> ## Documentation Index
> Fetch the complete documentation index at: https://www.c1.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.
# User roles
> User roles make sure that C1 users have the correct permissions — and only those permissions — needed to perform their assigned tasks.
## Default user roles
The person who initially sets C1 up for your company is given the **Super Administrator** role. After that, all users who sign into C1 for the first time are automatically given the **Basic User** role. Read more about these and the other available user roles below.
You can keep these roles as-is, or assign new roles depending on what each user needs to get done. Users can have more than one role, and a user is granted all the permissions of every role they're assigned.
## Assign a new user role to a user
You can change any user's role assignment on the **Users** page. Users can have more than one role, and a user is granted all the permissions of every role they're assigned.
This task requires the **Super Administrator** role in C1.
Navigate to **Directory** > **Users**.
Locate the name of the user whose role you want to change.
From the **...** (more actions) menu, select **Change role**.
Select one or more user roles to assign to the user.
Click **Save**.
## End-user user roles
C1 has two user roles tailored to end users and scoped to the work they do.
### Basic User
Users with this role can:
* View the C1 home page
* Complete assigned access review tasks
* Request personal access to apps and resources
* (Managers only) request access to apps and resources for direct reports
* Approve/deny assigned access request tasks
* Complete assigned provisioning/deprovisioning tasks
* Create secrets, view and revoke their own secrets
### Access Request Helpdesk
Users with this role can:
* Do everything listed in the **Basic User** role
* Request access to apps and resources for any user
* Create revocation requests for any user
## Administrator user roles
Users with an administrator-level user role can also access the **Admin** section of C1.
| | Access Request Admin | Application Admin | Campaign Admin | Connector Admin | Read-Only Super Admin | Super Admin |
| :--------------- | :------------------- | :--------------------- | :--------------------- | :------------------- | :-------------------- | :------------------- |
| Dashboard | View | View | View | View | View | View |
| Explore | | | | | View | View |
| Campaigns | | | View, create, manage\* | | View | View, create, manage |
| Applications | | View, create, manage\* | | | View | View, create, manage |
| Access conflicts | | | | | View | View, create, manage |
| Access profiles | View, create, manage | | | | View | View, create, manage |
| Connectors | | View, manage\* | | View, create, manage | View | View, create, manage |
| Automations | | View, create, manage\* | | | | View, create, manage |
| Groups | | | | | View | View, create, manage |
| Policies | | | | | View | View, create, manage |
| Task log | | | | | View | View, manage |
| Users | | | | | View | View, manage |
| Settings | | | | | View | View, create, manage |
\*See the **Application Admin** and **Campaign Admin** sections for details on which objects users with these roles can view, create, and manage.
### Access Request Administrator
Users with this role can:
* Do everything listed in the **Basic User** role
* Request access to apps and resources for any user
* Create and manage access profiles
* Manage access profile enrollment, including manually enrolling users and setting membership controls
### Application Administrator
Users with this role can:
* Do everything listed in the **Basic User** role
* View and manage the applications that they own
* Set the [standard audience](/product/admin/access-requests#set-the-standard-audience-for-an-app-and-select-requestable-entitlements) on applications that they own
* Create, view, and manage app-specific automations on applications that they own
* View and add request forms on applications that they own
* Create new applications
* Create and download application reports
* View and manage the connectors that they own
* View and manage connectors that are ownerless and associated with an application the user owns
### Campaign Administrator
Users with this role can:
* Do everything listed in the **Basic User** role
* View and manage the campaigns that they own
* Create new campaigns
* Create and download campaign reports
### Connector Administrator
Users with this role can:
* Do everything listed in the **Basic User** role
* View all connectors
* Create and manage connectors
### Read-Only Administrator
This is a special role, intended for auditors or other individuals who need visibility into C1 without the ability to make changes.
Users with this role can:
* View C1 assets:
* Campaigns
* Applications
* Conflict monitors
* Access profiles
* Connectors
* Groups
* Policies
* View task log
* View users
* View and work with access explorer and access graph
* Create and download reports
Users assigned *only* this role cannot complete tasks, request access, or perform the other functions included in the **Basic User** user role.
### Super Administrator
Users with this role can:
* Do everything listed in the **Basic User** role
* Request access to apps and resources for any user
* View, create, and manage all C1 assets:
* Campaigns
* Applications
* Conflict monitors
* Access profiles
* Connectors
* Automations
* Groups
* Policies
* Promote unmanaged apps to managed
* View and manage tasks, reassign any task (when doing so is allowed by the task's governing policy)
* View and manage users, including changing user role assignments
* View and work with access explorer and access graph
* Create and download reports
* View, create, and manage request forms
* View, create, and manage all C1 settings
* View all tenant secret metadata (not content), revoke any secret, access secret audit logs