Roles and permissions

A member’s role decides what they can do. Acme has four levels of access, plus organization ownership as a separate axis layered on top.

Roles are assigned per workspace — a member can be an admin in one workspace and a user in another. They rank from lowest to highest access:

user → developer → admin → owner

Each level includes everything the levels below it can do, and adds more:

  • User — standard access. Can view and work with the resources in a workspace they belong to. This is the default role for a new member.
  • Developer — everything a user can do, plus access to developer tools. Developers can use the Developer settings to create and manage API tokens (when the developer feature is enabled). See Enable developer mode.
  • Admin — everything a developer can do, plus team and organization management. Admins can invite and remove members, change members’ roles, and manage most organization settings.
  • Owner — full access to everything, including billing. See “Organization ownership” below.

The table below summarizes which settings areas each role can reach. A check means that role (and every role above it) has access.

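| Settings area                | User | Developer | Admin | Owner |
|------------------------------|------|-----------|-------|-------|
| Account, Security, Workspace | ✓    | ✓         | ✓     | ✓     |
| Developer (API tokens)       |      | ✓         | ✓     | ✓     |
| Members (manage team)        |      |           | ✓     | ✓     |
| Rewards                      |      |           | ✓     | ✓     |
| Integrations (provider keys) |      |           | ✓     | ✓     |
| Organization (Danger Zone)   |      |           | ✓     | ✓     |
| Billing                      |      |           |       | ✓     |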

A few notes on the table:

  • Account, Security, and Workspace settings are available to every member — managing your own profile, password, two-factor authentication, and the active workspace’s details isn’t gated by role. See Account & profile and Account security.
  • Members, Rewards, Integrations, and Organization management require admin (or owner).
  • Billing is owner-only — see “Organization ownership” below.
  • Developer tools require the developer role or higher, and the developer feature must be turned on. See Enable developer mode.

Organization ownership

Ownership is separate from the four roles above. Every organization has exactly one owner — normally the person who created it.

  • The owner effectively has the highest level of access everywhere, regardless of their per-workspace role.
  • Some actions are reserved for the owner alone — most notably Billing (Settings → Billing), where subscriptions, plans, payment methods, and invoices are managed. See Plans and limits.
  • The owner can also manage the organization itself, including the Danger Zone under Settings → Organization.

So when you read “admin or owner” in these articles, the owner always qualifies — ownership sits on top of the role ranking, not inside it.

Because roles are per workspace, the same person can have different access depending on which workspace they’re in:

  • A member’s role is set when an admin adds them to a workspace, and can be changed afterward — see Change a member’s role.
  • A member only has access to workspaces they’ve been added to. Being part of the organization doesn’t grant access to every workspace. See What is a workspace?
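
The rules above can be read as a single deny-by-default access check. The sketch below is an added example, not Acme's code: the `Org` data model, the `can_access` function, the lowercase area keys and the sample members are all hypothetical. It assumes that "the owner" in the Billing rule means the organization owner, and that ownership applies in every workspace.

```python
from dataclasses import dataclass, field

# Role ranking from the page, lowest to highest.
RANK = {"user": 0, "developer": 1, "admin": 2, "owner": 3}

# Minimum role per settings area, from the notes on the table.
# Billing is absent on purpose: organization ownership alone decides it.
MIN_ROLE = {
    "account": "user", "security": "user", "workspace": "user",
    "developer": "developer",
    "members": "admin", "rewards": "admin",
    "integrations": "admin", "organization": "admin",
}


@dataclass
class Org:
    # Hypothetical data model, not Acme's schema.
    owner_id: str
    developer_enabled: bool = False
    workspaces: dict = field(default_factory=dict)  # workspace -> {member: role}


def can_access(org: Org, member: str, workspace: str, area: str) -> bool:
    """Return True only if `member` may open `area` while in `workspace`."""
    is_owner = member == org.owner_id
    if area == "billing":
        return is_owner  # owner-only, whatever the per-workspace role says
    if area not in MIN_ROLE:
        return False  # unknown area: deny by default
    if area == "developer" and not org.developer_enabled:
        return False  # the feature flag gates every role
    if is_owner:
        return True  # ownership sits on top of the ranking (assumed for all workspaces)
    role = org.workspaces.get(workspace, {}).get(member)
    if role not in RANK:
        return False  # not added to this workspace, or unrecognised role
    return RANK[role] >= RANK[MIN_ROLE[area]]


# Constructed sample organization.
ACME = Org(
    owner_id="olivia",
    workspaces={
        "design": {"dana": "admin", "uma": "user"},
        "platform": {"dana": "user", "dev": "developer"},
    },
)
```

When auditing access, evaluate each member once per workspace: `dana` reaches Members in `design` but not in `platform`, and no admin role reaches Billing.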