> ## Documentation Index
> Fetch the complete documentation index at: https://docs.didit.me/llms.txt
> Use this file to discover all available pages before exploring further.

# Roles & Permissions

> Manage team access with role-based permissions in the Didit Console. Use built-in roles or create custom roles with granular per-resource permission control.

## Overview

Didit uses a role-based access control (RBAC) system to manage what team members can do in the console. Each member is assigned a **role**, and each role has a set of **permissions** that control access to specific features.

## Default roles

Didit provides five built-in (system) roles that cover common team structures:

| Role                   | Description                                                                                                                                                 |
| ---------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Owner**              | Full access to all features including organization management, billing, and role management. Only owners can transfer ownership or delete the organization. |
| **Admin**              | Full management access to verification features, team members, and application settings. Cannot delete the organization or manage roles.                    |
| **Compliance Officer** | Focused on reviewing sessions, managing AML/blocklists, viewing audit logs, and handling transactions and business profiles.                                |
| **Developer**          | Manages workflows, webhooks, API keys, questionnaires, and application configuration. Read-only access to verification sessions.                            |
| **Reader**             | Read-only access to all console sections. Cannot modify any data.                                                                                           |

System roles cannot be edited or deleted.

## Custom roles

Organization owners can create **custom roles** with specific permission combinations tailored to your team's needs.

To create a custom role:

1. Go to **Settings** > **Roles**
2. Click **Create Role**
3. Enter a name, slug, and description
4. Select the permissions you want to grant
5. Click **Create Role**

Custom roles can be edited and deleted at any time. You cannot delete a role that is currently assigned to members — reassign them first.

## Permission reference

Permissions follow an `action:resource` format. The available actions are:

* **read** — View a resource
* **write** — Update a resource
* **create** — Create new instances of a resource
* **delete** — Remove a resource
* **list** — List multiple instances of a resource

### Resource permissions

| Resource         | Available actions                 | Console section                                             |
| ---------------- | --------------------------------- | ----------------------------------------------------------- |
| `organization`   | read, write, delete               | Organization settings                                       |
| `members`        | read, list, write, delete         | Team members                                                |
| `roles`          | read, list, write, create, delete | Role management                                             |
| `applications`   | read, list, write, create, delete | Application settings                                        |
| `sessions`       | read, list, create, write, delete | Verification sessions, status changes, and session deletion |
| `users`          | read, list                        | End-user directory                                          |
| `businesses`     | read, list, write                 | Business profiles (KYB)                                     |
| `transactions`   | read, list, create, write         | Transaction monitoring                                      |
| `workflows`      | read, write, create, delete       | Workflow editor                                             |
| `questionnaires` | read, write, create, delete       | Questionnaires                                              |
| `customization`  | read, write                       | White-label branding                                        |
| `lists`          | read, write, create, delete       | Lists (blocklists/allowlists)                               |
| `blocklist`      | read, write, create               | Blocklist management                                        |
| `webhooks`       | read, write, create, delete       | Webhook destinations                                        |
| `api-keys`       | read, write                       | API key management                                          |
| `analytics`      | read                              | Analytics dashboard                                         |
| `audit-logs`     | read, list                        | Audit logs                                                  |
| `subscription`   | read, write                       | Billing and usage                                           |
| `invoices`       | read, list                        | Invoice management                                          |
| `saml`           | read, write                       | SSO/SAML configuration                                      |

## Assigning roles

When inviting a new team member or editing an existing member, you select from all available roles (both system and custom).

Members can only be assigned one role at a time. To change a member's role, go to **Settings** > **Team** and edit the member.
