# Roles and permissions Formsort accounts are organized according to **roles** and **permissions**, in order to maintain the integrity of your form flows across team members, as well as to clearly delineate responsibilities across the team. Examples of roles include, for example, *Owner*, *Administrator*, *Deployer*, *Designer*, and *Engineer*. Roles are associated to specific permissions such as *Archive or delete flows*, or *Create or update themes*. By assigning team members' accounts to different roles, you can control exactly which actions in the platform are available to whom. The current list of permissions is as follows: ``` deploy_production: Deploy a variant revision to any production environment. create_new_variant revision: Deploy a variant revision to any non-production environment. update_traffic_pattern: Change the traffic pattern of deployed variants within a flows. update_environment: Create new environments or save new revisions of existing environments. update_domain: Add, update, or remove domain names. delete_flow: Archive or delete flows. delete_variant: Archive or delete variants. update_theme: Create or update themes. switch_theme: Switch the theme for an existing variant. update_credential: Create new credentials for integrations. view_accounts: Retrieve the full list of accounts. suspend_account: Suspend other accounts (listed as "delete" account on Owner page) ``` These permissions are associated to the following roles:
OwnerAdminDeployerDesignerEngineerEditorViewer
create_new_variant revision
update_environment
update_domain
update_credential
update_theme
switch_theme
deploy_production
update_traffic_pattern
delete_flow
delete_variant
view_accounts
billing_access
suspend_account
{% hint style="info" %} A user can create new [accounts](/workspace-management/accounts.md) with the same or fewer roles than themselves. {% endhint %} {% hint style="warning" %} An Admin **cannot** assign or create an Owner role. Please make sure to re-assign the Owner permissions if the account is going to be suspended. If you find that there are no Owner-level permissions for your account, please reach out to the Formsort team via Intercom. {% endhint %} ## Role Organization Roles are organized according to a hierarchy, visualized in the diagram below. At the top-level of the hierarchy is the *Owner*, meaning that the *Owner* has access to all permissions associated with all roles under it. Moving down the hierarchy, we have the *Admin*: the admin has access to all permissions except permissions specific to Owner, such as the ability to *Suspend other accounts*. The same rule applies at any level of the hierarchy: a given role has a subset of the permissions of the roles higher on the hierarchy, a superset of the permissions of the roles lower. ![Hierarchical Model of Roles in Formsort](/files/-MdJiV-vxNUawC2GFP_1) {% hint style="info" %} The platform does not contain an explicit Viewer role. Rather, all users on Formsort have the permission to view flows, by default. {% endhint %} ## Adding roles and permissions A given permission can only be granted by a user who already has that specific permission. In other words, a *Deployer* can grant another user with *Deployer* permissions, a *Designer* with *Designer* permissions, and an *Engineer* with *Engineer* permissions. However, a *Deployer* cannot assign a user with e.g. *Engineer* or *Admin* permissions. {% hint style="warning" %} We have not yet implemented functionality to provide visual cues or to hide features which a user does not have permission to use. Currently, any feature that a user does not have permission for will appear normal in the platform, but the user will not be able to use it. {% endhint %} ## **Managing response access with user groups and access policies** Formsort allows you to control **who** can access response data using **user groups** and **access policies**. ### **User groups** User groups let you grant response access to multiple users at once. Instead of manually managing access for individual users, you can create a group and apply it to one or multiple forms. * User groups are managed in the **Admin Workspace settings**. * Any user added to a group with response access will automatically have **read, tag, and download permissions** for the assigned forms.

Formsort user groups

### **Access policies** You can create an **access policy** at both the **form level** and in the **Admin Workspace settings**. To create an access policy, you must define: * **A user or user group** that the policy applies to. * **The resource (form)** that the policy applies to. Since all users with response access can **read, tag, and download responses**, access policies simply determine **who can access responses for each form.**

Formsort access policy

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.formsort.com/workspace-management/accounts/roles-and-permissions.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.