> ## Documentation Index
> Fetch the complete documentation index at: https://docs.cysmiq.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Users & Access

> Roles, permissions, and how access control works in Cysmiq.

## Overview

Users are workspace members with assigned roles. Each role grants a set of permissions that control what actions a user can take. Your VCS identity (GitHub or GitLab account) can also be linked to your Cysmiq user to sync repository-level permissions.

## Roles

Each workspace has predefined roles with different permission levels:

| Role                  | Description                                                                                     |
| --------------------- | ----------------------------------------------------------------------------------------------- |
| **Owner**             | Full workspace access. Can manage all settings, users, integrations, and billing.               |
| **Admin**             | Manage repositories, vulnerabilities, and reports. Cannot manage members or billing.            |
| **Security Engineer** | Vulnerability management, scanning, and reports. Focused on security operations.                |
| **Reporting**         | Read-only access to repositories, vulnerabilities, and reports.                                 |
| **Developer**         | Base role with permissions inherited from VCS. See [VCS permission sync](#vcs-permission-sync). |

<Info>
  Users provisioned through VCS are assigned the Developer role by default.
</Info>

## VCS identity linking

When you authenticate with GitHub or GitLab, your VCS identity can be linked to your Cysmiq user. This enables:

* **Automatic permission sync**: your repository access in GitHub/GitLab maps to Cysmiq permissions
* **Attribution**: vulnerabilities can be attributed to the developer who introduced them
* **VCS login**: sign in with GitHub when enabled for the workspace

## VCS permission sync

For users with the Developer role, permissions are inherited from your VCS platform:

| GitHub Permission | Cysmiq Access                                             |
| ----------------- | --------------------------------------------------------- |
| Read              | View repository                                           |
| Write             | View/edit repository, trigger scans, view vulnerabilities |
| Admin             | Full repository and vulnerability access                  |

| GitLab Permission | Cysmiq Access                                                  |
| ----------------- | -------------------------------------------------------------- |
| Guest             | View repository                                                |
| Reporter          | View repository, trigger scans, view vulnerabilities           |
| Developer         | View/edit repository, trigger scans, view/edit vulnerabilities |
| Maintainer/Owner  | Full repository and vulnerability access                       |

## Permission structure

Permissions follow a `domain:action:resource` pattern:

* `repository:view:*`: view all repositories
* `vulnerability:edit:repo-123`: edit vulnerabilities in a specific repository
* `user:invite`: invite new users to the workspace

This structure allows both broad role-based access and fine-grained repository-level permissions.

## Related guides

* [Managing members](/guides/members)
