> ## Documentation Index
> Fetch the complete documentation index at: https://docs.enkryptify.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Roles and permissions

> Understand the role-based access control system.

Enkryptify uses role-based access control (RBAC) to determine what each workspace member can do. Every member is assigned a role, and optionally a scope that restricts which teams, projects and environments they can access.

## Roles

There are three roles, each with a fixed set of permissions:

### Admin

Full control over the workspace. Admins can manage members, teams, projects, secrets and workspace settings.

### Developer

Can manage secrets but cannot change workspace settings, manage members or modify teams and projects. Developers have full read and write access to secrets within their scope.

### Member

Read-only access. Members can view teams, projects and secrets but cannot create, update or delete anything.

## Permissions table

| Resource      | Admin       | Developer   | Member    |
| ------------- | ----------- | ----------- | --------- |
| **Workspace** | Full access | Read        | Read      |
| **Members**   | Full access | No access   | No access |
| **Teams**     | Full access | Read        | Read      |
| **Projects**  | Full access | Read        | Read      |
| **Secrets**   | Full access | Full access | Read      |
| **Syncs**     | Full access | No access   | No access |

## Scope

Roles define **what** a member can do. Scope defines **where** they can do it.

By default, members have access to all teams, projects and environments in the workspace. You can restrict this by assigning a scope that limits access to specific teams, projects or environments.

See [Scoped Access](/access-control/scoping) for details on how scoping works.
