> ## Documentation Index
> Fetch the complete documentation index at: https://docs.gcore.com/llms.txt
> Use this file to discover all available pages before exploring further.

# User roles and rights

Every user in a project has a role that controls what they can see and do. There are five roles across two scopes: one account-level role and four project-level roles.

## Role comparison

| Capability                     | Client Administrator | Project Administrator | Project User | Internal Network Only User | Project Observer |
| ------------------------------ | -------------------- | --------------------- | ------------ | -------------------------- | ---------------- |
| Scope                          | Account              | Project               | Project      | Project                    | Project          |
| Manage projects                | ✓                    |                       |              |                            |                  |
| Invite and manage users        | ✓                    | ✓                     |              |                            |                  |
| Reservation cost report        | ✓                    |                       |              |                            |                  |
| Cost reports and audit logs    | All projects         | This project          | This project | This project               | This project     |
| Read account quotas            | ✓                    | ✓                     | ✓            | ✓                          | ✓                |
| Create, edit, delete resources | ✓                    | ✓                     | ✓            | Restricted                 |                  |
| Read resources                 | ✓                    | ✓                     | ✓            | ✓                          | ✓                |
| Public network access          | ✓                    | ✓                     | ✓            |                            |                  |

## Client Administrator

**Scope:** Account

The only account-level role. A Client Administrator can manage all projects across the account and invite users to any project, assigning roles up to and including Client Administrator. They have full access to all Cloud resources in every project, all cost reports (including the reservation cost report), audit logs, and resource reservations.

## Project-level roles

The following roles are assigned per project. A user can have different roles in different projects.

### Project Administrator

**Scope:** Project

Manages a project and its users. Can invite users and assign roles up to Project Administrator level. Has full read/write access to all Cloud resources in the project, plus cost reports and audit logs for that project.

### Project User

**Scope:** Project

Works within a project without managing user access. Resource permissions are identical to Project Administrator — the only difference is that Project User cannot invite or manage other users.

### Project Internal Network Only User

**Scope:** Project

Designed for isolated private environments where access to the public internet must be prevented. This role cannot:

* Create resources with a public IP address (Virtual Machines, Bare Metal, GPU Cloud, Load Balancers, Managed Kubernetes)
* Use floating IP addresses
* Attach a public IP to any existing resource

Within these restrictions, the role has read/write access to Virtual Machines, Bare Metal, Volumes, Snapshots, File Shares, GPU Cloud, Function as a Service, Managed Logging, Images, SSH Keys, Networks, Firewalls, and Load Balancers. Managed Kubernetes and Container as a Service are read-only.

### Project Observer

**Scope:** Project

Read-only access to the project. Can view all Cloud resources, cost reports, and audit logs but cannot create, edit, or delete anything.
