# Assigning Roles to Users

System administrators can assign specific roles to each user in an organization. VGS supports organization-level roles and vault-level roles to ensure appropriate separation of duties throughout an enterprise. This article explains the permissions available to each role.

### Organization Roles

* **Admin**: Users with full access to the Organization and its resources, including sensitive and destructive actions like managing and deleting vaults and applications.
* **User**: Users who actively work on Organization resources (Vaults).

The table below lists the permissions each user has based on their Organization-level role:

| Organization action                                         | User | Admin |
| ----------------------------------------------------------- | ---- | ----- |
| View Organization details                                   | ✓    | ✓     |
| View my resources (Vaults)                                  |      | ✓     |
| Create new resources (Vaults)                               |      | ✓     |
| Manage resource users (add, edit roles, revoke access)      |      | ✓     |
| View own permissions on resources                           |      | ✓     |
| Update Organization details (Org name)                      |      | ✓     |
| Manage Organization users (invite, edit roles, remove)      |      | ✓     |
| Manage (view, create, delete) service accounts via CLI tool |      | ✓     |
| Manage authentication settings (SSO, MFA)                   |      | ✓     |
| Activate Organization                                       |      | ✓     |
| View Usage Reports                                          |      | ✓     |

### Vault Roles

* **Admin**: Users with full administrative access to the vault and its routes, including permission to delete the vault and its routes.
* **Write**: Users with write access to vault settings and routes.
* **Read**: Users with view access to vault settings and routes.

The table below lists the permissions each user has based on their Vault-level role:

| Vault action                                                                   | Read | Write | Admin |
| ------------------------------------------------------------------------------ | ---- | ----- | ----- |
| View list of Vaults                                                            | ✓    | ✓     | ✓     |
| View list of Routes                                                            | ✓    | ✓     | ✓     |
| Create, edit and remove Routes                                                 |      | ✓     | ✓     |
| Manage Vault Settings (Access Credential, mTLS, CNames, Preferences)           |      |       | ✓     |
| View Logs                                                                      | ✓    | ✓     | ✓     |
| View Developer Resources                                                       | ✓    | ✓     | ✓     |
| View Integration templates                                                     | ✓    | ✓     | ✓     |
| Apply integration template to a Route                                          |      | ✓     | ✓     |
| Manage Vault users (add, edit permissions, remove from Vault)                  |      |       | ✓     |
