# User Roles & Access

Access to functionality and data in AppControl is divided into 2 parts:

* **User Roles.** User roles grant access to AppControl functionality and the ability to manage system data, but do not (except for the Platform Administrator role) give access to specific apps.
* **App Roles.** Assigning users to apps gives them access to view and manage those apps, based on the user roles that have been assigned to them.

This means that to use AppControl a user needs both a specific user role, and also needs to be assigned to 1 or more apps (otherwise the user will have rights to perform actions and view data, but there will not be any apps visible to view or manage).

### User Roles

There are 6 different user roles in AppControl:

<table><thead><tr><th width="161">Role</th><th>Can manage</th><th>Can view</th></tr></thead><tbody><tr><td><strong>Platform Administrator</strong></td><td>Manage system settings, Manage groups, App Access, All Policies, All Pipelines, All Tasks</td><td>All apps, policies, releases, tasks, repository information.</td></tr><tr><td><strong>Group Administrator</strong></td><td>Manage group members, App Access for apps in group, Group Policies, Group Pipelines, App Pipelines (in group), Group Tasks, App Tasks (in group)</td><td>In groups where assigned as Group Admin: all apps, policies, releases, tasks, repository information.</td></tr><tr><td><strong>App Administrator</strong></td><td>App Policies, App Pipelines, App Tasks</td><td>All apps in groups where assigned as Group Member, All apps where assigned as App Member.</td></tr><tr><td><strong>App Viewer</strong></td><td>View only</td><td>All apps in groups where assigned as Group Member, All apps where assigned as App Member.</td></tr><tr><td><strong>Policy Viewer</strong></td><td>App &#x26; Data Policies for apps where assigned as App Administrator</td><td>Policy Dashboard and Insights for apps where App Member.</td></tr><tr><td><strong>No Access</strong></td><td>None</td><td>None</td></tr></tbody></table>

### App Roles

There are 4 different app roles in AppControl:

<table><thead><tr><th width="161">Role</th><th>Can manage</th><th>Can view</th></tr></thead><tbody><tr><td><strong>App Owner</strong></td><td>App Info, Approve Releases</td><td>Policy*, release, task, environment and repository information. </td></tr><tr><td><strong>App Administrator</strong></td><td>App Policies*, App Pipelines, App Tasks, Create Releases, Approve Releases</td><td>Policy*, release, revision, environment, configuration, task and repository information. </td></tr><tr><td><strong>App Member</strong></td><td>None.</td><td>Policy*, release, environment, task and repository information. </td></tr><tr><td><strong>App Operator</strong></td><td>Create Releases (can be restricted to specific environment types)</td><td>Release information</td></tr></tbody></table>

**\*Note:** Users with the Policy Viewer user role only have access to the items marked with (\*) above when assigned the respective app role.

Users can be assigned app roles through the following means:

* **App Group Membership.** If a user is a member of a group they automatically gain the App Member role for all apps that are a member of that group. Group membership is managed by Group Administrators via the Administration > App Groups page. For more information on assigning users to groups see the [App Groups](/administration/app-groups.md) page of this documentation.
* **User Group Membership.** If a user is a member of a user group, they can view all apps that are a member of that group. In addition they may have additional rights depending on whether they have been assigned the App Owner, App Administrator or App Operator role. User group membership is managed by Platform Administrators via the Administration > Access Groups page, or by Group Administrators from the Group Administration page. For more information on assigning users to user groups see the [User Groups](/administration/user-groups.md) page of this documentation.&#x20;
* **Specific App Access.** If a user is assigned as an App Owner, App Administrator, App Member or App Operator for a specific app, they will be able to see that app. For more information on assigning a user to a specific app see the [Apps](/dashboards/alerts.md) page of this documentation.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.bluestorm.io/overview/user-roles-and-access.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.