# Zucms

## Roles

> Category: Access & Security

---

## Pages

- [Introduction](https://docs.zucms.co/introduction)

### API

- [RESTful API](https://docs.zucms.co/api/rest)
- [Typescript SDK](https://docs.zucms.co/api/typescript)

### Getting Started

- [Quick Start](https://docs.zucms.co/getting-started/quick-start)
- [Core Concepts](https://docs.zucms.co/getting-started/core-concepts)

### Models

- [Overview](https://docs.zucms.co/models/overview)
- [Field Types](https://docs.zucms.co/models/field-types)
- [Relations](https://docs.zucms.co/models/relations)

### Content

- [Working with Entries](https://docs.zucms.co/content/working-with-entries)
- [Localization](https://docs.zucms.co/content/localization)

### Access & Security

- [Roles](https://docs.zucms.co/access-security/roles)
- [Access Policies](https://docs.zucms.co/access-security/access-policies)

### Organization

- [Members & Roles](https://docs.zucms.co/organization/members-roles)
- [Audit Log](https://docs.zucms.co/organization/audit-log)
- [Billing & Plans](https://docs.zucms.co/organization/billing-plans)

---

# Roles

Roles control what organization-level actions a member can perform. Every member has exactly one role.

## Built-in roles

### `owner`

Full access. Only the owner can delete the organization.

Permissions:
- Update organization settings
- Delete the organization
- Manage billing
- Invite, remove, and change the role of members
- View members
- Manage API keys

### `admin`

Broad management access, but cannot delete the organization.

Permissions:
- Update organization settings
- Manage billing
- Invite, remove, and change the role of members
- View members
- Manage API keys

### `member`

Read-only access to the member list. No management permissions.

Permissions:
- View members

## Role comparison

| Permission | Owner | Admin | Member |
|---|:---:|:---:|:---:|
| Update organization settings | ✓ | ✓ | — |
| Delete organization | ✓ | — | — |
| Manage billing | ✓ | ✓ | — |
| Invite members | ✓ | ✓ | — |
| Remove members | ✓ | ✓ | — |
| Change member roles | ✓ | ✓ | — |
| View members | ✓ | ✓ | ✓ |
| Manage API keys | ✓ | ✓ | — |

## Assignable roles

- **Owners** can assign `admin` or `member` to others.
- **Admins** can only assign `member`.
- No one can self-assign the `owner` role.

## Content permissions

Roles alone do not control access to the Model Builder or content entries. That is handled by **[Access Policies](/access-security/access-policies)**. Assigning an access policy to a user grants them content-level permissions on top of their role.