> ## Documentation Index
> Fetch the complete documentation index at: https://docs.gu1.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# How to manage roles and permissions (RBAC)

> Create and assign roles in Teams and Roles in the Gu1 dashboard.

## Where in the dashboard

* **Roles**: [https://app.gu1.ai/teams?section=roles](https://app.gu1.ai/teams?section=roles) (`/teams?section=roles`)
* Alias: `/roles` redirects to the same section
* **Members**: [https://app.gu1.ai/teams](https://app.gu1.ai/teams)

## Interactive tutorial

<iframe src="https://clueso.site/embed/u2bnshy3oufegki8" frameBorder="0" webkitallowfullscreen mozallowfullscreen allowFullScreen className="w-full aspect-video rounded-xl mb-6" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" />

<Info>
  If the video shows an older “system menu”, use **Teams and Roles → Roles** (`/teams?section=roles`).
</Info>

## How RBAC works in Gu1

Two layers coexist:

1. **Legacy organization roles** (owner, admin, manager, developer, analyst, viewer).
2. **Granular RBAC** with `resource:action` permissions (e.g. `entities:read`, `rules:create`, `cases:assign`).

API endpoints check granular permission with an explicit **legacy fallback**. When granular RBAC is enabled for the org, the Roles UI is the fine-grained source of access.

<Warning>
  Enabling or disabling granular RBAC for an organization is typically a platform (SuperOwner) action. Org admins manage roles and assignments once it is enabled.
</Warning>

## Create a role

<Steps>
  <Step title="Open Roles">
    Go to [https://app.gu1.ai/teams?section=roles](https://app.gu1.ai/teams?section=roles).
  </Step>

  <Step title="Create">
    Click **Create** (or equivalent) and enter a clear name.
  </Step>

  <Step title="Assign permissions">
    Select permissions by resource (entities, rules, cases, enrichments, teams, billing, etc.) and actions (read, create, edit, delete, export, approve, …).
  </Step>

  <Step title="Visibility (if available)">
    For sensitive data you may configure show / disable / hide / obfuscate in the role editor.
  </Step>

  <Step title="Save and assign">
    Save the role and assign it to members from Roles or from the member profile on `/teams`.
  </Step>
</Steps>

## Best practices

<CardGroup cols={2}>
  <Card title="Least privilege" icon="lock">
    Only the permissions required for the job.
  </Card>

  <Card title="Periodic review" icon="calendar-check">
    Review roles and assignments every 3–6 months.
  </Card>

  <Card title="Maker-checker" icon="users-between-lines">
    Separate who proposes rules/lists from who approves.
  </Card>

  <Card title="Multiple roles" icon="users">
    A user can have several roles; permissions combine.
  </Card>
</CardGroup>

## Related

| Topic            | Link                                                                              |
| ---------------- | --------------------------------------------------------------------------------- |
| Invite members   | [Tutorial](/en/tutorials/invite-members) · [UI](https://app.gu1.ai/teams)         |
| Teams            | [Tutorial](/en/tutorials/configure-teams)                                         |
| API Keys         | [Tutorial](/en/tutorials/manage-api-keys) · [UI](https://app.gu1.ai/org-api-keys) |
| Security metrics | [https://app.gu1.ai/metrics/security](https://app.gu1.ai/metrics/security)        |
| Audit trail      | [https://app.gu1.ai/audit-trail](https://app.gu1.ai/audit-trail)                  |
