# Manage team access Each workspace in the Clerk Dashboard supports role-based access control to help manage what team members can see and do. When assigning roles, consider the following: - Which resources does this team member need access to? - What actions should this team member be able to perform? - What level of system configuration access is required? ## Available roles The following table summarizes the available roles: | Role | Description | | --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | | [**Owner**](#owner) | Full access to all resources, including workspace member management and instance keys. | | [**Admin**](#admin) | Manage applications, instances, billing, configuration, API keys, and instance keys; can impersonate users. | | [**Developer**](#developer) | Manage restrictions, view API keys and Billing, and manage configuration and API keys in development instances only; dev-only user impersonation. | | [**Support**](#support) | Provide user support with read-only access to application configuration; can impersonate users and manage restrictions. | | [**Viewer**](#viewer) | Read-only access to configuration; least-privileged role for basic Dashboard visibility. | > Only the **Owner** and **Viewer** roles are available on the Hobby and Pro plans. For the Business plan, all roles are available. ## Owner The **Owner** role is the highest level of authority within a workspace, possessing comprehensive access and control over all settings and resources. **Key responsibilities** - Oversee and manage all resources and applications within a workspace - Modify workspace settings, including Billing and member roles - Access and modify all applications, including their settings, API keys, and domains - Impersonate users and manage restrictions _(allowlist, blocklist, waitlist)_ **Permissions** | | Read | Manage | Create | Delete | Impersonation | | ------------- | :--: | :----: | :----: | :----: | :-----------: | | Global | Yes | Yes | N/A | N/A | N/A | | Applications | Yes | Yes | Yes | Yes | N/A | | Instances | Yes | Yes | Yes | Yes | N/A | | Configuration | Yes | Yes | N/A | N/A | N/A | | Billing | Yes | Yes | N/A | N/A | N/A | | Secrets | N/A | Yes | N/A | N/A | N/A | | Restrictions | Yes | Yes | N/A | N/A | N/A | | Users | Yes | Yes | Yes | Yes | Yes | ## Admin The **Admin** role handles day-to-day management across applications and instances. **Key responsibilities** - Manage applications and instances within a workspace - Modify workspace settings, including Billing and member roles - Access and modify all applications, including their settings, API keys, and domains, but **cannot delete or transfer applications** - Impersonate users and manage restrictions _(allowlist, blocklist, waitlist)_ **Permissions** > Admins **cannot transfer applications** in addition to the permissions below. | | Read | Manage | Create | Delete | Impersonation | | ------------- | :--: | :----: | :----: | :----: | :-----------: | | Global | Yes | Yes | N/A | N/A | N/A | | Applications | Yes | Yes | Yes | No | N/A | | Instances | Yes | Yes | Yes | Yes | N/A | | Configuration | Yes | Yes | N/A | N/A | N/A | | Billing | Yes | Yes | N/A | N/A | N/A | | Secrets | N/A | Yes | N/A | N/A | N/A | | Restrictions | Yes | Yes | N/A | N/A | N/A | | Users | Yes | Yes | Yes | Yes | Yes | ## Developer The **Developer** role focuses on technical configuration and integrations with limited production access. **Key responsibilities** - Manage restrictions _(allowlist, blocklist, waitlist)_ - View API keys and Billing information - Manage configuration and API keys in development instances only - Impersonate users in development instances only **Permissions** | | Read | Manage | Create | Delete | Impersonation | | ------------- | :--: | :------: | :----: | :----: | :-----------: | | Global | Yes | No | N/A | N/A | N/A | | Applications | Yes | No | No | No | N/A | | Instances | Yes | No | No | No | N/A | | Configuration | Yes | Dev only | N/A | N/A | N/A | | Billing | Yes | No | N/A | N/A | N/A | | Secrets | N/A | No | N/A | N/A | N/A | | Restrictions | Yes | Yes | N/A | N/A | N/A | | Users | Yes | No | No | No | Dev only | ## Support The **Support** role provides tools to assist customers while preventing modifications to sensitive application configurations. **Key responsibilities** - Provide direct user support and troubleshooting - Impersonate users for issue resolution and debugging - Manage restrictions _(allowlist, blocklist, waitlist)_ **Permissions** | | Read | Manage | Create | Delete | Impersonation | | ------------- | :--: | :----: | :----: | :----: | :-----------: | | Global | Yes | Yes | N/A | N/A | N/A | | Applications | Yes | No | No | No | N/A | | Instances | Yes | No | No | No | N/A | | Configuration | Yes | No | N/A | N/A | N/A | | Billing | No | No | N/A | N/A | N/A | | Secrets | N/A | No | N/A | N/A | N/A | | Restrictions | Yes | Yes | N/A | N/A | N/A | | Users | Yes | No | No | No | Yes | ## Viewer The **Viewer** role has read-only access to configuration and workspace-level data. **Key responsibilities** - Review configuration settings of applications - Review workspace-level information and configuration **Permissions** | | Read | Manage | Create | Delete | Impersonation | | ------------- | :--: | :----: | :----: | :----: | :-----------: | | Global | Yes | No | N/A | N/A | N/A | | Applications | Yes | No | No | No | N/A | | Instances | Yes | No | No | No | N/A | | Configuration | Yes | No | N/A | N/A | N/A | | Billing | No | No | N/A | N/A | N/A | | Secrets | N/A | No | N/A | N/A | N/A | | Restrictions | No | No | N/A | N/A | N/A | | Users | No | No | No | No | No | --- ## Sitemap [Overview of all docs pages](https://clerk.com/docs/llms.txt)