Skip to main content

Manage team access

Each workspace in the Clerk Dashboard supports role-based access control to help manage what team members can see and do. When assigning Roles, consider the following:

  • Which resources does this team member need access to?
  • What actions should this team member be able to perform?
  • What level of system configuration access is required?

Available Roles

The following table summarizes the available Roles:

RoleDescription
OwnerFull access to all resources, including workspace member management and instance keys.
AdminManage applications, instances, Billing, configuration, API keys, and instance keys; can impersonate users.
DeveloperManage restrictions, view API keys and Billing, and manage configuration, API keys, secrets, users, and Organizations in development instances only; dev-only user impersonation.
SupportImpersonate users, manage restrictions, and manage users, Organizations, and Organization memberships; read-only access to application configuration.
ViewerRead-only access to configuration; least-privileged Role for basic Dashboard visibility.

Important

Only the Owner and Viewer Roles are available on the Hobby and Pro plans. For the Business plan, all Roles are available.

How Permissions work

Permissions in the Clerk Dashboard are feature-specific. Each feature exposes only the Permissions it supports — some support read, manage, create, and delete, while others expose only one. A Role is a bundle of these Permissions. The Permissions reference below maps each feature to its supported Permissions.

Owner

The Owner Role is the highest level of authority within a workspace, possessing comprehensive access and control over all settings and resources.

Key responsibilities

  • Oversee and manage all resources and applications within a workspace
  • Modify workspace settings, including Billing and member Roles
  • Access and modify all applications, including their settings, API keys, and domains
  • Create, manage, and delete users, Organizations, and Organization memberships
  • Impersonate users and manage restrictions (allowlist, blocklist, waitlist)

See the Permissions reference for the exact Permissions granted to this Role.

Admin

The Admin Role handles day-to-day management across applications and instances.

Key responsibilities

  • Manage applications and instances within a workspace
  • Modify workspace settings, including Billing and member Roles
  • Access and modify all applications, including their settings, API keys, and domains, but cannot delete applications
  • Transfer applications to another workspace
  • Create, manage, and delete users, Organizations, and Organization memberships
  • Impersonate users and manage restrictions (allowlist, blocklist, waitlist)

Important

Admins cannot delete applications, but they can transfer them to another workspace. Transferring an application isn't tied to a Permission — it's available to the Owner and Admin Roles.

See the Permissions reference for the exact Permissions granted to this Role.

Developer

The Developer Role focuses on technical configuration and integrations with limited production access.

Key responsibilities

  • Manage restrictions (allowlist, blocklist, waitlist)
  • View API keys and Billing information
  • Manage configuration, API keys, and secrets in development instances only
  • Manage users, Organizations, and Organization memberships in development instances only
  • Impersonate users in development instances only

See the Permissions reference for the exact Permissions granted to this Role. Permissions marked Dev only apply only within development instances.

Support

The Support Role provides tools to assist customers while preventing modifications to sensitive application configurations.

Key responsibilities

  • Provide direct user support and troubleshooting
  • Impersonate users for issue resolution and debugging
  • Create, manage, and delete users, Organizations, and Organization memberships
  • Manage restrictions (allowlist, blocklist, waitlist)

See the Permissions reference for the exact Permissions granted to this Role.

Viewer

The Viewer Role has read-only access to configuration and workspace-level data.

Key responsibilities

  • Review configuration settings of applications
  • Review workspace-level information and configuration

See the Permissions reference for the exact Permissions granted to this Role.

Permissions reference

The following sections list each feature and its available Permissions. A checkmark indicates that the Role has been granted the Permission. Dev only indicates that the Permission is granted only in development instances.

Global

Workspace-wide Permissions that aren't tied to a single feature.

  • Manage — Grants the ability to create, update, and delete users, Organizations, and Organization memberships.
  • Read — Grants read-only access to users, Organizations, and Organization memberships.

There are no separate create or delete Permissions for these resources. Any Role with the Manage Permission (e.g., Support) can create, update, and delete users, Organizations, and Organization memberships.

RoleReadManage
Owner
Admin
DeveloperDev only
Support
Viewer

Applications

Manage the applications in a workspace. Transferring an application isn't tied to a Permission — it's available to the Owner and Admin Roles.

RoleReadCreateManageDelete
Owner
Admin
Developer
Support
Viewer

Instances

Manage the instances within an application. There is no separate Read Permission — reading instance data is covered by the Configuration feature's Read Permission.

RoleCreateManageDelete
Owner
Admin
Developer
Support
Viewer

Configuration

Manage instance configuration and API keys.

RoleReadManage
Owner
Admin
DeveloperDev only
Support
Viewer

Billing

View and manage workspace Billing.

RoleReadManage
Owner
Admin
Developer
Support
Viewer

Secrets

Manage instance secrets. This feature exposes only a Manage Permission.

RoleManage
Owner
Admin
DeveloperDev only
Support
Viewer

Restrictions

Manage restrictions such as the allowlist, blocklist, and waitlist.

RoleReadManage
Owner
Admin
Developer
Support
Viewer

Users

This feature only exposes the Impersonate Permission. Creating, viewing, managing, and deleting users are controlled by the Global feature's Read and Manage Permissions.

RoleImpersonate
Owner
Admin
DeveloperDev only
Support
Viewer

Feedback

What did you think of this content?

Last updated on