# Roles
A role gives a user access to resources within a workspace. Roles are additive, and can combine to configure a custom policy for a Team Member or a Group. A policy is at least one role plus one resource applied to an individual user or group.
> \[!NOTE]
>
> When a user has both User Permissions and Group Permissions, they will have the highest access given to either of those roles.
## Global roles
All Segment workspaces have the following roles, regardless of account type.
| Role | Details |
| ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Workspace Owner | Owners have full read and edit access to everything in the workspace, including sources, destinations, add-on products, and settings. Owners have full edit access to all team permissions. |
| Workspace Member | Members inherit custom permissions based on [individual roles](#business-tier-roles) assigned. |
| Source Admin | Source admins have edit access to:
- assigned source(s)
- the settings for that source
- any connected streaming destinations
- Schema
- live data from the source in the [debugger](/docs/segment/connections/sources/debugger/)
- the source's [write key](/docs/segment/connections/find-writekey/)
A user with the Source Admin role can get access to either all current and future sources, or a specific list of sources, or (if you're on a Business plan) to sources with a specific Label. Source Admins can create new sources when the "All sources in Workspace including future sources" option is selected. |
| Function Admin | Function admins can create, edit and delete access to assigned function(s). When you assign a user the Functions Admin role, you can grant them access to either *all current and future* functions, or to a *specific list* of functions. |
| Function Read-only | The Function read-only role grants users the ability to read an assigned function(s). When you assign a user the Functions Read-only role, you can grant them access to either *all current and future* functions, or to a *specific list* of functions. |
## Business tier roles
The following roles are only available to Segment Business Tier accounts.
#### End User Privacy admin
* Edit access to [End User Privacy Settings](/docs/segment/privacy/user-deletion-and-suppression). Includes access to Data Privacy Agreement, and user suppression and deletion workflows.
* **Scope:** Grants access to only End User Privacy Settings in the App.
#### Identity admin
* Edit access to Identity settings in Unify.
* **Scope:** Grants access to *all* Identity settings.
#### Source read-only
* Read access to assigned source(s), source settings, connected streaming destinations, schema, transformations, and live data in the debugger. Reverse ETL sources are also included.
* **Scope:** Grants access to either: all current and future Sources, or only specific Sources, or Sources with a specific Label (BT only).
#### Source admin
* Edit access to assigned source(s), source settings, connected streaming destinations, schema, transformations, the source's [write key](/docs/segment/connections/find-writekey/) and live data in the debugger. Reverse ETL sources are also included.
* **Scope:** Grants access to either: all current and future Sources, or only specific Sources, or Sources with a specific Label (BT only).
#### Unify and Engage admin
* Edit access to Unify settings and if purchased, Engage Audiences, Traits, Journeys, Content, and settings.
* **Scope:** Grants access to either: all current and future Spaces, or a specific list of Spaces, or Spaces with a specific Label (BT only).
#### Unify and Engage read-only
* Read-only access to Unify settings and if purchased, Engage audiences, traits, journeys, and content. Cannot download PII or edit settings in Unify or Engage.
* **Scope:** Grants access to either: all current and future Spaces, or a specific list of Spaces, or Spaces with a specific Label (BT only).
#### Unify read-only, Engage user
* Read-only access to Unify settings and if purchased, edit access to Engage audiences, traits, journeys, and content. Cannot download PII or edit settings in Unify or Engage.
* **Scope:** Grants access to either: all current and future Spaces, or a specific list of Spaces, or Spaces with a specific Label (BT only).
#### Tracking Plan admin
* Edit access to all Tracking Plans in Protocols.
* **Scope:** Grants access to *all* Tracking Plans.
#### Tracking Plan read-only
* Read access to all Tracking Plans in Protocols.
* **Scope:** Grants access to *all* Tracking Plans.
#### Warehouse destination admin
* Edit access to warehouse destinations and warehouse destination settings. *(For example, Redshift, Postgres, BigQuery)*
* **Scope:** Grants access to *all* warehouses.
#### Warehouse destination read-only
* Read-only access warehouse destination and warehouse destination settings. *(For example, Redshift, Postgres, BigQuery)*
* **Scope:** Grants access to *all* warehouses.
#### Entities admin
Full edit and view access to all entity models and connection details.
#### Entities read-only
Read-only access, with the ability to view entity models.
#### Observability admin
* Admin access to all failiure log collection data, including the ability to enable or disable failure log collection.
* **Scope:** Grants access to *all* failure log collection data, including collections that contain PII data.
#### Observability read-only
* Read-only access to failure log collection data.
* **Scope:** Grants access to *all* failure collection data, including collections that contain PII data.
## PII access
The Segment App doesn't show detected Personally Identifiable Information (PII) to workspace members if the information matches specific expected formats for PII. When PII Access turns *off*, detected PII is masked based on [red or yellow default matchers](/docs/segment/privacy/portal/#default-pii-matchers) and any [custom matchers](/docs/segment/privacy/portal/#custom-pii-matchers) defined in the Privacy Portal.
Workspace Owners can grant specific individuals or groups access to PII from their Access Management settings. PII Access only applies to the resources a user or user group has access to; it doesn't expand a user's access beyond the original scope. All Workspace Owners have PII access by default.
For example, users with PII Access and Source Admin/Read-Only permissions can view any PII present in the Source Debugger. However, users with the PII Access role don't have Privacy Portal access: only users with the Workspace Owner role can access the Privacy Portal.
> \[!WARNING]
>
> You must grant PII Access when assigning the [Observability admin](#observability-admin) and [Observability read-only](#observability-read-only) roles.
## Roles for managing Engage destinations
When managing destination connections in an Engage space, you may require additional permissions.
* **Connecting or disconnecting destinations to Engage spaces:** To allow a user to connect or disconnect destination instances to your Engage space, grant `Unify and Engage Admin` access for the specific Engage space, and `Source Admin` access for the source(s) linked to that Engage space, named `Engage (space name)`.
* **Managing connections to Engage features (Computed Traits/Audiences/Journeys)**: To allow a user to attach or detach a destination in your Engage space to specific Engage features like Audiences or Journeys, grant these users `Unify and Engage Admin` access on the selected Engage space. The `Source Admin` role is not necessary for this action.
## Roles for connecting resources
To connect two resource instances, you must have access to both. You can either grant this access to all resources, or to the specific resources you want to connect.
**To connect a source to warehouse** you must have `Source Admin` and `Warehouse Admin` access for the source and the warehouse.
**To connect source to tracking plan** requires `Source Admin` and `Tracking Plan Admin` access for the source and the tracking plan.
## Roles for Protocols transformations
To **view** transformations, you need `Source Read-only`, either for all Sources or the specific Sources using Protocols.
To **create or edit** transformations you must have either `Source Admin` for all Sources, or for the specific Sources used with Protocols.
## Roles for Privacy Portal
The Privacy Portal is only accessible by `Workspace owners`. To **view, create or edit** any section of the Privacy Portal, you need to have the `Workspace Owner` role.