# Access roles

### Default access roles

In order to help you get up and running with multiple users, there are multiple default (managed) access roles that can be used without having to create a custom access role.

The table below describes what each role does and how it can be used.

<table><thead><tr><th width="208">Role name</th><th>Description</th></tr></thead><tbody><tr><td>AI Employees Viewer</td><td>This role grants read-only access to view AI employees in your workspaces.</td></tr><tr><td>AI Employees Admin</td><td>This role grants full access to create, edit and delete AI Employees in your workspaces.</td></tr><tr><td>Knowledge Base Viewer</td><td>This role grants read-only access to view Knowledge Base resources.</td></tr><tr><td>Knowledge Base Admin</td><td>This role grants full access to create, edit and delete Knowledge Base resources.</td></tr><tr><td>Application Developer</td><td>This role allows a user to manage all applications in the Developer section. It also gives you the same level of access as the Campaigns Admin, Templates Admin, Flows Admin, and Audience Admin roles.</td></tr><tr><td>Audience Admin</td><td>This role allows a user to access and manage audiences. This includes editing existing segments, contacts, and suppressions, creating new ones, and importing and exporting contacts.</td></tr><tr><td>Analytics Admin</td><td>This role allows a user to access and manage analytics and insights. This includes performance reports, subscriber growth, and insights per channel.</td></tr><tr><td>Campaigns Admin</td><td>This role allows a user to access and manage all things related to your marketing campaigns, including existing marketing content.</td></tr><tr><td>Flows Admin</td><td>This role allows a user to access, create, and manage flows in your organization. Because Flows uses many other Bird products to function, we recommend that you combine this role with other useful roles, such as Templates Viewer.</td></tr><tr><td>Templates Admin</td><td>This role allows a user to access and manage all Marketing content. This includes editing and creating templates and translation files.</td></tr><tr><td>Templates Viewer</td><td>This role allows a user read-only access to Marketing content.
It is often useful in combination with other roles, like Flows Admin.</td></tr><tr><td>Inbox Agent</td><td><p>This role can be used for users that are agents within Inbox AI. This role grants access to the Inbox product alongside the content within the channels configured in Inbox across all workspaces.</p><p></p><p>It does not allow access to configure organization or workspace settings including channel management, billing, security, etc.</p></td></tr><tr><td>CX Manager</td><td>This role grants the same access as the Inbox Agent role, but also gives access to Reporting in Inbox.</td></tr><tr><td>Organization Owner</td><td><p>This is the most privileged role in the organization. It can view all content and settings across the organization and alter any settings. It can add and remove users, update security and billing settings and manage all aspects of channels, workspaces, etc.</p><p></p><p>This role should be allocated to the initial user setting up the organization alongside a limited number of trusted individuals who may need to alter any settings or configurations across the organization.</p></td></tr><tr><td>Organization Admin</td><td>This role grants full access to all Organization resources. This includes adding users and managing permissions and billing-related settings. It does not, however, grant any access to any workspaces and would need to be combined with an additional role to provide workspace access. Note that although this role does not grant any access to workspaces, it does have the ability to modify permissions and grant any user any permissions in the organization.</td></tr><tr><td>Organization Viewer</td><td>This role grants read-only access to all Organization resources. This gives the user the ability to view organization settings such as users, security settings and billing.
It does not provide any access to workspaces or the ability to modify permissions.</td></tr><tr><td>Workspace Owner</td><td><p>This role can be used to give a user access to all workspaces and allow them to manage all aspects of a workspace including managing campaigns, channels, contacts, etc. It also gives access to all content within the organization.</p><p></p><p>It does not allow access to organizational level features such as user management, billing, and overall workspace management (e.g. adding and removing workspaces).</p></td></tr><tr><td>Payments Manager</td><td>This role grants full access to payments-related endpoints and allows you to manage all features of payments within your workspaces.</td></tr><tr><td>SCIM Client</td><td>For customers that want to automatically provision their users from a central identity provider, this role is necessary to enable the SCIM protocol to communicate with your organization. Further instructions are available under the <a href="single-sign-on-sso">SSO section</a> of the docs.</td></tr><tr><td>Support Access</td><td>Provides access to raise, view and manage Support Cases. This role is best used in conjunction with another role as it does not provide any other access to the platform.</td></tr><tr><td>Tasks Viewer</td><td>This role grants read-only access to view tasks.</td></tr><tr><td>Tasks Admin</td><td>This role gives the ability to manage all tasks in your workspaces.</td></tr><tr><td>Visitor</td><td>This is an internal role which is not designed for direct customer use.</td></tr><tr><td>Chat Widget</td><td>This is an internal role which is not designed for direct customer use.</td></tr></tbody></table>
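
The role descriptions above translate into a periodic access review. The following is an added example, not Bird's code or API: it encodes only relationships stated in the table and runs over a constructed user-to-roles mapping. The input format, the `review` function and the `max_owners` threshold are assumptions.

```python
# Added example: access review over a constructed user -> roles mapping.
# Role names and relationships are taken from the default-roles table; the
# input format and the max_owners threshold are assumptions.

# Roles the table describes as carrying the access of other roles.
INCLUDES = {
    "Application Developer": {"Campaigns Admin", "Templates Admin",
                              "Flows Admin", "Audience Admin"},
    "CX Manager": {"Inbox Agent"},
}
# Organization-level roles that can manage users and permissions.
PRIVILEGED = {"Organization Owner", "Organization Admin"}
# Roles the table marks as internal, not for direct customer use.
INTERNAL = {"Visitor", "Chat Widget"}

def review(assignments, max_owners=2):
    """Return (user, finding) pairs; user "*" marks an organization-wide finding."""
    findings = []
    owners = sorted(u for u, r in assignments.items() if "Organization Owner" in r)
    if len(owners) > max_owners:
        findings.append(("*", f"{len(owners)} Organization Owner(s), limit "
                              f"{max_owners}: {', '.join(owners)}"))
    for user, assigned in sorted(assignments.items()):
        roles = set(assigned)
        if not roles:  # every user must hold at least one access role
            findings.append((user, "no access role assigned"))
        for role in sorted(roles & INTERNAL):
            findings.append((user, f"internal role assigned: {role}"))
        for role in sorted(roles & PRIVILEGED):
            findings.append((user, f"privileged organization role: {role}"))
        for role in sorted(roles):
            covered = sorted(roles & INCLUDES.get(role, set()))
            if covered:  # the broader role already carries these
                findings.append((user, f"{role} already includes: {', '.join(covered)}"))
    return findings

# Constructed sample data, not real users.
SAMPLE = {
    "alice@example.com": ["Organization Owner"],
    "bob@example.com": ["Organization Admin", "Inbox Agent"],
    "carol@example.com": ["Application Developer", "Templates Admin"],
    "dave@example.com": ["Visitor"],
    "erin@example.com": [],
}

if __name__ == "__main__":
    for user, finding in review(SAMPLE):
        print(f"{user}: {finding}")
```

Redundant assignments are worth removing because they hide what a user keeps if the broader role is later revoked.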

### Custom access roles

{% hint style="info" %}
Assign [access policies](https://docs.bird.com/applications/settings/account/organization-settings/access-policies) to create access roles, then assign roles to users.
{% endhint %}

Access roles are a way to assign specific access permissions to [users](https://docs.bird.com/applications/settings/account/organization-settings/users) within the MessageBird environment. An access role is a collection of access policies that are grouped together to define a specific set of permissions.

For example, you might create an access role called "Marketing Manager" that includes access policies allowing access to [Campaigns](https://docs.bird.com/applications/campaigns/campaigns).

Access roles allow you to control who has access to what data and functions within your organization's MessageBird environment. They are particularly useful when you have a large number of users who require varying levels of access to different areas of the software.

Assign access roles to users when you invite them, or edit a user's profile to add or change their access role.

<div align="left"><figure><img src="https://3861485111-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FU9kiDiTGVD8kkbnKKyEn%2Fuploads%2FcyeIDnZaYIi9zxRr48yW%2FGeneral%20settings%20(1).png?alt=media&#x26;token=f3aee150-9c63-429e-b217-ca95faec0c20" alt=""><figcaption></figcaption></figure></div>

## Create an access role

1. Go to your **Organization Settings** and click **Access roles**.
2. Click the **Create new role** button.
3. Under "General", enter a role name and a role description.
4. Under "Policy", select the policy type (either '[Managed](https://docs.bird.com/applications/settings/account/access-policies#managed-access-policies)' for MessageBird-created policies, or '[Organization](https://docs.bird.com/applications/settings/account/access-policies#custom-access-policies)' for custom policies) from the "Type" drop-down.
5. From the "Policy" drop-down, select the access policy you want to apply to this role.
6. If required, click **Apply another policy** and repeat steps 4-5 to add additional access policies to this role.
7. Click **Create new role** to create your access role.

### Assign an access role to a user

1. Go to your **Organization Settings** and click **Users**.
2. Locate the user that you want to assign access roles to and hover over their entry.
3. Click on the three dots that appear on the right-hand side of the screen.
4. Select **Edit user** from the dropdown menu.
5. In the "Access roles" section, click the dropdown menu and select the access role you want to assign to the user. You can assign multiple roles if needed.
6. Click **Update roles** to save the changes.

{% hint style="success" %}
That's it! The user will now have the assigned access roles and be able to access the corresponding areas of the MessageBird environment based on the permissions granted by those roles.
{% endhint %}

### Change a user's access role

1. Go to your **Organization Settings** and click **Users**.
2. Locate the user whose access role you want to change, hover over their entry, then click the three dots on the right-hand side of the screen.
3. Click **Edit user**.
4. Under the "Access roles" section, you will see the user's current access roles.
5. Select a new role from the drop-down.
6. Click **Update roles** to save the changes.

### Remove a user's access role

{% hint style="warning" %}
Every [user](https://docs.bird.com/applications/settings/account/organization-settings/users) must have at least one access role assigned to them.
{% endhint %}

1. Go to your **Organization Settings** and click **Users**.
2. Locate the user whose access role you want to remove, hover over their entry, then click the three dots on the right-hand side of the screen.
3. Click **Edit user**.
4. Under the "Access roles" section, you will see the user's current access roles. If they have more than one role, you can delete an additional role by hovering over it and clicking the delete icon.
5. Click **Update roles** to save the changes.
