# Roles ## What are Roles? Roles are used to assign access rights. With roles, you can granularly control which [-> users](/collection/mandatory-base/platform-core/workspace-and-identity/users.md) can access which functions of BuildingPro Suites. You can allow users to use only the functions you have defined. You can prohibit the use of other functions. ## How do Roles Work? You create a role and configure read and write permissions within this role. You then assign this role to one or more users within a tenant. The users with this role are then only allowed to perform actions that the role permits in that tenant. By assigning a role to multiple users, you can quickly and easily create user groups. ## One Role Per Tenant Roles follow a single role model per tenant. Each user has exactly one role per tenant. This means: * a user can have different roles in different tenants * within one tenant, a user can only have one active role * when a user is invited or assigned to a tenant, a role is assigned in that tenant All permissions are managed through this single role model. ### Automatic Role Assignment When a user is invited or assigned to a tenant, they receive one role in that tenant. If a user is assigned to multiple tenants, the user can have a different role in each tenant. ## Permissions The following permissions can be set for each individual role: ### Read Permission When read permission has been granted, users can see entries and menu items but cannot change them. When **no** read permission has been granted, users can **NOT** see entries. {% hint style="info" %} By not granting read permissions, you can completely hide individual menu items from users. {% endhint %} ### Write Permission When write permission has been granted, a user can enter values, delete objects, and create new ones. Write permission can only be granted if read permission exists. It is not possible to have write permission without read permission. ### "Manage" Permission This permission is available within the role configuration for supported areas. When this permission is activated, a user can copy the following elements to other users: 1. Dashboards 2. Analytics 3. Reports 4. Smart Views --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.buildings.ability.abb/collection/mandatory-base/platform-core/workspace-and-identity/roles.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.