> ## Documentation Index
> Fetch the complete documentation index at: https://conto.finance/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Roles & Permissions

> Organization roles and what each role can access

# Roles & Permissions

Conto uses role-based access control (RBAC) to manage what each team member can do within an organization.

## Roles

| Role        | Description                                                                                                                                                                                            |
| ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **Owner**   | Full access. Can manage billing, settings, encryption keys, and all resources. An organization can have multiple Owners; the last Owner cannot remove themselves without transferring ownership first. |
| **Admin**   | Can manage agents, wallets, policies, API keys, and team members. Cannot change billing or encryption.                                                                                                 |
| **Manager** | Can create and update agents, manage counterparties, approve transactions, and manage alerts. Cannot create wallets or policies.                                                                       |
| **Viewer**  | Read-only access to agents, wallets, policies, transactions, counterparties, alerts, and analytics.                                                                                                    |
| **Member**  | Limited access. Can view wallets but cannot modify anything.                                                                                                                                           |

## Permission Matrix

| Permission             | Owner | Admin | Manager | Viewer | Member |
| ---------------------- | ----- | ----- | ------- | ------ | ------ |
| **Agents**             |       |       |         |        |        |
| View agents            | Yes   | Yes   | Yes     | Yes    | --     |
| Create agents          | Yes   | Yes   | Yes     | --     | --     |
| Update agents          | Yes   | Yes   | Yes     | --     | --     |
| Delete agents          | Yes   | Yes   | --      | --     | --     |
| Suspend/freeze agents  | Yes   | Yes   | Yes     | --     | --     |
| **Wallets**            |       |       |         |        |        |
| View wallets           | Yes   | Yes   | Yes     | Yes    | Yes    |
| Create wallets         | Yes   | Yes   | --      | --     | --     |
| Fund wallets           | Yes   | Yes   | --      | --     | --     |
| Withdraw from wallets  | Yes   | --    | --      | --     | --     |
| **Policies**           |       |       |         |        |        |
| View policies          | Yes   | Yes   | Yes     | Yes    | --     |
| Create/edit policies   | Yes   | Yes   | --      | --     | --     |
| **Transactions**       |       |       |         |        |        |
| View transactions      | Yes   | Yes   | Yes     | Yes    | --     |
| Execute transactions   | Yes   | Yes   | Yes     | --     | --     |
| Approve transactions   | Yes   | Yes   | Yes     | --     | --     |
| **Counterparties**     |       |       |         |        |        |
| View counterparties    | Yes   | Yes   | Yes     | Yes    | --     |
| Manage counterparties  | Yes   | Yes   | Yes     | --     | --     |
| **Alerts**             |       |       |         |        |        |
| View alerts            | Yes   | Yes   | Yes     | Yes    | --     |
| Acknowledge/resolve    | Yes   | Yes   | Yes     | --     | --     |
| **Analytics**          |       |       |         |        |        |
| View analytics         | Yes   | Yes   | Yes     | Yes    | --     |
| Export data            | Yes   | Yes   | --      | --     | --     |
| **Settings**           |       |       |         |        |        |
| View settings          | Yes   | Yes   | --      | --     | --     |
| Modify settings        | Yes   | --    | --      | --     | --     |
| **Team**               |       |       |         |        |        |
| View members           | Yes   | Yes   | Yes     | Yes    | --     |
| Invite/remove members  | Yes   | Yes   | --      | --     | --     |
| **API Keys**           |       |       |         |        |        |
| View API keys          | Yes   | Yes   | --      | --     | --     |
| Create/revoke API keys | Yes   | --    | --      | --     | --     |

## Managing Members

### Invite a Member

Go to **Settings** > **Team** > **Invite Member**. Enter the email and select a role.

### Change a Role

Changing roles requires team management permission (Owner or Admin), and role changes are
enforced by hierarchy: you can only change or remove members whose role is strictly below your
own. An Admin can manage Managers, Members, and Viewers, but not another Admin. Owners can manage
anyone, including other Owners, and only an Owner can promote a member to Owner. The last Owner
cannot be demoted or removed without transferring ownership first.

## API Key Scopes

Organization API keys use scopes that map to these permissions. When creating a key, you can select a preset or pick individual scopes:

| Preset        | Scopes included                                                          |
| ------------- | ------------------------------------------------------------------------ |
| **Read Only** | `*:read` scopes only                                                     |
| **Standard**  | Read + write for agents, wallets, policies, transactions, counterparties |
| **Admin**     | All scopes (Owner-only)                                                  |

See [Admin SDK > Scopes](/sdk/admin#scopes) for the full scope list.
