> ## Documentation Index > Fetch the complete documentation index at: https://docs.portkey.ai/docs/llms.txt > Use this file to discover all available pages before exploring further. # User Roles & Permissions > Learn about Portkey's comprehensive role-based access control system across Organizations and Workspaces. Portkey implements a comprehensive role-based access control (RBAC) system that operates across two main hierarchical levels: **Organizations** and **Workspaces**. This dual-layer approach ensures precise control over who can access what resources, enhancing security while enabling effective team collaboration. ## Organization Level Organizations represent the highest level of structure within Portkey. At this level, there are three distinct roles with varying levels of administrative control: The highest authority with complete control of the organization Extensive administrative privileges across the organization Base-level organization access, typically assigned to workspace roles ### Organization Role Permissions | Capability | Owner | Admin | Member (without workspace) | | ---------------------------- | :-------------------------------------------: | :-------------------------------------------: | :------------------------------------: | | Billing Management | | | | | Manage Organization Settings | | | | | Create/Delete Workspaces | | | | | Manage Admin API Keys | | | | | Edit User Roles | | | | | Invite Organization Users | | | | | Configure Access Permissions | | | | | Access to All Workspaces | | | | **Important**: Organization Owners and Admins automatically receive Admin-level access to all workspaces within the organization. All users must first be added as Organization Members before they can be invited to any workspace. ## Workspace Level Workspaces are sub-organizational units that enable better team and project management. Each workspace maintains its own access control structure with three distinct roles: Complete control over workspace configuration and team management Administrative capabilities for team and resource management Read-only access to workspace resources ### Workspace Role Permissions | Capability | Admin | Manager | Member | | ---------------------------------------- | :-------------------------------------------: | :-------------------------------------------: | :-------------------------------------------: | | Invite Organization Members to Workspace | | | | | Assign Workspace Roles (including Admin) | | | | | Create Workspace API Keys | | | | | Create/Update/Delete Resources | | | | | View Workspace Resources | | | | **Member Access**: Workspace Members have read-only access to workspace resources (logs, prompts, config, virtual keys etc.) but cannot create, update, or delete any resources. ## Access Permission Configuration Organization Owners and Admins can configure access permissions for various resources across workspaces. These settings determine what each role can access: By default Workspace Admins and Managers have the same permissions unless changed by Organization Owner or Admin. Control which roles can view, filter, and export logs Manage access to provider API keys for different roles Configure API key creation and management rights **Key Workflow**: Users must first be added as organization members before they can be invited to any workspace. Workspace admins and managers can then invite organization members to their workspace and assign appropriate roles. ## Related Topics