# Predefined Organization Teams and their Corresponding Roles
The following teams are created and granted pre-defined roles when an organization is created.
| Team | Role | Description | Permissions |
| -------------------------------------- | ----------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `Organization Owners` | `Owner` | The initial user(s) created when the organization is created are added to this team. New users may be added to this team as part of the invitation to join the organization. Existing users in an organization are added to this group when RBAC is enabled for an existing organization. The Owner role granted to the Organization Owners team is special in that it cannot be revoked. This is to prevent owners from locking themselves out of their organization. | - Approve Access Request
- Configure Billing
- Configure Identity Providers
- Configure SCIM
- Control Access
- Create Team
- Create Workspace Group
- Delete
- Edit Organization
- Invite Users
- Manage API Keys
- Monitor
- Operate
- View Billing
|
| `Organization Billing Administrators` | `Billing Administrator` | This team can access usage information and invoices as well as configure payment information. Since they can see billing information for allworkspaces, they can see the names of allworkspacegroups.It is initially empty, but new users may be added to this team as part of the invitation to join the organization. | - Configure Billing
- View Billing
|
| **`Organization User Administrators`** | `User Administrator` | This team is initially empty, but new users may be added to this team as part of the invitation to join the organization. | - Create Team
- Configure Identity Providers
- Configure SCIM
- Invite Users
|
| `Organization Operators` | `Operator` | This team is granted the Operator role for the organization and allworkspacegroups in the organization. The members are responsible for managing all admin operations on the resources they have privileges on. It is initially empty, but new users may be added to this team as part of the invitation to join the organization. | |
| `Organization Writers` | `Writer` | This team is granted the Writer role for the organization and allworkspacegroups in the organization. The members have the privilege to both read and write to theworkspacegroups in the organization. It is initially empty, but new users may be added to this team as part of the invitation to join the organization. | - Read and write permissions on all databases
|
| `Organization Readers` | `Reader` | This team is granted the Reader role for the organization and allworkspacegroups in the organization. The members have the privilege to only read from anyworkspacegroups in the organization. It is initially empty, but new users may be added to this team as part of the invitation to join the organization. | - Read permission on all databases
|
| **`Organization Observers`** | `Observer` | This team is granted the view permissions for monitoring operations in theworkspaces andworkspacegroup of an organization. For example: they can open Grafana boards for eachworkspacegroup in the organization. This team is initially empty but new users may be added to this team as part of the invitation to join the organization. | |
| `Organization Members` | None | This team has the same name as the organization. This is the default team that contains all users with any access to the organization. All new users are automatically added to this team. Members of this team are granted no roles by default. | None |
## Predefined Role for Teams in an Organization
> **📝 Note**: Team Role is supported only in the Standard and Enterprise editions.
## Team Role
| Role | Description | Permissions |
| ------- | ---------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------- |
| `Owner` | Owners are granted full access to the team including the ability to manage the team and its members. | - Control Access
- Delete Team
- Edit Team
- Manage Members
|
## Predefined Roles for Secrets in an Organization
> **📝 Note**: Secret roles are supported only in the Standard and Enterprise editions.
## Secret Roles
| Role | Description | Permissions |
| -------- | ------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------- |
| `Owner` | Owners are granted full access to theSingleStoresecrets including the ability to create, operate, delete, and share the secret. | - Control Access
- Delete
- Operate
- View
|
| `Reader` | Readers are granted access to only view the secret. | |
***
Modified at: May 12, 2026
Source: [/cloud/security/administration/role-based-access-control-rbac-for-singlestore-helios/predefined-organization-teams-and-their-corresponding-roles/](https://docs.singlestore.com/cloud/security/administration/role-based-access-control-rbac-for-singlestore-helios/predefined-organization-teams-and-their-corresponding-roles/)
(An index of the documentation is available at /llms.txt)