> ## Documentation Index > Fetch the complete documentation index at: https://docs.unstructured.io/llms.txt > Use this file to discover all available pages before exploring further. # Role-based access control (RBAC) The following information applies only to Unstructured [organizational accounts](/pipelines/account/organizations), which are available only for Unstructured **Business** accounts. To upgrade from an Unstructured **Let's Go** or **Pay-As-You-Go** account to a **Business** account, contact your Unstructured sales representative, or email Unstructured Sales at [sales@unstructured.io](mailto:sales@unstructured.io). *Roles* in Unstructured are part of the *role-based access control* (RBAC) system that manages permissions for members of organizational accounts and their workspaces. For Business SaaS accounts, roles do not apply to personal accounts or personal workspaces. Any member with the **Super Administrator** role in an organizational account can manage the roles of that organizational account's members and of members in the organizational account's workspaces. Any member with the **Super Administrator** role in an organizational account or the **Workspace Admin** role in a workspace within an organizational account can manage the roles of that workspace's members. A **Super Administrator** assigns an organizational account member's initial role when the member is [added to the organizational account](/pipelines/account/organizations#add-a-member-to-an-organizational-account). That role can be [changed](/pipelines/account/organizations#change-an-organizational-account-role-for-a-member) later. A **Super Administrator** or **Workspace Admin** assigns a workspace member's initial role when the member is [added to the workspace](/pipelines/account/workspaces#add-a-member-to-a-workspace). That role can be [changed](/pipelines/account/workspaces#change-a-workspace-role-for-a-member) later. ## Site administrator role The site administrator role is available only in dedicated instance and in-VPC deployments of [Unstructured Business](/business/overview). The site administrator (site admin) is a deployment-level role, independent of any organizational account. It controls access to **Site Settings**, where deployment-wide configuration lives. A site admin can: * [Configure identity providers](/business/idp/configuration) An IdP group grants site administrator access. See [Site administrator access](/business/idp/group-mappings#site-administrator-access). ## Organizational account roles Organizational account roles include: * **Super Administrator**: Has access to all permissions, and has access to all resources created in an organization. * **Account Member**: Able to be added to workspaces with a workspace role. * **Billing Administrator**: Able to view billing information, usage, and account members. These roles include the following permissions: | Permission | Super Administrator | Account Member | Billing Administrator | | --------------------------------------------------------------- | ---------------------------------- | ---------------------------------- | ---------------------------------- | | Organizational account management | | | | | Can add members to the account | Yes | No | No | | Can remove members from the account | Yes | No | No | | Can view members of the account | Yes | Yes | Yes | | Can view an account member's details | Yes | Yes | Yes | | Can change an account member's role | Yes | No | No | | Billing | | | | | Can view usage and costs | Yes | No | Yes | | Can edit payment information | Yes | No | Yes | | Workspaces | | | | | Can create workspaces | Yes | No | No | | Can add members to a workspace | Yes | No | No | | Can view members of a workspace | Yes | Yes | No | | Can be added to a workspace | Yes | Yes | Yes | | Can take actions in a workspace (based on their workspace role) | Yes | Yes | No | ## Workspace roles Workspace roles include: * **Viewer**: Ability to view all connectors and workflows that exist in the workspace in a read-only capacity. * **Operator**: Ability to create, run, schedule, and delete any workflows that exist in the workspace. Can view connectors but cannot create or edit them. * **Developer**: Ability to create and edit all connectors and workflows that exist in the workspace. * **Workspace Administrator**: Ability to manage users on the workspace (invite, remove or change roles) as well as edit the workspace. These roles include the following permissions: | Resource | Action | Viewer | Operator | Developer | Workspace Administrator | | ----------------- | ---------------------------------------- | ---------------------------------- | ---------------------------------- | ---------------------------------- | ---------------------------------- | | Workflows | Read | Yes | Yes | Yes | Yes | | | Create | No | Yes | Yes | Yes | | | Edit | No | Yes | Yes | Yes | | | Delete | No | Yes | Yes | Yes | | | Run | No | Yes | Yes | Yes | | | Schedule | No | Yes | Yes | Yes | | | Save | No | Yes | Yes | Yes | | | Duplicate | No | Yes | Yes | Yes | | | Activate and deactivate | No | Yes | Yes | Yes | | Connectors | Read | Yes | Yes | Yes | Yes | | | Create | No | No | Yes | Yes | | | Edit | No | No | Yes | Yes | | | Delete | No | No | Yes | Yes | | AI Providers | Can see and use a configured AI provider | Yes | Yes | Yes | Yes | | | Can configure AI provider secrets | No | No | No | Yes | | | Can delete AI provider secrets | No | No | No | Yes | | Workspace members | Add members to the workspace | No | No | No | Yes | | | View the workspace's members | Yes | Yes | Yes | Yes | | | Remove members from the workspace | No | No | No | Yes | | | Change the workspace members' roles | No | No | No | Yes | Super Administrators in an organizational account have complete access to all of the organizational account's workspaces, regardless of whether they are a member of those workspaces.