# Organization roles

<Note>Available on the Enterprise plan. [Contact sales](https://ona.com/contact/sales) to learn more.</Note>

Organization roles let you delegate administrative and read-only responsibilities without granting full organization admin access. Assign these roles to [groups](/ona/organizations/groups) to give team members role-specific capabilities across the organization.

## Available roles

| Role                  | Description                                               |
| --------------------- | --------------------------------------------------------- |
| **Runners Admin**     | Full admin access to all runners in the organization      |
| **Projects Admin**    | Full admin access to all projects in the organization     |
| **Groups Admin**      | Full admin access to all groups in the organization       |
| **Automations Admin** | Full admin access to all automations (services and tasks) |
| **Insights Viewer**   | Read-only access to Insights and project insights data    |
| **Audit Log Reader**  | Read-only access to audit logs                            |
| **Billing Viewer**    | Read-only access to billing and usage information         |

## How it works

When you assign an organization role to a group:

1. All group members receive the role's capabilities
2. Resource-scoped roles apply to existing and future resources where relevant
3. Removing the role revokes the related access

This differs from [Sharing resources](/ona/organizations/sharing-resources), which grants access to specific projects or runners one at a time.

## Assign an organization role

Only organization admins can assign organization roles.

1. Go to **Settings → Members → Groups**
2. In the groups table, find the group you want to modify
3. Toggle the checkbox in the corresponding role column, such as **Runners Admin**, **Insights Viewer**, or **Billing Viewer**

The role is applied immediately when the checkbox is toggled.

<img src="https://mintcdn.com/gitpod-13c83c2b/p3fxpb4g8LzRcRvi/images/docs/flex/organizations/groups/organization-roles-table.webp?fit=max&auto=format&n=p3fxpb4g8LzRcRvi&q=85&s=58cb5a086e9095a0b70d656693938db9" alt="Groups table showing organization role checkbox columns" width="3633" height="2624" data-path="images/docs/flex/organizations/groups/organization-roles-table.webp" />

## Permissions by role

### Runners Admin

Members of groups with this role can:

| Permission                          | Granted               |
| ----------------------------------- | --------------------- |
| View all runners                    | <Icon icon="check" /> |
| Create runners                      | <Icon icon="check" /> |
| Update runner settings              | <Icon icon="check" /> |
| Delete runners                      | <Icon icon="check" /> |
| Share runners with users and groups | <Icon icon="check" /> |
| Manage environment classes          | <Icon icon="check" /> |
| Manage SCM and LLM integrations     | <Icon icon="check" /> |
| Access runner logs                  | <Icon icon="check" /> |

### Projects Admin

Members of groups with this role can:

| Permission                           | Granted               |
| ------------------------------------ | --------------------- |
| View all projects                    | <Icon icon="check" /> |
| Create projects                      | <Icon icon="check" /> |
| Update project settings              | <Icon icon="check" /> |
| Delete projects                      | <Icon icon="check" /> |
| Share projects with users and groups | <Icon icon="check" /> |
| Manage project secrets               | <Icon icon="check" /> |
| Configure environment classes        | <Icon icon="check" /> |
| Manage prebuilds                     | <Icon icon="check" /> |

### Groups Admin

Members of groups with this role can:

| Permission                   | Granted               |
| ---------------------------- | --------------------- |
| View all groups              | <Icon icon="check" /> |
| Create groups                | <Icon icon="check" /> |
| Update group settings        | <Icon icon="check" /> |
| Delete groups                | <Icon icon="check" /> |
| Add and remove group members | <Icon icon="check" /> |

### Automations Admin

Members of groups with this role can:

| Permission                              | Granted               |
| --------------------------------------- | --------------------- |
| View all automations                    | <Icon icon="check" /> |
| Create automations                      | <Icon icon="check" /> |
| Update automation settings              | <Icon icon="check" /> |
| Delete automations                      | <Icon icon="check" /> |
| Share automations with users and groups | <Icon icon="check" /> |
| View all execution history              | <Icon icon="check" /> |

<Note>
  This role does not grant webhook management permissions. Creating and managing [webhooks](/ona/automations/webhooks) for automation triggers requires organization admin access.
</Note>

### Insights Viewer

Members of groups with this role can:

| Permission                                                 | Granted               |
| ---------------------------------------------------------- | --------------------- |
| View the Insights page                                     | <Icon icon="check" /> |
| View organization platform usage                           | <Icon icon="check" /> |
| View Velocity and AI Adoption metrics for enabled projects | <Icon icon="check" /> |
| Enable or disable project insights                         | <Icon icon="xmark" /> |

<Note>
  Insights Viewers can only view data. An organization admin must enable project insights before Velocity and AI Adoption data appears.
</Note>

### Audit Log Reader

Members of groups with this role can:

| Permission                                  | Granted               |
| ------------------------------------------- | --------------------- |
| View [audit logs](/ona/audit-logs/overview) | <Icon icon="check" /> |
| Query audit logs from the CLI               | <Icon icon="check" /> |
| Change organization settings                | <Icon icon="xmark" /> |

### Billing Viewer

Members of groups with this role can:

| Permission                                                                               | Granted               |
| ---------------------------------------------------------------------------------------- | --------------------- |
| View the [Billing](/ona/billing/overview) page where available for the organization tier | <Icon icon="check" /> |
| View the [Cost & Budgets](/ona/billing/usage) page                                       | <Icon icon="check" /> |
| Export usage reports where export is available                                           | <Icon icon="check" /> |
| Change subscriptions, payment methods, top-ups, or team budgets                          | <Icon icon="xmark" /> |

<Note>
  Billing Viewers can only view billing and usage information. Billing changes, credit top-ups, and budget management require organization admin access.
</Note>

## Use cases

**DevOps team manages infrastructure**: Assign Runners Admin to a "DevOps" group so they can create and configure runners without full org admin access.

**Team leads manage their projects**: Assign Projects Admin to a "Tech Leads" group so they can manage project settings and secrets across the organization.

**HR manages team membership**: Assign Groups Admin to an "HR" group so they can add and remove members from groups as people join or leave.

**Platform team manages automations**: Assign Automations Admin to a "Platform" group so they can create and maintain organization-wide automations.

**Security team reviews audit logs**: Assign Audit Log Reader to security or compliance staff who need audit history without organization admin access.

**Finance team reviews billing and usage**: Assign Billing Viewer to finance stakeholders who need read-only access to billing and usage data without payment or budget controls.

**Engineering leaders review delivery metrics**: Assign Insights Viewer to stakeholders who need read-only access to organization insights without project or runner administration permissions.

## Combining roles

A group can have multiple organization roles. For example, a "Platform Engineering" group might have both Runners Admin and Automations Admin roles.

When a user belongs to multiple groups with different roles, they receive the combined permissions from all their groups.
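
The union rule above is worth checking during access reviews, because a user's effective roles are not visible from any single group. The following added example (not Ona code and not an Ona export format) computes each user's combined roles with the groups that grant them; the group names, users, data layout and the `max_admin_roles` threshold are constructed assumptions.

```python
from collections import defaultdict

# Role names as listed on this page.
ORG_ROLES = {"Runners Admin", "Projects Admin", "Groups Admin", "Automations Admin",
             "Insights Viewer", "Audit Log Reader", "Billing Viewer"}
READ_ONLY = {"Insights Viewer", "Audit Log Reader", "Billing Viewer"}

# Constructed sample data: hypothetical groups and users, hand-written for this example.
GROUP_ROLES = {
    "DevOps": {"Runners Admin"},
    "Platform Engineering": {"Runners Admin", "Automations Admin"},
    "Finance": {"Billing Viewer"},
    "Security": {"Audit Log Reader"},
    "HR": {"Groups Admin"},
}
GROUP_MEMBERS = {
    "DevOps": {"alice", "bob"},
    "Platform Engineering": {"bob", "carol"},
    "Finance": {"dave"},
    "Security": {"carol"},
    "HR": {"erin", "dave"},
}

def effective_roles(group_roles, group_members):
    """Return {user: {role: [groups granting it]}}, the union over all of a user's groups."""
    result = defaultdict(lambda: defaultdict(set))
    for group, roles in group_roles.items():
        unknown = roles - ORG_ROLES
        if unknown:  # catch typos in the review input before they hide a grant
            raise ValueError(f"{group}: unknown role(s) {sorted(unknown)}")
        for user in group_members.get(group, ()):
            for role in roles:
                result[user][role].add(group)
    return {u: {r: sorted(g) for r, g in rs.items()} for u, rs in result.items()}

def review(effective, max_admin_roles=1):
    """List users whose combined admin roles exceed the reviewer's threshold (an assumption)."""
    findings = []
    for user, roles in sorted(effective.items()):
        admin = sorted(set(roles) - READ_ONLY)
        if len(admin) > max_admin_roles:
            findings.append((user, admin))
    return findings

if __name__ == "__main__":
    eff = effective_roles(GROUP_ROLES, GROUP_MEMBERS)
    for user, admin in review(eff):
        print(user, "holds", admin, "via", {r: eff[user][r] for r in admin})
```

Keeping the granting groups alongside each role shows which membership to remove when a finding needs fixing, since removing a user from one group may not revoke a role that another group also grants.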

## Next steps

* [Create groups](/ona/organizations/groups) to organize your team
* [Share resources](/ona/organizations/sharing-resources) for fine-grained access control
* [Manage members](/ona/organizations/manage-members) to invite teammates
