# Role-based access control

> Manage access to SeekrFlow resources through organizations, teams, and role-based permissions.

**Supported on:** UI, API, SDK

SeekrFlow uses a team-based access model to organize users and control what they can do. All resources (agents, fine-tuning jobs, deployments, files, and vector databases) belong to a team, and access is enforced based on a user's role within that team.

<CardGroup>
  <Card title="Manage permissions (UI)" icon="grid" href="/flow/app/manage-permissions">
    Create and manage teams and members through the SeekrFlow web interface.
  </Card>

  <Card title="Work with teams (SDK)" icon="cube" href="/flow/sdk/teams">
    Scope SDK requests to a team to create and read team-owned resources.
  </Card>
</CardGroup>

## Organizations and teams

An **organization** is the top-level container for a SeekrFlow account. All users, teams, and resources belong to a single organization.

A **team** is a group of users within an organization. Resources are scoped to a team, meaning each team has its own isolated view of agents, fine-tuning jobs, deployments, files, and vector databases. Users can belong to multiple teams and switch between them to access the resources associated with each.

When a new account is created, a new organization is provisioned if the user doesn't already belong to one. An existing organization owner can also invite new users. For self-hosted deployments, a default organization is created during installation. Teams are not automatically provisioned in either case. Each user also gets a personal workspace, a private team with no other members.

## Roles

Every user has an organization role and, within each team they belong to, a team role. Together these determine what a user can see and do.

### Organization roles

**Owner** – Full organization access to manage settings, teams, and roles.

**Member** – Access limited to assigned teams and their resources.

### Team roles

**Admin** – Full team access to manage members, roles, and settings.

**Creator** – Can contribute within assigned teams without managing roles or access.

### Permissions summary

| Action                       | Owner | Member + admin | Member + creator |
| ---------------------------- | ----- | -------------- | ---------------- |
| Create, rename, delete teams | ✓     | ✗              | ✗                |
| Add and remove team members  | ✓     | ✓              | ✗                |
| Change member roles          | ✓     | ✓              | ✗                |
| Create and manage resources  | ✓     | ✓              | ✓                |

## Resource isolation

Resources are scoped to the team they were created in. When a user switches their active team, the resource lists (agents, fine-tuning jobs, deployments, files, and vector databases) update to show only what belongs to that team. API and SDK calls are similarly scoped to the active team, and requests for resources outside a user's teams are rejected. For how to select a team from the SDK, see [Work with teams](/flow/sdk/teams).
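The permissions summary and the resource isolation rule above can be written as one default-deny decision function. This is an added illustration, not SeekrFlow's implementation or SDK: the action names, the `User` class, and `is_allowed` are hypothetical, and the treatment of owners outside their own teams is an assumption marked in the comments.

```python
from dataclasses import dataclass, field

# Actions named after the rows of the permissions summary table.
MANAGE_TEAMS = "manage_teams"          # create, rename, delete teams
MANAGE_MEMBERS = "manage_members"      # add and remove team members
CHANGE_ROLES = "change_roles"          # change member roles
MANAGE_RESOURCES = "manage_resources"  # create and manage resources

# What each team role grants, copied from the table's Member columns.
TEAM_ROLE_GRANTS = {
    "admin": {MANAGE_MEMBERS, CHANGE_ROLES, MANAGE_RESOURCES},
    "creator": {MANAGE_RESOURCES},
}

@dataclass
class User:
    name: str
    org_role: str                                   # "owner" or "member"
    team_roles: dict = field(default_factory=dict)  # team id -> "admin" | "creator"

def is_allowed(user, action, team=None, resource_team=None):
    """Return True only when a rule explicitly grants the request."""
    if action == MANAGE_TEAMS:
        return user.org_role == "owner"
    if team is None:
        return False  # every other action is scoped to an active team
    granted = TEAM_ROLE_GRANTS.get(user.team_roles.get(team), set())
    if action == MANAGE_RESOURCES:
        # Resource isolation: a resource is reachable only from the team that
        # owns it, even when the caller belongs to both teams.
        if resource_team is not None and resource_team != team:
            return False
        # Assumption: owners also need team membership to touch resources.
        return action in granted
    if action in (MANAGE_MEMBERS, CHANGE_ROLES):
        # Assumption: owners manage membership of any team in the organization.
        return user.org_role == "owner" or action in granted
    return False  # unknown actions are denied

# Constructed sample users and teams (not real accounts).
OWNER = User("olivia", "owner", {"research": "admin"})
ADMIN = User("amir", "member", {"research": "admin", "support": "creator"})
CREATOR = User("cleo", "member", {"support": "creator"})
```

A matrix like this is useful as an expected-results table when testing a deployment: each row of the permissions summary, plus one cross-team request, should produce the same allow or deny outcome.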

## Migration from single-user deployments

Existing users are migrated to an organization, and select users are assigned the Owner role. Existing resources move to each user's personal workspace. No teams are automatically created and no team roles are automatically assigned. Self-hosted customers need to upgrade to the version that includes role-based access control and perform the migration manually.
