# Assigning Roles to Users

System administrator staff can assign specific roles to each user in an organization. VGS supports organization-level roles and vault-level roles to ensure appropriate separation of duties throughout an enterprise. This article explains the specific permissions that are available to each role.

### Organization Roles

* **Admin**: Users with full access to the Organization and its resources, including sensitive and destructive actions like managing and deleting vaults and applications.
* **User**: Users who actively work on Organization resources (Vaults).

Below is a detailed table of the permissions each user may have access to based on their Organization-level role:

| Organization action                                         | User | Admin |
| ----------------------------------------------------------- | ---- | ----- |
| View Organization details                                   | ✓    | ✓     |
| View my resources (Vaults)                                  |      | ✓     |
| Create new resources (Vaults)                               |      | ✓     |
| Manage resource users (add, edit roles, revoke access)      |      | ✓     |
| View own permissions on resources                           |      | ✓     |
| Update Organization details (Org name)                      |      | ✓     |
| Manage Organization users (invite, edit roles, remove)      |      | ✓     |
| Manage (view, create, delete) service accounts via CLI tool |      | ✓     |
| Manage authentication settings (SSO, MFA)                   |      | ✓     |
| Activate Organization                                       |      | ✓     |
| View Usage Reports                                          |      | ✓     |

### Vault Roles

* **Admin**: Users with full administrative access to the vault and its routes, including permissions to delete the vaults and its routes.
* **Write**: Users with write access to vault settings and routes.
* **Read**: Users with view access to vault settings and routes.

Below is a detailed table of the permissions each user may have access to based on their Vault-level role:

| Vault action                                                                   | Read | Write | Admin |
| ------------------------------------------------------------------------------ | ---- | ----- | ----- |
| View list of Vaults                                                            | ✓    | ✓     | ✓     |
| View list of Routes                                                            | ✓    | ✓     | ✓     |
| Create, edit and remove Routes                                                 |      | ✓     | ✓     |
| <p>Manage Vault Settings<br>(Access Credential, mTLS, CNames, Preferences)</p> |      |       | ✓     |
| View Logs                                                                      | ✓    | ✓     | ✓     |
| View Developer Resources                                                       | ✓    | ✓     | ✓     |
| View Integration templates                                                     | ✓    | ✓     | ✓     |
| Apply integration template to a Route                                          |      | ✓     | ✓     |
| Manage Vault users (add, edit permissions, remove from Vault)                  |      |       | ✓     |


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.verygoodsecurity.com/enterprise-platform/access-management/manage-users/assigning-roles-to-users.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.