# Permissions (Roles) User permission levels are defined in [/config](/gravity-server/config.md) inside the permissions object. Here you can define a multi-level tier of user access levels. ### Default Permissions Out-of-the-box, Gravity includes **master** (for [Mission Control](/mission-control/introduction.md)), **owner**, **admin,** **user** and developer roles. ### Client Permissions The same permission object is included inside **client/src/permissions.json.** You must use both files, as the React client runs independently to the server. You can also define different permissions for the client UI if you need to. ## How Permissions Work The permission is stored in the JWT, so you can verify user actions at the API level based on this permission. The permission level is also stored in the UI context, so you can show or hide features depending on the user's permission level. {% hint style="danger" %} You should only use the permission stored in the client context for visceral purposes and **ALWAYS** use the API to control access. Savvy users can modify this permission and reveal hidden UI features. Using the API will prohibit them from performing an action they do not have permission to do. {% endhint %} ## What Each Permission Can Do Below is a breakdown of what each user permission can do by default. You can customise this logic to suit your own requirements. Each account can only have one owner but as many admins, users and developers as you need. ### Master * view all accounts and all users * edit any account and any user * view application logs * view user feedback ### Owner * can edit billing details * can close the account * can invite admins, users and developers * can promote a user to admin * can demote an admin to user * can edit admins, users and developers * can create, update and delete API keys ### Admin * can invite users * can edit users * can promote a user to admin ### User * can view/edit/delete data that they are permitted to ### Developer * everything a user can do plus update and delete API keys --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.usegravity.app/gravity-server/authorization/permissions.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.