# Manage roles and permission levels
## Roles
{% hint style="info" %}
This feature is only available to the **Admin** permission level.
{% endhint %}
Roles can be created **(1)** in the *Roles* tab of your project settings:
To manage a role's permissions, click on it **(2)**:
{% hint style="warning" %}
If your project was created before February 2021, please visit [this page](https://docs.forestadmin.com/documentation/how-tos/maintain/migrate-to-the-new-role-system) to learn how to enable this feature.
{% endhint %}
The above screenshot shows your role's details page. This is where you'll be managing all permissions which should apply to all the users assigned to this role.
Permissions are displayed in 2 sections:
* *Smart Action permissions*
* *Collection permissions*
### Smart Action permissions
This section lets you to easily manage your Smart Action permissioins (for this role **only**). Click *Show more* **(1)** to display all permissions, or *Edit permissions* **(2)** to directly edit its Smart Action permissions.
* Trigger: Allow users assigned to this role to trigger this Smart Action
#### Approval workflow permissions
{% hint style="info" %}
You must be on a [Forest Admin Pro plan](https://www.forestadmin.com/pricing) to have access to this feature.
{% endhint %}
If you are using our approval workflow feature, your approval permissions are also managed within roles.
The following options become available if you are on the [Pro](https://www.forestadmin.com/pricing) plan or above:
* *Require approval*: Unlike Trigger, the Smart Action will not be executed unless manually approved
* *Approve*: Allow users assigned to this role to [approve a trigger request](https://docs.forestadmin.com/user-guide/collections/actions/create-and-manage-smart-actions#review-approval-requests)
* *Self Approve*: Allow users assigned to this role to approve their own trigger request
#### Conditional permissions
{% hint style="info" %}
In addition to the **Pro** plan, this feature requires a minimum agent version to be installed.
{% endhint %}
Your processes likely depend on your data: for instance, a $1,000 refund is more sensitive than a $10 refund. You probably want to authorize your operators to trigger $10 refunds, but not $1,000 or more. This is now possible within the permissions page:
To achieve this, go to the permissions edit page and click on the filter icon:
{% hint style="warning" %}
Permission changes may take up to **15** minutes to apply.
{% endhint %}
That's it! Your operators may now refund without approval for an amount up to $1,000, but any refund of a higher amount will require an approval.
{% hint style="info" %}
The same feature is available for **Trigger** and **Approve** permissions: use the corresponding filter icons to input the conditions you want.
{% endhint %}
### Collection permissions
*Collection permissions* allow you to enable/disable the following collection-specific permissions:
* *Read (list)*: access to the collection's [Table View](https://docs.forestadmin.com/user-guide/getting-started/master-your-ui/the-table-view) data. Note that the collection must also be [shown in the layout](https://docs.forestadmin.com/user-guide/getting-started/master-your-ui/using-the-layout-editor-mode) to be displayed.
* *Read (details)*: access to the [Details View](https://docs.forestadmin.com/user-guide/getting-started/master-your-ui/using-the-layout-editor-mode/customize-the-details-view) (and Summary View) data of any record of this collection.
* *Create*: create a record of this collection (N.B: the "Duplicate" action is also managed by this permission)
* *Update*: update a record of this collection
* *Delete*: delete a record of this collection
* *Export*: export the list of records of this collection
### Default permissions
*Default permissions* allow you to choose default permissions for each newly created Collection or Smart Action.
Here is the initial configuration for a new role:
Smart Actions:
| Permission | Value |
| ---------------- | :------------------: |
| Trigger | :heavy\_check\_mark: |
| Require approval | - |
| Approve | - |
| Self approve | - |
Collections:
| Permission | Value |
| -------------- | :------------------: |
| Read (list) | :heavy\_check\_mark: |
| Read (details) | :heavy\_check\_mark: |
| Create | :heavy\_check\_mark: |
| Update | :heavy\_check\_mark: |
| Delete | :heavy\_check\_mark: |
| Export | :heavy\_check\_mark: |
{% hint style="info" %}
For projects with high security standards, although this involves more frequent manual activation, it is advisable to reduce these default permissions, at least for your production environment. Il will avoid excessive accesses being automatically granted to operators, when a new Collection or Smart Action is released.
{% endhint %}
### Control environment access per role
From a role's details page, you can also:
* toggle which environments users assigned to this role have access to **(1)**
* select which environment you wish to view permissions of or edit them **(2)**
**Only remote environments** are available here, since development environments have all permissions.
### Export role permissions
At anytime you may export your user role permissions to a CSV file by clicking on *Export user permissions* from the *Users* tab:
It contains User information **(1)**, Smart Action name **(2)** and Collection name **(3).** Granted permissions **(4)** are as follows:
* *empty*: the user is not authorized to use that Smart Action as part of that team
* *trigger*: the user can trigger that Smart Action
* If the [approval workflow module](https://docs.forestadmin.com/user-guide/collections/actions/create-and-manage-smart-actions#require-approval-for-a-smart-action) is enabled:
* *request*: the user can ask for an approval to trigger that Smart Action
* *request/approve*: the user can ask for an approval to trigger that Smart Action and can approve requests of this Smart Action except his own
* *request/approve(self)*: the user can ask for an approval to trigger that Smart Action and can approve requests of this Smart Action including his own
### Copy role permissions across environments
Setting up role permissions can take a lot of time, especially if you need to do it all over again for another environment.
This is why we've implemented the "Copy role permissions across environments" feature. In a few clicks, you can apply the permissions of **all roles** of an environment to another environment.
To use it, go to: Project Settings → Roles → Actions.
## Permission level
The permission level of a user determines what Forest Admin administration permissions he has. You can assign one of the following *permission levels* per user:
| Forest Admin permission level | Manage Data | Manage [Inboxes](https://docs.forestadmin.com/user-guide/other-tabs/collaboration/distribute-tasks-with-inboxes) | Customize admin UI (activate layout editor) | Manage Environments and Development Workflow actions | Manage Teams, Users, Roles |
| ----------------------------- | -------------------- | ---------------------------------------------------------------------------------------------------------------- | ------------------------------------------- | ---------------------------------------------------- | -------------------------- |
| **Admin** | :heavy\_check\_mark: | :heavy\_check\_mark: | :heavy\_check\_mark: | :heavy\_check\_mark: | :heavy\_check\_mark: |
| **Developer** | :heavy\_check\_mark: | :heavy\_check\_mark: | :heavy\_check\_mark: | :heavy\_check\_mark: | |
| **Editor** | :heavy\_check\_mark: | :heavy\_check\_mark: | :heavy\_check\_mark: | | |
| **Manager** | :heavy\_check\_mark: | :heavy\_check\_mark: | | | |
| **User** | :heavy\_check\_mark: | | | | |
## Manage a user's role and permission level
You can change a user's role or permission level from their details page:
1. Go to the *Users* tab of your Project settings
2. Click on a user in the list
3. Change the role and/or permission level assigned to that user
4. Don't forget to save
