# User Roles and Permissions

> Understand how each Partoo role controls read and write access to API resources.

A **role** defines what you can **read** and/or **write** for every resource (such as users, organizations, or businesses) and at which **scope** that access applies.

<Info>
  **Custom Roles Available**

  In addition to the standard roles below, you can
  create custom roles with granular permissions tailored to your organization's
  needs. Learn more in our [Custom Roles and Permissions
  guide](/guides/api/guides/custom-roles-and-permissions).
</Info>

## Quick Reference: Available Roles

| Role               | Intended for                                                         | High-level capabilities                                               | Permissions customizable with [Custom Roles](/guides/api/guides/custom-roles-and-permissions)? |
| ------------------ | -------------------------------------------------------------------- | --------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------- |
| `ORG_ADMIN`        | Client administrators                                                | Manage users and businesses in **their** organization.                | ❌                                                                                              |
| `ORG_MANAGER`      | Client users requiring access to the full scope of the organization. | Manage users and businesses in **their** organization.                | ✅                                                                                              |
| `GROUP_MANAGER`    | Client group managers                                                | Manage users and businesses inside their group.                       | ✅                                                                                              |
| `BUSINESS_MANAGER` | Client business managers                                             | Manage businesses inside their group; limited user management.        | ✅                                                                                              |
| `PUBLISHER`        | External data consumers                                              | **Read-only** access to businesses subscribed to Presence Management. | ❌                                                                                              |

<Note>
  The default permissions of the `ORG_MANAGER`, `GROUP_MANAGER`, and
  `BUSINESS_MANAGER` roles can be overridden with built-in custom roles that
  provide different permissions. Learn how to configure these in our [Custom
  Roles and Permissions guide](/guides/api/guides/custom-roles-and-permissions).
</Note>

***

## Detailed Permissions by Role

All permissions listed below assume the user is not using a Custom Role that alters these defaults. For more information about custom roles, see [Managing User Permissions with Custom Roles](/guides/api/guides/custom-roles-and-permissions).

<Note>
  **Users with the `ORG_ADMIN` or `PUBLISHER` role cannot be modified with custom roles.**

  `ORG_ADMIN` users always have full access to their organization, while
  `PUBLISHER` users always have read-only access to locations with an active
  Presence Management subscription.
</Note>

<Tabs>
  <Tab title="Org Admin">
    ### Read Access

    | Resource         | Scope        | Details                                   |
    | ---------------- | ------------ | ----------------------------------------- |
    | **User**         | Organization | Read users in the same organization.      |
    | **Organization** | Organization | Read your own organization object.        |
    | **Group**        | Organization | Read groups in the same organization.     |
    | **Business**     | Organization | Read businesses in the same organization. |

    ### Write Access

    | Resource         | Scope        | Allowed actions                                                                                                                                                                |
    | ---------------- | ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
    | **User**         | Organization | • Create users (inherit provider & `org_id`) <br /> • Update users in the organization <br /> • Assign roles **`ORG_MANAGER`**, **`GROUP_MANAGER`**, or **`BUSINESS_MANAGER`** |
    | **Organization** | Organization | • Update the organization itself <br /> • *Cannot* create new organizations                                                                                                    |
    | **Group**        | Organization | • Create groups (inherit provider & `org_id`) <br /> • Update groups in the organization                                                                                       |
    | **Business**     | Organization | • Create businesses (inherit provider & `org_id`) <br /> • Update businesses in the organization                                                                               |
  </Tab>

  <Tab title="Org Manager">
    ### Read Access

    | Resource         | Scope        | Details                                   |
    | ---------------- | ------------ | ----------------------------------------- |
    | **User**         | Organization | Read users in the same organization.      |
    | **Organization** | Organization | Read your own organization object.        |
    | **Group**        | Organization | Read groups in the same organization.     |
    | **Business**     | Organization | Read businesses in the same organization. |

    ### Write Access

    | Resource         | Scope        | Allowed actions                                                                                                                                            |
    | ---------------- | ------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------- |
    | **User**         | Organization | • Create users (inherit provider & `org_id`) <br /> • Update users in the organization <br /> • Assign roles **`GROUP_MANAGER`** or **`BUSINESS_MANAGER`** |
    | **Organization** | Organization | *No write access*                                                                                                                                          |
    | **Group**        | Organization | • Create groups (inherit provider & `org_id`) <br /> • Update groups in the organization                                                                   |
    | **Business**     | Organization | • Create businesses (inherit provider & `org_id`) <br /> • Update businesses in the organization                                                           |
  </Tab>

  <Tab title="Group Manager">
    ### Read Access

    | Resource         | Scope        | Details                              |
    | ---------------- | ------------ | ------------------------------------ |
    | **User**         | Organization | Read users in the same organization. |
    | **Organization** | Organization | Read your own organization object.   |
    | **Group**        | Group        | Read your own group.                 |
    | **Business**     | Group        | Read businesses in your group.       |

    ### Write Access

    | Resource     | Scope | Allowed actions                                                       |
    | ------------ | ----- | --------------------------------------------------------------------- |
    | **Business** | Group | • Update businesses in your group <br /> • *Cannot* create businesses |
    | **User**     | Self  | Update your own user profile                                          |
    | *Others*     | —     | *No write access*                                                     |
  </Tab>

  <Tab title="Business Manager">
    ### Read Access

    | Resource         | Scope        | Details                                    |
    | ---------------- | ------------ | ------------------------------------------ |
    | **User**         | Organization | Read users in the same organization.       |
    | **Organization** | Organization | Read your own organization object.         |
    | **Group**        | Group        | Read your own group.                       |
    | **Business**     | Business     | Read businesses you have direct access to. |

    ### Write Access

    | Resource     | Scope    | Allowed actions                              |
    | ------------ | -------- | -------------------------------------------- |
    | **Business** | Business | Update businesses you have direct access to. |
    | **User**     | Self     | Update your own user profile                 |
    | *Others*     | —        | *No write access*                            |
  </Tab>

  <Tab title="Publisher">
    > **Publisher** is a **read-only** role.\
    > Publishers use Partoo solely as a data source for locations with an active Presence Management subscription.

    | Resource     | Scope                 | Access    |
    | ------------ | --------------------- | --------- |
    | **Business** | Subscribed businesses | Read only |
    | *All others* | —                     | No access |
  </Tab>
</Tabs>
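
The default write tables above can be encoded as a deny-by-default check, useful for reviewing role changes or for testing an integration's authorization logic. This is an added example, not Partoo code: the `id`, `group_id` and `business_ids` keys and the event tuples are hypothetical, and the assignable roles listed in the tables are treated as exhaustive.

```python
# Added example (not Partoo code): default write matrix; keys other than org_id are hypothetical.
WRITE = {  # role -> resource -> (scope, may_create)
    "ORG_ADMIN": {"user": ("org", True), "organization": ("org", False),
                  "group": ("org", True), "business": ("org", True)},
    "ORG_MANAGER": {"user": ("org", True), "group": ("org", True), "business": ("org", True)},
    "GROUP_MANAGER": {"business": ("group", False), "user": ("self", False)},
    "BUSINESS_MANAGER": {"business": ("business", False), "user": ("self", False)},
    "PUBLISHER": {},  # read-only role
}
ASSIGNABLE = {  # roles a writer may hand out (assumption: the listed roles are exhaustive)
    "ORG_ADMIN": {"ORG_MANAGER", "GROUP_MANAGER", "BUSINESS_MANAGER"},
    "ORG_MANAGER": {"GROUP_MANAGER", "BUSINESS_MANAGER"},
}

def in_scope(actor, scope, target):
    """True if target lies inside the actor's scope; access never crosses org_id."""
    if target.get("org_id") != actor["org_id"]:
        return False
    return {
        "org": True,
        "group": actor.get("group_id") is not None and target.get("group_id") == actor.get("group_id"),
        "business": target.get("id") in actor.get("business_ids", ()),
        "self": target.get("id") == actor["id"],
    }[scope]

def can_write(actor, action, resource, target, new_role=None):
    """Deny by default. action is 'create' or 'update'; new_role is set on a role assignment."""
    rule = WRITE.get(actor["role"], {}).get(resource)
    if rule is None:
        return False
    scope, may_create = rule
    if action == "create" and not may_create:
        return False
    if new_role is not None and new_role not in ASSIGNABLE.get(actor["role"], ()):
        return False
    return in_scope(actor, scope, target)

def violations(events):
    """Names of events (name, actor, action, resource, target[, new_role]) outside the matrix."""
    return [name for name, *call in events if not can_write(*call)]

# Constructed sample actors and audit events
MGR = {"id": "u2", "role": "ORG_MANAGER", "org_id": "org-1"}
GM = {"id": "u3", "role": "GROUP_MANAGER", "org_id": "org-1", "group_id": "g1"}
EVENTS = [
    ("mgr-grants-org-manager", MGR, "update", "user", {"id": "u9", "org_id": "org-1"}, "ORG_MANAGER"),
    ("gm-updates-group-business", GM, "update", "business", {"id": "b1", "org_id": "org-1", "group_id": "g1"}),
    ("gm-creates-business", GM, "create", "business", {"org_id": "org-1", "group_id": "g1"}),
    ("gm-self-promotes", GM, "update", "user", {"id": "u3", "org_id": "org-1"}, "ORG_MANAGER"),
]
```

`violations(EVENTS)` flags the three events that exceed the defaults; a user on a custom role needs that role's own matrix instead.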
