---
title: Roles & Permissions | Keycard
description: Manage access control for your organization and zones
---

Keycard uses **role-based access control (RBAC)** to manage what users can do within your organization. Access is controlled at two levels:

1. **Organization roles** - Control access to organization-wide settings and resources
2. **Zone roles** - Control access to specific zones and their resources

---

## Organization Roles

Organization roles determine what a user can do at the organization level. Every user in an organization has exactly one organization role.

| Role                           | Description                                                                               |
| ------------------------------ | ----------------------------------------------------------------------------------------- |
| **Organization Administrator** | Full access to organization settings, members, and all zones                              |
| **Organization Viewer**        | Read-only access to organization information; can only access zones where assigned a role |
| **Organization Member**        | No organization-level access; can only access zones where assigned a role                 |

### Organization Administrator

Organization Administrators have full control over the organization:

- Manage organization settings
- Invite and remove members
- Change member roles
- Create, update, and delete zones
- Create and manage service accounts
- View audit logs
- Full access to all zones (implicitly)

**Caution:** Every organization must have at least one Administrator. You cannot remove or demote the last Administrator in an organization.

### Organization Viewer

Organization Viewers have read-only access to organization-level information:

- View organization information (settings, members, service accounts)
- Can only view zones to which they have been granted explicit access
- Cannot modify any organization-level entities

**Note:** Organization Viewers must be explicitly added to zones by an Administrator. By default, they have no zone access and cannot see any zones.

### Organization Member

Organization Members have no organization-level access:

- Cannot view organization information (settings, members, service accounts)
- Can only view zones to which they have been granted explicit access

**Note:** Organization Members must be explicitly added to zones by an Administrator. By default, they have no zone access and cannot see any zones.

---

## Zone Roles

Zone roles control access to resources within a specific zone. Users can have different roles in different zones, allowing fine-grained access control.

| Role             | Description                                                                        |
| ---------------- | ---------------------------------------------------------------------------------- |
| **Zone Manager** | Full access to create, read, update, and delete all entities in the zone           |
| **Zone Viewer**  | Read-only access to view all entities in the zone                                  |
| **No Access**    | Cannot access the zone (default for Organization Viewers and Organization Members) |

### Zone Manager

Zone Managers have full control over zone resources:

- Create, update, and delete applications
- Manage application credentials and dependencies
- Create, update, and delete resources
- Configure providers
- View sessions and user activity
- Manage zone users (add and remove users, revoke grants and sessions)

### Zone Viewer

Zone Viewers have read-only access:

- View applications and their configurations
- View resources and providers
- View sessions and user activity
- Cannot create, modify, or delete any entities

---

## Permissions Summary

### Organization-Level Entities

Organization-level entities include:

- **Organization settings** - Name and configuration
- **SSO settings** - Single sign-on configuration
- **Members and invitations** - Console user management
- **Service accounts** - API credentials for automation
- **Zones** - Create and manage zones
- **Audit logs** - Activity and security events

| Role                           | Access                             |
| ------------------------------ | ---------------------------------- |
| **Organization Administrator** | Full access (including audit logs) |
| **Organization Viewer**        | View-only (excluding audit logs)   |
| **Organization Member**        | No access                          |

### Zone-Level Entities

Zone-level entities include:

- **Zone settings** - Configuration
- **Applications** - OAuth clients, credentials, and dependencies
- **Resources** - External APIs and services
- **Providers** - Credential providers for resources and applications
- **Sessions and users** - Authentication activity

| Role             | Access      |
| ---------------- | ----------- |
| **Zone Manager** | Full access |
| **Zone Viewer**  | View-only   |

**Note:** Organization Administrators have implicit Zone Manager access to all zones.

---

## Managing Member Roles

**Note:** Only Organization Administrators can manage organization members and their roles.

### Inviting Members

When inviting new members to your organization, you assign their organization role:

1. **Navigate to Members**

   Click the organization dropdown and select **Members**.

2. **Add Member**

   Click the **Add member** button.

3. **Enter Email and Role**

   Enter the email address(es) and select an organization role:

   - **Organization Administrator** - Full access to organization and all zones
   - **Organization Viewer** - Read-only access to organization information; can only access zones where assigned a role
   - **Organization Member** - No organization-level access; can only access zones where assigned a role

4. **Send Invitation**

   Click **Add members**. The member(s) will receive an email invitation.

**Note:** Only Organization Administrators can invite new members.

### Changing Organization Roles

To change a member’s organization role:

1. Navigate to **Members** in your organization settings
2. Find the member in the list
3. Click on their current role to open the role dropdown
4. Select the new role

**Caution:** Changing a user from Organization Administrator to a lower role will revoke their implicit access to all zones.
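The access model described on this page (organization roles, per-zone roles, the implicit Zone Manager access of Administrators, the last-Administrator rule, and the loss of implicit zone access on demotion) condensed into a small authorization check. This is an added illustration, not Keycard's own code; the role names come from this page, while the `Member`, `effective_zone_role` and `change_org_role` names and the sample organization are assumptions made here.

```python
from dataclasses import dataclass, field
from enum import Enum

class OrgRole(Enum):
    ADMIN = "Organization Administrator"
    VIEWER = "Organization Viewer"
    MEMBER = "Organization Member"

class ZoneRole(Enum):
    MANAGER = "Zone Manager"
    VIEWER = "Zone Viewer"   # absence from zone_roles means "No Access"

@dataclass
class Member:
    org_role: OrgRole
    zone_roles: dict = field(default_factory=dict)  # zone name -> ZoneRole

def effective_zone_role(member: Member, zone: str):
    # Administrators hold implicit Zone Manager in every zone; everyone else needs an explicit grant.
    if member.org_role is OrgRole.ADMIN:
        return ZoneRole.MANAGER
    return member.zone_roles.get(zone)

def can_read_org(member: Member, entity: str) -> bool:
    # Viewers read organization-level entities except audit logs; Members have no org-level access.
    return member.org_role is OrgRole.ADMIN or (member.org_role is OrgRole.VIEWER and entity != "audit_logs")

def can_write_org(member: Member) -> bool:
    return member.org_role is OrgRole.ADMIN

def can_read_zone(member: Member, zone: str) -> bool:
    return effective_zone_role(member, zone) is not None

def can_write_zone(member: Member, zone: str) -> bool:
    return effective_zone_role(member, zone) is ZoneRole.MANAGER

def change_org_role(org: dict, name: str, new_role: OrgRole) -> None:
    """Change a member's organization role; refuse to demote the last Administrator."""
    admins = [n for n, m in org.items() if m.org_role is OrgRole.ADMIN]
    if admins == [name] and new_role is not OrgRole.ADMIN:
        raise PermissionError("cannot demote the last Organization Administrator")
    org[name].org_role = new_role   # implicit zone access disappears together with the Admin role

def sample_org() -> dict:
    # Constructed sample data: one Administrator, one Member with per-zone grants, one Viewer.
    return {
        "alice": Member(OrgRole.ADMIN),
        "bob": Member(OrgRole.MEMBER, {"staging": ZoneRole.MANAGER, "production": ZoneRole.VIEWER}),
        "carol": Member(OrgRole.VIEWER),
    }
```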

### Assigning Zone Access

To grant an Organization Member access to a zone:

1. **Select Member**

   Navigate to **Members** and click on the member you want to modify.

2. **View Zone Access**

   In the member details panel, you’ll see a list of zones with their current access level.

3. **Assign Zone Role**

   For each zone, select the appropriate role:

   - **Zone Manager** - Full access to the zone
   - **Zone Viewer** - Read-only access

---

## Best Practices

### Use least privilege

Assign the minimum role required for each user’s responsibilities. Start with Organization Member + specific zone access rather than Organization Administrator.

### Separate environments with zones

Use different zones for production, staging, and development. Grant developers Zone Manager access to staging/dev zones but only Zone Viewer access to production.

### Use service accounts for automation

For CI/CD pipelines and automated workflows, use [service accounts](/concepts/index.md) instead of user credentials.

### Regularly audit access

Review organization members and their zone access periodically. Remove access for users who no longer need it.
