# How roles are organised

Nuvolos uses a role-based system that follows the platform's organisational hierarchy. Each level - organisation, space, instance - has its own roles, designed to match the responsibilities that level represents. Roles are granted via invitations: a user whose role carries granting capability sends an invitation, the recipient accepts it by clicking the link, and only then is the role granted.

There are also resource pool roles, which sit alongside the hierarchy roles and govern budgeting rather than content access.

{% hint style="info" %}
To better understand how roles work, we recommend familiarizing yourself with [Nuvolos' organisational structure](/concepts/nuvolos-basic-concepts/organisational-hierarchy.md) first.
{% endhint %}

## Resource pool roles

[Resource pools](/billing/resource-pools-and-budgets.md) serve as cost centres and accounting units on Nuvolos.

There are two roles:

* **Manager -** can assign resource pools to projects, invite other managers, transfer Credits, and review the full utilisation of all mapped content.
* **Member -** confers no capability of its own. Members are simply the users who are currently consuming resources mapped to the resource pool.

## Organisation level roles

Organisations serve as high level structural units in Nuvolos. Each organisation comes with a default resource pool. Users in an organisation can have one of four roles:

* **No role** - users without a role in an organisation cannot view any content within it. Organisation managers can revoke roles when needed.
* **Member** - users invited to participate in any space within the organisation. Members can view Public Spaces, access content they are specifically invited to, and automatically receive Instance Observer status in dataset Spaces with Public visibility. The member role indicates that the user has an established connection with the organisation.
* **Faculty** - users who manage and control resources within the organisation.
  * Create new spaces and invite users to those spaces (creators automatically become ***space administrators***)
  * Automatically receive **Instance Viewer** status in Dataset spaces with Public and Faculty-only visibility
  * Automatically become ***space administrators*** in Research and Course spaces with Faculty-only visibility
  * Distribute licensed content to other users - a powerful capability that supports collaboration
* **Manager** - organisation managers oversee resources and control membership across the organisation.
  * Create new spaces and invite users (creators automatically become *space administrators*)
  * They receive the ***resource pool manager*** role on the organisation's default resource pool.
  * As resource pool manager, monitor resource usage across the entire organisation. This does not by itself grant content access: managers can only view and modify content in spaces where they hold a Space or Instance role.
  * Automatically become ***space administrators*** in Dataset spaces with Public and Faculty-only visibility, and in Research and Course spaces with Faculty-only visibility.
  * Invite additional faculty members or organisation managers.
  * Revoke access to organisational resources when necessary.
  * [Remove derelict projects](/administration/space-management.md#delete-a-space).

## Space level roles

Every space has one special elevated role: **space administrator**. Other users access a Space through editor or viewer roles in one or more Instances within that Space.

Space administrators have full administrative control within their space. They can:

* View and edit every instance in the space and take any action in them (related to files, tables, applications).
* Create and delete snapshots.
* Invite users to instances as editors or viewers.
* Create new instances within the space.
* Change space configurations: secrets, quotas, and resource pool mapping (mapping additionally requires the resource pool manager role in the target pool).

## Instance level roles

Three roles control access within an Instance:

* **Instance Editor**
  * Modify the contents of the **current state** of an instance.
  * Edit instance name and description (except for Master and Distributed instances).
  * Upload and download files.
  * Run applications.
  * Create snapshots of the instance's current state.
  * Distribute to the instance from another location where they are at least **Instance Viewers**.
* **Instance Viewer**
  * View the contents of snapshots in the instance.
  * Write queries against data.
  * Distribute from the instance to another location where they are at least **Instance Editors**.
* **Instance Observer** - This role exists only in dataset Spaces, where it makes datasets discoverable while keeping their contents access-controlled.
  * View the README.md file at the root of the instance's Workspace files
  * Request viewer roles for the instance

## Combined capability summary

The following capabilities are available to each role *across* the Nuvolos hierarchy. Capabilities are additive - for example, an organisation manager who is also an Instance Editor in a specific Instance has both sets of capabilities.

| Capability | Required role(s) |
|---|---|
| Create a new Space | Faculty or Organisation manager (becomes space administrator on creation) |
| Delete a Space | Space administrator of that Space |
| Invite faculty / org managers | Organisation manager |
| Invite to a Space | Space administrator |
| Create a new Instance in a Space | Space administrator |
| Delete an Instance | Space administrator (Master and Distributed Instances cannot be deleted) |
| Invite to an Instance as Editor/Viewer | Space administrator |
| Modify Instance name and description | Instance Editor (not Master/Distributed) |
| Modify content in current state | Instance Editor |
| Create snapshots | Instance Editor or Space administrator |
| Run Applications | Instance Editor (or Space administrator, who inherits Editor rights everywhere) |
| Distribute to an Instance | Instance Editor in the target |
| Distribute from an Instance | At least Instance Viewer in the source |
| Set account secrets | Any user (for their own account) |
| Set Space secrets | Space administrator |
| Set organisation secrets | Organisation manager |
| Transfer Credits between resource pools | Resource pool manager in both source and target pool |
| Modify resource pool mappings | Resource pool manager |
| Map a Space to a resource pool | Space administrator AND Resource pool manager in target pool |
| Enable additional services (org level) | Organisation manager (and must be enabled at resource pool level first) |
| Enable additional services (Space level) | Space administrator (and must be enabled at organisation level first) |
| Approve Instance Observer access requests | Organisation manager |
| Revoke an organisation member | Organisation manager |
| Delete an orphan Space | Resource pool manager |
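Because capabilities are additive and several roles are implied rather than explicitly granted (an organisation manager is space administrator in Faculty-only Research spaces, a space administrator has editor rights on every instance, a member is an Instance Observer in Public dataset spaces), an access review that only reads explicit grants will miss most of the effective permissions. The following added example, which is illustrative code and not Nuvolos's authorisation engine, encodes the implied grants listed on this page as a small resolver and answers "who can do X on this instance?" for a constructed set of users. The class names, capability names, sample users and spaces are assumptions; visibility values other than Public and Faculty-only are treated as invite-only, which is also an assumption.

```python
"""Effective-access resolver for the role rules on this page (added example).

Illustrative code, not Nuvolos's authorisation engine: the classes, capability
names and sample users are constructed here. It encodes the implied grants the
page lists (organisation role -> implied space/instance roles, space
administrator -> editor rights on every instance) so a reviewer can ask
"who can modify this instance?" instead of tracing each grant by hand.
"""
from dataclasses import dataclass, field

# Instance-level roles, ranked so a higher role includes the lower ones.
RANK = {None: 0, "observer": 1, "viewer": 2, "editor": 3}

# Capability -> minimum effective instance role (from the instance-level list above).
CAPABILITIES = {
    "view_readme": "observer", "request_viewer": "observer",
    "view_snapshots": "viewer", "query_data": "viewer", "distribute_from": "viewer",
    "modify_content": "editor", "run_apps": "editor", "create_snapshot": "editor",
    "distribute_to": "editor", "rename_instance": "editor",
}

@dataclass(frozen=True)
class Space:
    name: str
    kind: str        # "dataset", "research" or "course"
    visibility: str  # "public" or "faculty-only"; anything else treated as invite-only (assumption)

@dataclass(frozen=True)
class Instance:
    name: str
    space: Space
    kind: str = "regular"  # "master" / "distributed" instances cannot be renamed

@dataclass
class User:
    name: str
    org_role: str = "none"  # "none", "member", "faculty" or "manager"
    space_admin: set = field(default_factory=set)       # explicit space administrator grants
    instance_roles: dict = field(default_factory=dict)  # instance name -> "observer"/"viewer"/"editor"

def is_space_admin(user, space):
    """Explicit space administrator, or one implied by the organisation role."""
    if space.name in user.space_admin:
        return True
    faculty_only_project = space.kind in ("research", "course") and space.visibility == "faculty-only"
    if user.org_role == "manager":
        return faculty_only_project or (
            space.kind == "dataset" and space.visibility in ("public", "faculty-only"))
    if user.org_role == "faculty":
        return faculty_only_project
    return False

def implied_instance_role(user, instance):
    """Instance role granted automatically by the organisation role (dataset spaces only)."""
    space = instance.space
    if space.kind != "dataset":
        return None
    if user.org_role == "faculty" and space.visibility in ("public", "faculty-only"):
        return "viewer"
    if user.org_role == "member" and space.visibility == "public":
        return "observer"
    return None

def effective_instance_role(user, instance):
    """Highest instance role the user holds, explicit or implied (None = no access)."""
    if user.org_role == "none":
        return None  # no organisation role: cannot view any content, whatever else is granted
    if is_space_admin(user, instance.space):
        return "editor"  # space administrators can take any action in every instance
    explicit = user.instance_roles.get(instance.name)
    return max(explicit, implied_instance_role(user, instance), key=RANK.get)

def can(user, capability, instance):
    role = effective_instance_role(user, instance)
    if RANK[role] < RANK[CAPABILITIES[capability]]:
        return False
    if capability == "rename_instance" and instance.kind in ("master", "distributed"):
        return False  # rename is blocked on master/distributed instances for everyone
    return True

def who_can(users, capability, instance):
    """Access-review helper: sorted names of users holding a capability on an instance."""
    return sorted(u.name for u in users if can(u, capability, instance))

# Constructed sample organisation: a public dataset space and a faculty-only research space.
PUBLIC_DATA = Space("census", "dataset", "public")
LAB = Space("lab-notes", "research", "faculty-only")
CENSUS_MASTER = Instance("census/master", PUBLIC_DATA, kind="master")
LAB_DEV = Instance("lab-notes/dev", LAB)
USERS = [
    User("alice", org_role="manager"),
    User("bob", org_role="faculty"),
    User("carol", org_role="member", instance_roles={"lab-notes/dev": "editor"}),
    User("dave", org_role="member"),
    User("eve", org_role="none", instance_roles={"lab-notes/dev": "editor"}),  # stale grant, no org role
]

if __name__ == "__main__":
    for cap, inst in [("modify_content", LAB_DEV), ("query_data", CENSUS_MASTER),
                      ("view_readme", CENSUS_MASTER), ("rename_instance", CENSUS_MASTER)]:
        print(f"{cap:16} {inst.name:16} {who_can(USERS, cap, inst)}")
```

Running the script shows the point the table makes in prose: nobody has an explicit role on `lab-notes/dev` except carol, yet alice and bob can modify it through implied space administration, while eve's explicit editor grant is dead because she holds no organisation role. The `rename_instance` check also shows the Master/Distributed exception overriding an otherwise sufficient editor role.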
