# User Roles and Permissions

PerfAgents follows a **simple, secure, single-organization access model** designed to keep ownership clear and permissions predictable.

### Organization Model

* Every PerfAgents account supports **exactly one organization**
* **One user can belong to only one organization**
* Each organization has **one mandatory Org Owner**

This model applies **uniformly across all self-served plans** (Free, Basic, or Business).

### Available Roles

PerfAgents supports **two predefined roles** within an organization:

1. Org Owner
   1. Automatically created during organization onboarding
   2. Limited to **one Org Owner per organization**
   3. Holds **full administrative control** over the organization, including users, projects, and settings
2. Member
   1. Added to the organization **only via an invite** from the Org Owner
   2. Granted access **after the invite is accepted**
   3. Does **not** have access to any projects by default and must be explicitly assigned

### Role Capabilities Overview

| Capability Area        | Org Owner                                   | Member                                                          |
| ---------------------- | ------------------------------------------- | --------------------------------------------------------------- |
| Organization settings  | Manage organization settings                | —                                                               |
| User management        | Invite and remove users                     | —                                                               |
| Project management     | Create and delete projects                  | —                                                               |
| Project access control | Assign users to projects                    | —                                                               |
| Subscription & billing | Manage plan, billing, and subscriptions     | —                                                               |
| Project access         | Access all projects within the organization | Access only explicitly assigned projects                        |
| Load testing           | Create, update, and execute load tests      | Create, update, and execute load tests (assigned projects only) |
| Monitoring             | Create, update, and execute monitoring      | Create, update, and execute monitoring (assigned projects only) |
| Results & reports      | View test results and reports               | View test results and reports (assigned projects only)          |

### Key Enforcement Rules

1. Org Owner role is **mandatory and unique**
2. Members have **no implicit project access**
3. All access is validated against:
   1. Role
   2. Project assignment
   3. Active subscription state

This ensures consistent, secure access control across all plans and subscription states.
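The following sketch shows how the three checks above can combine into a deny-by-default authorization decision. It is an added example, not PerfAgents code: every class, function and capability name is hypothetical, and treating an inactive subscription as a blanket deny is an assumption, since this page does not specify that behavior.

```python
# Added illustration: deny-by-default check combining role, project
# assignment and subscription state. All names here are hypothetical.
from dataclasses import dataclass, field

OWNER, MEMBER = "org_owner", "member"

# Capability areas from the table above; org-level ones have no project scope.
ORG_LEVEL = {"manage_org_settings", "manage_users", "manage_projects",
             "assign_project_access", "manage_billing"}
PROJECT_LEVEL = {"load_testing", "monitoring", "view_results"}


@dataclass
class User:
    name: str
    role: str
    projects: set = field(default_factory=set)  # explicit assignments only


@dataclass
class Org:
    users: list
    projects: set
    subscription_active: bool = True

    def validate(self):
        """Rule 1: exactly one Org Owner must exist."""
        owners = [u for u in self.users if u.role == OWNER]
        if len(owners) != 1:
            raise ValueError(f"expected exactly one Org Owner, found {len(owners)}")


def is_allowed(org, user, capability, project=None):
    """Return True only if every check passes; anything unknown is denied."""
    if user not in org.users:
        return False
    # Assumption: an inactive subscription denies everything; the page does
    # not say which actions remain available in that state.
    if not org.subscription_active:
        return False
    if capability in ORG_LEVEL:
        return user.role == OWNER
    if capability in PROJECT_LEVEL and project in org.projects:
        if user.role == OWNER:
            return True                      # owner reaches all org projects
        if user.role == MEMBER:
            return project in user.projects  # rule 2: no implicit access
    return False
```

Because the function falls through to `False`, an unrecognized capability, an unknown role or a project outside the organization is refused without needing its own rule.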

### Note

1. **Free, Basic, and Business plans** support the same role model
2. **Enterprise plans** additionally support:
   1. Advanced access controls
   2. Flexible permission management
3. Role permissions are **independent of plan limits** (projects, members, executions)
