# Roles

A **role** is a named set of permissions across StepSecurity features. Each member is assigned exactly one role, and that role determines what they can see and do in the platform.

StepSecurity uses a role-based access control (RBAC) model with two kinds of roles:

* **System roles**: built-in roles that ship with StepSecurity and cover the most common use cases. System roles cannot be edited or deleted.
* **Custom roles**: roles you define yourself to grant exactly the permissions a team needs, no more.

<figure><img src="/files/IJzkOgI2yuQkgDQI28nx" alt=""><figcaption></figcaption></figure>

The Roles page lists every role in your account, system and custom. For each role you can see:

* **Role**: the role name and description
* **Type**: `System` for built-in roles, `Custom` for roles you created
* **Coverage**: how many features the role has read access to (`reads`), how many it has write access to (`writes`), and the feature categories it touches (shown as badges)
* **Last updated (GMT)**: `Built-in` for system roles, or the timestamp and author for custom roles

You can search the list by role name or description.

#### Permission model

Each StepSecurity feature exposes one or more permissions. Within a role, every feature can be set to one of three access levels:

* **No access**: the role cannot see or modify the feature
* **Read-only**: the role can view the feature's data but cannot modify it
* **Read & write**: the role can both view and modify the feature

The `reads` and `writes` counts shown for each role on the Roles list summarize these choices across all available features.

<figure><img src="/files/EeBJgWPS0uEhbnPK6xAH" alt=""><figcaption></figcaption></figure>

#### Built-in roles

StepSecurity ships with two system roles:

| Role        | Description                                                                                                                                                                                                     |
| ----------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **admin**   | Full read & write across every feature. Use this for users who need to administer StepSecurity, including managing members, roles, integrations, and security policies.                                         |
| **auditor** | Read-only across every feature. Use this for users who need full visibility into security data and configuration without the ability to change anything. Common for compliance, audit, and reporting use cases. |

{% hint style="info" %}
System roles cannot be edited or deleted. If you need a different combination of permissions, create a custom role.
{% endhint %}

### Creating a custom role

Custom roles let you grant the exact permissions a team needs. For example, a `detection-viewer` role might give a triage team read-only access to Harden-Runner detections without exposing the Admin Console.

To create a custom role:

* Open **Admin console → Access Control → Roles**.

<figure><img src="/files/IJzkOgI2yuQkgDQI28nx" alt=""><figcaption></figcaption></figure>

* Click **+ New role** and enter a **Role name** and **Description**.

<figure><img src="/files/eGtxCph3HtxyN3pOBP0o" alt=""><figcaption></figcaption></figure>

* Under **Permissions**, expand each feature category and select the appropriate access level for each permission: **No access**, **Read-only**, or **Read & write**. Once you have configured all permissions, click **Create role**.

<figure><img src="/files/0Vga9z3dklT6KxmsIil1" alt=""><figcaption></figcaption></figure>

### Assigning roles to members

Roles are assigned to members from the **Members** page:

* Open **Admin console → Access Control → Members**.

<figure><img src="/files/HXyCmeEuETgWEI7MKPEu" alt=""><figcaption></figcaption></figure>

* Find the member in the list, open the **⋮** menu in their row, and select **Edit**. In the Edit Member flow, proceed to the final step (**3/3: Select Role**), choose the desired role from the dropdown, and click **Update**.

<figure><img src="/files/JA5OyequyU0bkVFa5qjJ" alt=""><figcaption></figcaption></figure>

A member can have only one role assigned at a time. To change a member's role, repeat the steps above and select a different role. The currently assigned role, and the permissions it grants, are visible on the member detail panel under the **Permissions** tab.

<figure><img src="/files/LEg4ZOZToGmllBgmP1e9" alt=""><figcaption></figcaption></figure>

The Permissions tab shows the assigned role along with:

* The role's **scope** (`Customer` or organization-specific)
* What the role **applies to** (`all organizations` or a named organization)
* The full list of granted permissions, grouped by feature category, with a `Read-only` or `Read & write` badge on each individual permission

#### Role scope: customer vs organization

Roles are assigned at one of two scopes:

* **Customer scope**: the role applies across every organization in your StepSecurity account. Use customer-scoped roles for users who need consistent access company-wide, such as security administrators or compliance auditors.
* **Organization scope**: the role applies only within a specific organization. Use organization-scoped roles when a user should have access to one team's resources but not another's.

The scope is set when the role is assigned to a member, not when the role itself is created. The same role definition can be assigned at customer scope to one member and at organization scope to another.

### Editing or deleting custom roles

Custom roles can be edited or deleted from the Roles list using the **⋮** menu on the role's row:

* **Edit**: change the role's name, description, or permissions. Existing assignments continue to apply, and any change to permissions takes effect immediately for every member with the role assigned.
* **Delete**: remove the role permanently. A role cannot be deleted while any member has it assigned. Unassign the role from every member first, then delete it.

Renaming a role is safe. Internal references use the role's UUID (assigned at creation time), so existing assignments update automatically when the name changes.

System roles (`admin`, `auditor`) cannot be edited or deleted.
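As an added example (not StepSecurity's code, and not an API the product exposes), the following Python sketch models the behaviour described on this page in one place: the per-feature access levels and the `reads`/`writes` coverage counts from the permission model, the two system roles, customer- versus organization-scoped assignment, the one-role-per-member rule, and the edit/delete rules for custom roles. The feature catalogue, the in-memory store, and all class and method names are assumptions made for illustration.

```python
# Added example modelling the roles described on this page; it is not
# StepSecurity's code. The feature catalogue, the in-memory store and all
# class/method names are assumptions made for illustration.
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional
import uuid


class Access(Enum):
    NONE = "No access"
    READ = "Read-only"
    WRITE = "Read & write"


# Constructed feature catalogue (feature -> category). Harden-Runner detections
# and the Admin Console are named on the page; the other entries are assumed.
FEATURES = {
    "harden_runner_detections": "Harden-Runner",
    "harden_runner_policies": "Harden-Runner",
    "members": "Admin Console",
    "roles": "Admin Console",
}


@dataclass
class Role:
    name: str
    description: str
    permissions: dict                 # feature -> Access; unlisted = NONE
    system: bool = False              # built-in: cannot be edited or deleted
    id: str = field(default_factory=lambda: str(uuid.uuid4()))  # stable UUID

    def level(self, feature):
        return self.permissions.get(feature, Access.NONE)

    def coverage(self):
        """(reads, writes, category badges) as shown on the Roles list.
        Assumed: 'reads' counts every feature the role can view, so a
        Read & write feature counts toward both numbers."""
        visible = [f for f in FEATURES if self.level(f) is not Access.NONE]
        writes = sum(1 for f in visible if self.level(f) is Access.WRITE)
        return len(visible), writes, sorted({FEATURES[f] for f in visible})


@dataclass
class Assignment:
    role_id: str
    org: Optional[str] = None         # None = customer scope (all organizations)


class AccessControl:
    """In-memory store: roles keyed by UUID, exactly one assignment per member."""

    def __init__(self):
        self.roles = {}
        self.assignments = {}         # member -> Assignment
        # System roles: admin is Read & write everywhere, auditor is Read-only.
        self.admin = self._add(Role("admin", "Full read & write across every feature",
                                    {f: Access.WRITE for f in FEATURES}, system=True))
        self.auditor = self._add(Role("auditor", "Read-only across every feature",
                                      {f: Access.READ for f in FEATURES}, system=True))

    def _add(self, role):
        self.roles[role.id] = role
        return role

    def create_role(self, name, description, permissions):
        return self._add(Role(name, description, dict(permissions)))

    def assign(self, member, role_id, org=None):
        """Assigning replaces any previous role: a member holds one role at a time."""
        if role_id not in self.roles:
            raise KeyError(role_id)
        self.assignments[member] = Assignment(role_id, org)

    def access(self, member, feature, org):
        """Effective level for `member` acting inside organization `org`."""
        a = self.assignments.get(member)
        if a is None or (a.org is not None and a.org != org):
            return Access.NONE        # no role, or role scoped to another org
        return self.roles[a.role_id].level(feature)

    def can_read(self, member, feature, org):
        return self.access(member, feature, org) is not Access.NONE

    def can_write(self, member, feature, org):
        return self.access(member, feature, org) is Access.WRITE

    def _custom(self, role_id):
        role = self.roles[role_id]
        if role.system:
            raise PermissionError("system roles cannot be edited or deleted")
        return role

    def rename_role(self, role_id, new_name):
        self._custom(role_id).name = new_name   # assignments hold the UUID, not the name

    def delete_role(self, role_id):
        self._custom(role_id)
        holders = [m for m, a in self.assignments.items() if a.role_id == role_id]
        if holders:
            raise ValueError(f"still assigned to {holders}; unassign first")
        del self.roles[role_id]
```

Because assignments store the role's UUID, `rename_role` leaves them untouched, and `delete_role` refuses while any member still holds the role, mirroring the rules above. Scope lives on the assignment rather than on the role, so the same `Role` object can be assigned customer-wide to one member and to a single organization for another; `access()` returns `No access` whenever an organization-scoped member acts outside their organization.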


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.stepsecurity.io/administration/admin-console/access-control/roles.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
