> ## Documentation Index
> Fetch the complete documentation index at: https://docs.acrity.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Roles and access

> Workspace roles used in the Acrity Console and how to think about permissions.

The Console uses workspace roles to separate administration, operations, billing, and read access. Roles are fixed capability sets defined by Acrity: you assign a role to each member, and that role determines exactly what they can do.

## Main roles

| Role            | What it can do                                                                                                                                                               |
| --------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Workspace admin | Full workspace management: settings, repositories, credentials, connectors, webhooks, API keys, members, and billing.                                                        |
| Maintainer      | Can view and trigger/request reviews and sync VCS status, but cannot manage credentials, connectors, webhooks, API keys, members, workspace settings, or billing.            |
| Billing Manager | Manages billing, wallet, invoices, and spend cap when the organization separates financial administration from technical administration. Plan changes are handled by Acrity. |
| Member          | Read-only access: can view reviews and workspace information, but cannot manage any settings or billing.                                                                     |

## Permission matrix

| Action                                                            | Member | Maintainer | Workspace admin | Billing Manager |
| ----------------------------------------------------------------- | :----: | :--------: | :-------------: | :-------------: |
| View reviews                                                      |    ✓   |      ✓     |        ✓        |        —        |
| Trigger/request review & sync VCS status                          |    —   |      ✓     |        ✓        |        —        |
| Manage repositories, credentials, connectors, webhooks & API keys |    —   |      —     |        ✓        |        —        |
| Invite members & change roles                                     |    —   |      —     |        ✓        |        —        |
| Workspace settings                                                |    —   |      —     |        ✓        |        —        |
| Billing, wallet & spend cap                                       |    —   |      —     |        ✓        |        ✓        |

<Note>
  The Repositories, Credentials, and Connected Apps screens require a Workspace admin (platform admins also have access). Maintainers do not manage these screens; they act on reviews through pull and merge requests and the API.
</Note>

## Best practices

* Keep at least two workspace admins per workspace.
* Assign the Billing Manager role to people who need billing access but should not manage credentials or other technical settings.
* Remove users who left the team and revoke pending invites.
* Review API keys and webhooks whenever workspace admins change.

## Where to manage

Everyone can view the workspace member list. Only a Workspace admin can invite members or change roles.

| Need                                                                       | Console path                  |
| -------------------------------------------------------------------------- | ----------------------------- |
| View the workspace member list (all roles)                                 | `Console > Workspace Members` |
| Invite members or change roles (Workspace admin only)                      | `Console > Workspace Members` |
| Manage billing, wallet, and spend cap (Workspace admin or Billing Manager) | `Console > Billing`           |

<Warning>
  Do not share accounts between people. For auditability and security, each user should access the Console with their own identity.
</Warning>
