> For the complete documentation index, see [llms.txt](https://docs.kyso.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.kyso.io/settings-and-administration/permissions-system.md).

# Permissions System

## Introduction&#x20;

The following document describes how the permission system works at Kyso, which is highly customisable, in which we can create roles with fine-grained permissions to configure how your users can behave on the platform.&#x20;

## Platform Roles&#x20;

Kyso has default access controls on deployment. Below is a list of the predefined roles called **platform roles**. These roles are the most common ones, and are “self-explanatory”. The roles are the following:

* Platform / Account Admin
* Organization Admin
* Channel / Team Admin
* Channel Contributor
* Channel Reader

{% hint style="info" %}
Channels and Teams mean the same thing on Kyso so might be used interchangeably across the public documentation and Git repositories.
{% endhint %}

## Role Access Levels

### Table Legend

* 🎷 -> Only for the entities that the user owns or belongs to (comments, reports, repos, organizations, etc.). That means that users can’t perform these actions in other channels/discussions/reports/etc. in which he/she is not a member of nor owns it.
* 🔓 -> Only public channels accessed directly with the URL.

![Legend Part 1](/files/p0gQ7vLg5zrVVEblsdGU)

![Legend Part 2](/files/vndWntLhd4AQR7llvjBG)

![Legend Part 3](/files/bDttbaFTiy4qVcAjY84y)

![Legend Part 4](/files/z8j60hi557NhciBvTfJf)

## Platform Organisational Structure

### 1. Organizations

An **organization** is a management unit at Kyso to manage the permissions and the behaviour of users that belong to it. Consider that:

* Every user belongs to at least one organization
  * Every time a new user is created at Kyso, a new organization “{{username}}’s Workspace” is created (i.e. this is their personal workspace)
* A user can belong to more than one organization.

### 2. Channels / Teams

A **channel** is a management unit at Kyso, to manage the visibility and the behaviour of the users. Consider that:

* Every user belongs to at least one channel
  * Every time a new user is created, a new channel “{{usernames}}’ Private Team” is created and linked to “{{usernames}}’s Workspace”
* A user can belong to more than one channel
* A channel can be:
  * **Public**: Every user on the company's Kyso account can access that channel.
  * **Protected**: Only users that belong to the organization that owns the channel can access that channel.
  * **Private**: Only users with a specific invitation can access that channel

### 3. Reports

A **report** is an instance of an imported notebook (Jupyter, etc.) or other file type. All the data, comments, collaboration, etc. is done inside a report. Consider that:

* Every report belongs to a channel.

## Custom Roles&#x20;

The permission system allows the creation of new roles, with a specific bunch of permissions, in organization and channel scopes.&#x20;

{% hint style="info" %}
Contact our Support team for more info on this!
{% endhint %}

That means:

* An organization admin can create a new role that is only valid inside its organization
  * Then, the users that belong to that organization can be configured to use:
    * All the Platform Roles
    * The custom roles of that organization
* A channel admin can create a new role that is only in valid inside its channel.
  * Then the users that belong to that channel can be configured to use:
    * All the Platform Roles
    * The custom roles of the organization that owns the channel (if there is one)
    * The custom roles of that channel

## Authorization Hierarchy&#x20;

```md
.
└── Platform Roles
    └── Organization Roles
        └── Channel/Team Roles
```
