | standardUsers | standardUsers | standardUsers | standardUsers | standardUsers |
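
The tables above, expressed as a default-deny permission check. This is an added example, not the platform's own code. The `Member.invited` field, the function names, and the rule that an organization-wide right such as `read_project` covers the matching scoped right on every resource are assumptions.

```python
from dataclasses import dataclass, field

PROJECT = {"read_project", "create_project", "edit_project", "delete_project", "share_project"}
BLUEPRINT = {"read_blueprint", "create_blueprint", "edit_blueprint", "delete_blueprint",
             "deploy_blueprint", "revert_blueprint", "share_blueprint"}

# Organization-wide grants, transcribed from the Organization tables under "Who can do what?".
ORG_GRANTS = {
    "owners": {"access_org", "read_org", "edit_org", "delete_org", "administrate_org"} | PROJECT | BLUEPRINT,
    "administrators": {"access_org", "read_org", "edit_org", "delete_org"} | PROJECT | BLUEPRINT,
    "operators": {"access_org", "read_org", "edit_org"} | PROJECT | BLUEPRINT,
    "helpdesks": {"access_org"},
    "standardUsers": {"access_org"},
    "readonlyUsers": {"access_org", "read_org", "read_project", "read_blueprint"},
}

# Scoped grants, transcribed from the Project and Blueprint tables under "Who can do what?".
SCOPED_GRANTS = {
    "project": {
        "helpdesks": {"read", "create_blueprint"},
        "standardUsers": {"read", "create_blueprint", "edit", "delete", "share"},
    },
    "blueprint": {
        "helpdesks": {"read", "edit"},
        "standardUsers": {"read", "edit", "delete", "share", "deploy", "revert"},
    },
}

@dataclass
class Member:
    role: str
    # Hypothetical field: ids of the projects/blueprints this member was invited to.
    invited: dict = field(default_factory=dict)

def is_allowed(member, namespace, right, resource_id=None):
    org_rights = ORG_GRANTS.get(member.role, set())  # unknown role -> no rights
    if namespace == "organization":
        return right in org_rights
    if namespace not in SCOPED_GRANTS:
        return False  # unknown namespace -> deny
    if right not in set().union(*SCOPED_GRANTS[namespace].values()):
        return False  # right does not exist in this namespace -> deny
    # Assumption: an organization-wide right covers every project/blueprint.
    org_name = right if right == "create_blueprint" else f"{right}_{namespace}"
    if org_name in org_rights:
        return True
    # Otherwise the right must be granted to the role AND scoped to this resource.
    scoped = SCOPED_GRANTS[namespace].get(member.role, set())
    return right in scoped and resource_id in member.invited.get(namespace, set())
```

A standard user invited to one project passes `access_org` and the scoped check for that project only; the same call with any other project id is denied.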
