> ## Documentation Index > Fetch the complete documentation index at: https://ormilabs.com/docs/llms.txt > Use this file to discover all available pages before exploring further. # Access controls & Roles > Learn about each role and how access controls work on Ormi ## Overview Ormi uses role-based access control (RBAC) to manage what users can view and manage within a project. Each project has four roles: * Owner * Admin * Developer * User Roles determine access to all products, API keys, project settings, and billing. ## Owner The `owner` has full control over the project. ### What owners can do * All `admin` permissions * Manage billing and payment methods * Delete the project * Transfer project ownership > There is exactly **one Owner per project**. ## Admin `admins` manage the project and its members but do not have billing or deletion rights. ### What admins can do * Rename the project * Add or remove project members * Assign roles to members * Deploy and delete subgraphs * Create and manage API keys * View usage and billing information (read-only) ### What admins cannot do * Manage billing * Delete the project * Transfer project ownership ## Developer Developers are responsible for **day-to-day operational tasks.** ### What developers can do * Deploy subgraphs * Delete subgraphs * Create and manage API keys ### What developers cannot do * Manage project members * Change project settings * Access billing * Delete the project ## User Users have **read-only access.** ### What users can do * View subgraphs * Query data * View API keys (read-only) * View project configuration (read-only) ### What users cannot do * Deploy or delete subgraphs * Create API keys * Manage members * Access billing or project settings ## Changing the role of a team member You must delete the member first and reinvite the member with the new role. ## Notes on permission * Permissions are project-scoped. Roles apply per project, not globally. * Only `owners` and `admins` can manage project membership and roles. * Billing access is restricted to `owners` only. * API keys can be created by `admins` and `developers`, but `users` have read-only access. * Some permissions may vary depending on plan or environment configuration.