# Role-Based Access Control (RBAC)

Role-Based Access Control enables organizations to manage user permissions across projects and environments. The system restricts feature access based on assigned user roles, supporting data governance requirements.

### Roles

Freshpaint provides five user roles with distinct permission levels.

* **Admin:** Full administrative access including user management, project/environment creation, and HIPAA allowlist configuration.
* **Data Manager:** Elevated data access with the ability to view and modify PHI allowlists, and configure consent management settings.
* **General User:** Standard operational access for configuring destinations and events. General users have PHI visibility, but no ability to modify allowlists or consent settings.
* **Event Manager:** Focused access for managing event tracking and integrations without access to PHI or form submissions.
* **Data Viewer:** Read-only access limited to viewing analytics dashboards and reports.

#### User Permissions by Role

| Feature                       | Admin | Data Manager | General User | Event Manager | Data Viewer |
| ----------------------------- | ----- | ------------ | ------------ | ------------- | ----------- |
| **PHI Access**                | ✅     | ✅            | ✅            | ❌             | ❌           |
| **Allowlist (modify)**        | ✅     | ✅            | ❌            | ❌             | ❌           |
| **Destinations**              | ✅     | ✅            | ✅            | ✅             | ❌           |
| **Event Library**             | ✅     | ✅            | ✅            | ✅             | ❌           |
| **Audiences (view)**          | ✅     | ✅            | ✅            | ✅             | ❌           |
| **Audiences (edit)**          | ✅     | ✅            | ✅            | ❌             | ❌           |
| **Forms** ***(beta)***        | ✅     | ✅            | ❌            | ❌             | ❌           |
| **Consent Management (view)** | ✅     | ✅            | ✅            | ✅             | ✅           |
| **Consent Management (edit)** | ✅     | ✅            | ❌            | ❌             | ❌           |
| **Analytics**                 | ✅     | ✅            | ✅            | ✅             | ✅           |
| **Audit Log**                 | ✅     | ❌            | ❌            | ❌             | ❌           |
| **Web Tracker Monitoring**    | ✅     | ✅            | ✅            | ✅             | ❌           |
| **Video**                     | ✅     | ✅            | ✅            | ✅             | ❌           |
| **Offline Attributions**      | ✅     | ✅            | ✅            | ✅             | ✅           |
| **Live View**                 | ✅     | ✅            | ✅            | ❌             | ❌           |
| **Visual Editor**             | ✅     | ✅            | ✅            | ✅             | ❌           |
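
As an added example (not Freshpaint code and not a Freshpaint API), the matrix above can be transcribed into a small Python check that picks the least-privileged role covering the features a user needs and flags assignments that grant PHI access unnecessarily. The roster, user names and function names are constructed for illustration.

```python
ROLES = ["Admin", "Data Manager", "General User", "Event Manager", "Data Viewer"]

# Transcribed from the table above: one Y/N flag per entry in ROLES.
MATRIX = {
    "PHI Access": "YYYNN",
    "Allowlist (modify)": "YYNNN",
    "Destinations": "YYYYN",
    "Event Library": "YYYYN",
    "Audiences (view)": "YYYYN",
    "Audiences (edit)": "YYYNN",
    "Forms (beta)": "YYNNN",
    "Consent Management (view)": "YYYYY",
    "Consent Management (edit)": "YYNNN",
    "Analytics": "YYYYY",
    "Audit Log": "YNNNN",
    "Web Tracker Monitoring": "YYYYN",
    "Video": "YYYYN",
    "Offline Attributions": "YYYYY",
    "Live View": "YYYNN",
    "Visual Editor": "YYYYN",
}

def grants(role):
    """Set of features the given role can use."""
    col = ROLES.index(role)
    return {feature for feature, row in MATRIX.items() if row[col] == "Y"}

def least_privileged_role(needed):
    """Role covering every needed feature while granting the fewest features."""
    unknown = set(needed) - set(MATRIX)
    if unknown:
        raise ValueError(f"unknown features: {sorted(unknown)}")
    candidates = [r for r in ROLES if set(needed) <= grants(r)]
    return min(candidates, key=lambda r: len(grants(r)))  # Admin always qualifies

def audit(roster):
    """Return (user, assigned, suggested, grants_unneeded_phi) per over-privileged user."""
    findings = []
    for user, role, needed in roster:
        best = least_privileged_role(needed)
        excess = grants(role) - grants(best)
        if excess:
            findings.append((user, role, best, "PHI Access" in excess))
    return findings

# Constructed sample roster: (user, assigned role, features the user needs).
ROSTER = [("analyst@example.com", "General User", {"Analytics"}),
          ("tagger@example.com", "Event Manager", {"Destinations", "Event Library"})]
if __name__ == "__main__":
    print(audit(ROSTER))
```
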

### Access to Projects and Environments

Users can see the environments they have access to in the left navigation panel in Freshpaint. Admins always have access to all environments, and can grant access to specific environments to specific users.

When a new environment is created, **all users have access by default**. An admin must explicitly restrict access via the Teams page.

#### Granting Environment Access

To invite new users:

1. Navigate to **Settings** → [**Team Members**](https://app.freshpaint.io/settings/team)
2. Click **Add Teammate**
3. Enter the user's email address
4. Select their role from the list
5. If non-Admin, select the projects and environments they can access
6. Click **Send Invite**

<figure><img src="https://1666823438-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MA7aDqsXMFbUsWVqonF%2Fuploads%2FEAY2jEFZRFENxvgsppK4%2Fdocumentation-image-020326-3.png?alt=media&#x26;token=72d45035-87e5-4cc4-b223-cfcfe80a049b" alt="Invite teammate dialog with email field, role selection (General User selected), and project checkboxes." width="375"><figcaption></figcaption></figure>

{% hint style="info" %}
The invite link expires after one week. Users should check their spam folder if they don't see the email.
{% endhint %}

To grant access to existing users:

1. Navigate to **Settings** → **Team Members**
2. Select the user to configure
3. Under **Environment Access**, select the projects and environments
4. Click **Save**

<figure><img src="https://1666823438-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MA7aDqsXMFbUsWVqonF%2Fuploads%2FxcJ2X88RQN7aPF0lNhR6%2Fdocumentation-image-020326-2.png?alt=media&#x26;token=489fa53d-f6e5-4c4e-b657-5e80395d32a7" alt="Teams page teammates table showing roles, creation dates, and environment access for each user"><figcaption></figcaption></figure>

### Access to Freshpaint Audiences

{% content-ref url="../../audiences/rbac-for-audiences" %}
[rbac-for-audiences](https://documentation.freshpaint.io/audiences/rbac-for-audiences)
{% endcontent-ref %}
