> For the complete documentation index, see [llms.txt](https://docs.bird.com/applications/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.bird.com/applications/settings/account/organization-settings/access-roles.md). # Access roles ### Old IAM access roles In order to help you get up and running with multiple users, there are multiple default (managed) access roles that can be used without having to create a custom access role. This applies only to old workspaces on the Old IAM system/infrastructure. The table gives a description of what each role does and how it can be used.
Role nameDescription
AI Employees ViewerThis role grants read-only access to view AI employees in your workspaces.
AI Employees AdminThis roles grants full access to create, edit and delete AI Employees in your workspaces.
Knowledge Base ViewerThis role grants read-only access to view Knowledge Base resources.
Knowledge Base AdminThis role grants full access to create, edit and delete Knowledge Base resources.
Application DeveloperThis role allows a user to manage all applications in the Developer section. It also gives you the same level of access as the Campaigns Admin, Templates Admin, Flows Admin, and Audience Admin roles.
Audience AdminThis role allows a user to access and manage audiences. This includes editing existing segments, contacts, and suppressions, creating new ones, and importing and exporting contacts.
Analytics AdminThis role allows a user to access and manage analytics and insights. This includes performance reports, subscriber growth, and insights per channel.
Campaigns AdminThis role allows a user to access and manage all things related to your marketing campaigns, including existing marketing content.
Flows AdminThis role allows a user to access, create, and manage flows in your organization. Because Flows uses many other Bird products to function, we recommend that you combine this role with other useful roles, such as Templates Viewer.
Templates AdminThis role allows a user to access and manage all Marketing content. This includes editing and create templates and translation files.
Templates ViewerThis role allows a user read-only access to Marketing content. It is often useful in combination with other roles, like Flows Admin.
Inbox Agent

This role can be used for users that are agents within Inbox AI. This role grants access to the Inbox product alongside the content within the channels configured in Inbox across all workspaces.

It does not allow access to configure organization or workspace settings including channel management, billing, security, etc.

CX ManagerThis role grants the same access as the Inbox Agent role however also gives access to Reporting in Inbox.
Organization Owner

This is the most privileged role in the organization. It can view all content and settings across the organization and alter any settings. It can add and remove users, update security and billing settings and manage all aspects of channels, workspaces, etc.

This role should be allocated to the initial user setting up the organization alongside a limited number of trusted individuals who may need to alter any settings or configurations across the organization.

Organization AdminThis role grants full access to all Organization resources. This includes adding users and managing permissions and billing related settings. It does not however grant any access to any workspaces and would need to be combined with an additional role to provide workspace access. Note that although this role does not grant any access to workspaces, it does have the ability to modify permissions and grant any user any permissions in the organization.
Organization ViewerThis role grants read-only access to all Organization resources. This gives the user the ability to view organization settings such as users, security settings and billing. It does not provide any access to workspaces or the ability to modify permissions.
Workspace Owner

This role can be used to give a user access to all workspaces and allow them to manage all aspects of a workspace including managing campaigns, channels, contacts, etc. It also gives access to all content within the organization.

It does not allow access to organizational level features such as user management, billing, and overall workspace management (e.g. adding and removing workspaces).

Payments ManagerThis role grants full access payments related endpoints and allows you to manage all features of payments within your workspaces.
SCIM ClientFor customers that want to automatically provision their users from a central identity provider, this role is necessary to enable the SCIM protocol to communicate with your organization. Further instructions are available under the SSO section of the docs.
Support AccessProvides access to raise, view and manage Support Cases. This role is best used in conjunction with another role as it does not provide any other access to the platform.
Tasks ViewerThis role grants read-only access to view tasks.
Tasks AdminThis role gives the ability to manage all tasks in your workspaces.
VisitorThis is an internal role which is not designed for direct customer use.
Chat WidgetThis is an internal role which is not designed for direct customer use.
*** ### New IAM access roles In order to help you get up and running with multiple users, there are multiple default (managed) access roles that can be used without having to create a custom access role. This applies to workspaces on the New IAM infrastructure. Access roles are assigned at two levels: **organization-level** roles control access to organization-wide assets (users, billing, workspaces, and settings), while **workspace-level** roles control access to the apps and features within a single workspace. A user can hold roles at both levels. The tables below describe what each role does and how it can be used. *** ### Organization-level roles | Role name | Description | | ---------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Organization Admin** | Organization administrator with full access to organization assets: management, users, billing & invoices, settings, workspaces, and IAM. Note: this role does not provide access to workspaces or workspace apps. You will need to contact your workspace admin to assign you a workspace-specific role. | | **Organization Business Profile Admin** | Admin access to the business profile data of the organization. | | **Organization Finance Admin** | Organization-level financial administrator with access to billing settings and financial management (does not include workspace finance operations). | | **Organization Numbers & Sender Registration** | Manage the numbers and sender registration for this organization. | | **Workspace management** | Manage workspaces within the organization. | | **Workspace viewer** | View workspaces within the organization. | | **Support Center** | Access to submit and manage support tickets for this organization. Automatically granted to Organization Admins. | *** ### Workspace-level roles #### Workspace administration | Role name | Description | | ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Workspace admin** | Full administrative access to the workspace and all of its apps — IAM, Developer (numbers & channels), CRM, Marketing, Security, AI Hub, and Customer Support — including sending, reporting, integrations, and exchange-rate management. Automatically added to the user who creates the workspace. | #### IAM | Role name | Description | | -------------- | ------------------------------------------------------------------------------------------------------------------------- | | **IAM Admin** | Full IAM access for the workspace: manage users, groups, roles, and access policies, including the SCIM provisioning API. | | **IAM Viewer** | Read-only access to workspace IAM: view users, groups, and their memberships. | #### AI Hub | Role name | Description | | --------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **AI Hub Admin** | Full access to all AI Hub features — AI models, FAQ, assist, intents, predictions, agents, sentiment analysis, and reporting — plus knowledge-base content management, connector management, and creation of delegated AI-agent access keys. | | **AI Employee Admin** | Full management of AI Employees (AI agents) and their knowledge base — create, edit, and deploy agents, manage the connectors they use, and full knowledge-base content access. | | **AI Employee View Access** | Read-only access to AI Employees and their knowledge base — view agents, versions, deployments, chats, and knowledge-base documents. | #### CRM | Role name | Description | | ------------- | ------------------------------------------------------------------------------------------------------------------------- | | **CRM Admin** | CRM admin role with full access to all CRM features including contacts, accounts, custom objects, and datahub operations. | #### Developer | Role name | Description | | --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Developer Admin** | Full developer access: manage numbers and sender registration, create/update/delete channels, view channel events and reporting, send messages, and create/manage webhook subscriptions. | | **Developer Viewer** | Read-only developer access: view numbers, channels, channel events, and webhook subscriptions and their delivery logs. | | **Developer Channels Sender** | Send messages to channels (SMS, Email, WhatsApp, etc.). | | **Developer Channels Reporting Viewer** | Read-only access to channels reporting. | #### Customer Support (Inbox) | Role name | Description | | ---------------------------- | ---------------------------------------------------------------------- | | **Customer Support admin** | Complete Support app access including preferences and role management. | | **Customer Support manager** | Full access to team-specific tickets and performance reports. | | **Customer Support agent** | Full access to team-specific tickets. | | **Customer Support analyst** | Read-only access to team-specific analytics. | #### Marketing | Role name | Description | | --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | **Marketing Analyst** | Read-only across marketing (campaigns, journeys, flows, content, data, schema), plus full analytics: view and manage dashboards, run queries, and view all reporting data. | | **Content Creator** | Create, edit, and activate marketing content; create and edit campaigns and journeys (no send/publish); view flows. | | **Campaign Manager** | Full campaign and journey lifecycle including activation/send and publish; create and edit content, segments, contact lists, and commerce; view flows and contacts; full analytics and product-catalog management. | | **Marketing Admin** | Full access to all marketing features and operations, including analytics and cross-app integrations. | #### Security | Role name | Description | | -------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Security Admin** | Full access to all Security features — security items, configurations, and events; Security Protect (bug-bounty programs and reports); security content; audit logs; and reporting. | | **Security Manager** | Manage security items, configurations, and events; create and manage reports and bug-bounty programs/reports; view audit logs. | | **Security Viewer** | Read-only access to security items, configurations, events, reports, bug-bounty data, and audit logs. | *** ### Custom access roles {% hint style="info" %} Not supported {% endhint %} ### Remove a user's access role {% hint style="warning" %} Every [user](/applications/settings/account/organization-settings/users.md) must have at least one access role assigned to them. {% endhint %} 1. Go to your **Organization Settings** and click **Users**. 2. Locate the user whose access role you want to remove, hover over their entry, then click the three dots on the right-hand side of the screen. 3. Click **Edit user**. 4. Under the "Access roles" section, you will see the user's current access roles. If they have more than one role, you can delete the additional roles by hovering over it and clicking the delete icon. 5. Click **Update roles** to save the changes. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://docs.bird.com/applications/settings/account/organization-settings/access-roles.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.