Manage team access
Each workspace in the Clerk Dashboard supports role-based access control to help manage what team members can see and do. When assigning Roles, consider the following:
- Which resources does this team member need access to?
- What actions should this team member be able to perform?
- What level of system configuration access is required?
Available Roles
The following table summarizes the available Roles:
How Permissions work
Permissions in the Clerk Dashboard are feature-specific. Each feature exposes only the Permissions it supports — some support read, manage, create, and delete, while others expose only one. A Role is a bundle of these Permissions. The Permissions reference below maps each feature to its supported Permissions.
Owner
The Owner Role is the highest level of authority within a workspace, possessing comprehensive access and control over all settings and resources.
Key responsibilities
- Oversee and manage all resources and applications within a workspace
- Modify workspace settings, including Billing and member Roles
- Access and modify all applications, including their settings, API keys, and domains
- Create, manage, and delete users, Organizations, and Organization memberships
- Impersonate users and manage restrictions (allowlist, blocklist, waitlist)
See the Permissions reference for the exact Permissions granted to this Role.
Admin
The Admin Role handles day-to-day management across applications and instances.
Key responsibilities
- Manage applications and instances within a workspace
- Modify workspace settings, including Billing and member Roles
- Access and modify all applications, including their settings, API keys, and domains, but cannot delete applications
- Transfer applications to another workspace
- Create, manage, and delete users, Organizations, and Organization memberships
- Impersonate users and manage restrictions (allowlist, blocklist, waitlist)
See the Permissions reference for the exact Permissions granted to this Role.
Developer
The Developer Role focuses on technical configuration and integrations with limited production access.
Key responsibilities
- Manage restrictions (allowlist, blocklist, waitlist)
- View API keys and Billing information
- Manage configuration, API keys, and secrets in development instances only
- Manage users, Organizations, and Organization memberships in development instances only
- Impersonate users in development instances only
See the Permissions reference for the exact Permissions granted to this Role. Permissions marked Dev only apply only within development instances.
Support
The Support Role provides tools to assist customers while preventing modifications to sensitive application configurations.
Key responsibilities
- Provide direct user support and troubleshooting
- Impersonate users for issue resolution and debugging
- Create, manage, and delete users, Organizations, and Organization memberships
- Manage restrictions (allowlist, blocklist, waitlist)
See the Permissions reference for the exact Permissions granted to this Role.
Viewer
The Viewer Role has read-only access to configuration and workspace-level data.
Key responsibilities
- Review configuration settings of applications
- Review workspace-level information and configuration
See the Permissions reference for the exact Permissions granted to this Role.
Permissions reference
The following sections list each feature and its available Permissions. A checkmark indicates that the Role has been granted the Permission. Dev only indicates that the Permission is granted only in development instances.
Global
Workspace-wide Permissions that aren't tied to a single feature.
- Manage — Grants the ability to create, update, and delete users, Organizations, and Organization memberships.
- Read — Grants read-only access to users, Organizations, and Organization memberships.
There are no separate create or delete Permissions for these resources. Any Role with the Manage Permission (e.g., Support) can create, update, and delete users, Organizations, and Organization memberships.
Applications
Manage the applications in a workspace. Transferring an application isn't tied to a Permission — it's available to the Owner and Admin Roles.
Instances
Manage the instances within an application. There is no separate Read Permission — reading instance data is covered by the Configuration feature's Read Permission.
Configuration
Manage instance configuration and API keys.
Billing
View and manage workspace Billing.
Secrets
Manage instance secrets. This feature exposes only a Manage Permission.
Restrictions
Manage restrictions such as the allowlist, blocklist, and waitlist.
Users
This feature only exposes the Impersonate Permission. Creating, viewing, managing, and deleting users are controlled by the Global feature's Read and Manage Permissions.
Feedback
Last updated on