# Manage Users and Roles
Organization Admins can manage team members and their access levels from the **Admin** section of the Spyderbat Console, located at the bottom of the left-hand navigation panel.
{% hint style="info" %}
Only users with the **Admin** role can see the Admin section and manage other users.
{% endhint %}
## Adding a user
1. Navigate to **Admin > Organization Management**.
2. Enter the user's email address.
3. Select a role from the **Roles** drop-down.
4. Click **Add User**.
The user appears in the Accounts list and receives an email invitation to join your organization.
## Removing a user
Removing a user revokes their access to your organization. It does not delete their account — user accounts belong to the individual and can be members of multiple organizations.
1. In **Admin > User Management**, hover over the user's row.
2. Click the **delete** icon.
3. Confirm the removal.
{% hint style="info" %}
Removed users do not receive a notification email. If they have an active session, they are immediately logged out.
{% endhint %}
## Changing a user's role
1. In **Admin > Organization Management**, find the user in the Accounts list.
2. Click the **Roles** drop-down on that user's row.
3. Select the new role.
4. Deselect the old role.
5. Click **Save**.
{% hint style="info" %}
If you don't deselect the old role, the user has both roles assigned. The higher-permission role applies, which may grant more access than intended.
{% endhint %}
## Roles and permissions
Spyderbat has five organization-level roles. The table below summarizes what each role can access:
| Capability | **Admin** | **Power User** | **Non-API User** | **Agent Deployment** | **Read Only** |
| ---------------------------------------- | ----------- | -------------- | ---------------- | -------------------- | ------------- |
| Organization and user management | Full access | No access | No access | No access | No access |
| Source management and agent installation | Full access | Full access | Full access | View and add | View only |
| Agent health monitoring | Full access | Full access | Full access | View only | View only |
| Dashboards (view and create) | Full access | Full access | Full access | No access | View only |
| Search queries | Full access | Full access | Full access | No access | View only |
| Investigations (process and K8s) | Full access | Full access | Full access | No access | View only |
| Notification setup | Full access | No access | No access | No access | No access |
| Guardian policy management | Full access | Full access | Full access | No access | View only |
| API key creation | Full access | Full access | No access | Full access | No access |
### Admin
Full access to all console features. Admins can invite and remove users, change roles, manage sources, configure notifications, and perform all investigative and administrative actions.
{% hint style="warning" %}
Limit the number of Admin users in your organization. One or two Admins is typically sufficient.
{% endhint %}
### Power User
Full access to all console features except organization and user management. Power Users can manage sources, create dashboards, run searches, conduct investigations, and create API keys.
### Non-API User
Same access as Power User but cannot create API keys. Use this role for team members who need full console access without programmatic API access.
### Agent Deployment
A limited role for onboarding engineers responsible for installing Spyderbat Nano Agents. These users can view and add sources, access agent install scripts, and monitor agent health. They cannot access dashboards, search, or investigations.
### Read Only
View-only access to most console features — dashboards, sources, agent health, investigations, and search. Read Only users cannot modify data (e.g., rename sources, archive machines) and cannot access the Admin section.
