CRAFT uses a role-based access system to control what each person can see and do within your organisation and its projects. Roles apply at two levels: the organisation level and the project level.
Organisation-level roles
Organisation-level roles control access to organisation-wide settings and the ability to manage members.
| Role | What they can do |
|---|
| Owner | Full access to everything — invite and deactivate members, manage all projects, configure SSO, view audit logs, and manage organisation settings. There must always be at least one owner. |
| Admin | Invite and deactivate members, create and manage projects, view audit logs. Cannot change organisation billing or ownership. |
| Member | Access to projects they have been explicitly added to. Cannot manage members or organisation settings. |
Project-level roles
Within a project, users can be assigned more granular roles by a project owner or admin.
| Role | What they can do |
|---|
| Owner | Full access to the project — manage members, create and delete resources, manage secrets. |
| Admin | Manage project members and resources. Cannot delete the project. |
| Developer | Create, read, and modify resources. Can manage secrets within the project. |
| Operator | Read resources and trigger workflows. Cannot create or delete resources. |
| Viewer | Read-only access to resources and metadata within the project. |
Organisation owners and admins automatically have admin-level access to all projects in the organisation, even if they are not explicitly added to a project.
How to assign a role
You assign organisation-level roles when inviting a user or by editing their profile on the Members page. See Manage Users for step-by-step instructions.
For project-level roles, a project owner or admin assigns roles from within the project settings. Organisation admins can also assign project roles.
How to remove a role
To remove a user from a project, navigate to the project’s Members settings and remove them. To change an organisation role, edit the user’s profile on the Members page.
Removing a user from a project does not deactivate their account — they retain access to other projects they belong to and to the organisation. 
