# Flex Conversations Roles Flex Conversations use [Conversations API roles](/docs/conversations/api/role-resource) to manage participant permissions when adding participants to a Conversation or when using the [Conversations SDK](/docs/conversations/sdk-overview) to connect. The Role Resource represents what a [User](/docs/conversations/api/user-resource) (e.g. agent, admin, supervisor) can do within the Conversation Service and individual Conversations. Roles are scoped to either a [Service](/docs/conversations/overview#what-is-a-service) or a [Conversation](/docs/conversations/overview#what-is-a-conversation). ## Flex Conversation Service Users are assigned a Role at the Service level. This determines what they can do within the Conversation Service instance, such as creating and destroying Conversations within the Service. Participants are assigned a Role at the Conversation level. This determines what they are able to do within a particular Conversation, such as inviting Participants to be members of the Conversation, posting Messages, and removing other Participants from the Conversation. ## Which Roles does Flex create out-of-the-box? Flex creates the Conversation Service and adds the following Service and Conversation Roles during the initial Flex account setup. ### Service Roles **Role**: **admin** **Default Permissions**: * joinConversation * deleteConversation * addParticipant * removeParticipant * editConversationAttributes * editOwnUserInfo * editAnyUserInfo **Role**: **supervisor** **Default Permissions**: * joinConversation * addParticipant * removeParticipant * editOwnUserInfo ### Conversation Roles **Role**: **guest \[DEFAULT]** **Default Permissions**: * sendMessage * sendMediaMessage * leaveConversation **Role**: **agent** **Default Permissions**: * editConversationAttributes * sendMessage * sendMediaMessage * leaveConversation * editOwnMessage * editOwnMessageAttributes * deleteOwnMessage **Role**: **admin** **Default Permissions**: * editConversationAttributes * sendMessage * sendMediaMessage * leaveConversation * editOwnMessage * editOwnMessageAttributes * deleteOwnMessage * editAnyMessage * editAnyMessageAttributes * deleteAnyMessage **Role**: **supervisor** **Default Permissions**: * editConversationAttributes * sendMessage * sendMediaMessage * leaveConversation * editOwnMessage * editOwnMessageAttributes * deleteOwnMessage * editAnyMessage * editAnyMessageAttributes * deleteAnyMessage ## How does Flex use these Roles? The first time a [worker](/docs/flex/admin-guide/core-concepts/routing#workers) logs in, Flex creates a corresponding Conversation User. * For workers authenticating through the Twilio Console, the corresponding Flex Conversation Service User will be created with the admin role. * For workers authenticating via a third-party IdP (identity provider), Flex creates a corresponding Conversation Service User according to their [SSO role](/docs/flex/admin-guide/setup/sso-configuration#identity-attributes-and-flex-roles): agent, supervisor, or admin. Once a worker logs in successfully, the Flex UI initializes the Conversations SDK with a token that includes the grants: * The token includes Flex Roles grants based on the user role (**agent/supervisor/admin**) that is set in the IdP. * The Conversation User **Service Role** is updated (in the Conversations Users database) based on the Flex Role grants (an agent can be promoted to a supervisor, or vice versa). ## Known limitations * Regardless of what role you have as a Flex user, Flex Conversations uses the default configured role — **guest** — when adding the user to a Conversation or Chat Task. * [Conversations limits](/docs/conversations/conversations-limits) also apply to Flex Conversations limits.