> ## Documentation Index
> Fetch the complete documentation index at: https://capy.sc/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Capy Roles: Owner, Admin, Project Admin, Member

> Four organization-level roles in Capy: Owner, Admin, Project Admin, Member. Change roles in the capy users TUI or restrict per-project access via grants.

Capy has four org-level roles. The first three are chosen at invite time; **Owner** is implicit - the person who created the org.

| Role              | What they can do                                                                                      |
| ----------------- | ----------------------------------------------------------------------------------------------------- |
| **Owner**         | Everything. Creator of the org. Holds the seed phrase. Cannot be kicked.                              |
| **Admin**         | Invite, kick, manage any project, create projects, manage billing.                                    |
| **Project Admin** | Manage projects they own: create branches, invite to specific projects, but not manage the whole org. |
| **Member**        | Read and write secrets in org-wide branches they have access to.                                      |

## Choosing a role at invite time

```bash theme={null}
capy invite alice@example.com
```

Capy prompts:

```
? What role should alice@example.com have?
  ❯ Member
    Project Admin
    Admin
```

## Changing roles after the fact

`capy users` opens an interactive members list - Capy's TUI for inspecting and editing roles in the org. Press `r` on a row to change that user's role, `Enter` to expand a member and see their per-project roles and protected-branch grants.

```text theme={null}
  Organization Members (3 users)

  Email                          Role           Added         Projects
  ─────────────────────────────────────────────────────────────────────
> alice@acme.com                 owner          2025-01-15    2 projects
  bob@acme.com                   member         2025-02-03    1 project
  carol@acme.com                 admin          2025-03-10    2 projects
  ─────────────────────────────────────────────────────────────────────
   ↑↓ navigate  Enter expand/collapse  r change role  g grant protected  q quit
```

When you press `r`, an inline picker replaces the role cell with the available options. Pick one and the change applies immediately.

```text theme={null}
  Email                          Role           Added         Projects
  ─────────────────────────────────────────────────────────────────────
  alice@acme.com                 owner          2025-01-15    2 projects
> bob@acme.com                   ❯ admin                      1 project
                                   project-admin
                                   member
  ─────────────────────────────────────────────────────────────────────
   ↑↓ pick role  Enter confirm  Esc cancel
```

Expanding a member with Enter shows the projects they belong to plus any protected branches they hold a grant on, and lets you change their per-project role from the same view.

## Protected branches narrow access further

Org-level role and **protected-branch membership** are two separate things. An Admin doesn't automatically have access to every protected branch - they still need to be granted access to each protected branch individually. The org role controls who can *invite*; protected-branch membership controls who can *decrypt*.

## What's next

<Columns cols={2}>
  <Card title="Inviting users" icon="user-plus" href="/using/team/inviting" horizontal>
    The redeem-code flow.
  </Card>

  <Card title="Protected branches" icon="shield" href="/using/branches/protected" horizontal>
    Per-branch access lists.
  </Card>
</Columns>
