# Important changes to roles and permissions

export const metl = "Matillion ETL";

export const m_runner = "Maia runner";

export const designer = "Designer";

export const maia_agents = "Maia AI Agents";

export const maia = "Maia";

We would like to inform you of some important changes to roles and permissions that we are implementing, primarily in {maia}. Please read them carefully, **as the permissions of your users will change.**

We will be adding account roles and making changes to the project and environment roles. These changes are designed to simplify the management of your account and support some exciting new features we will be launching in the next few months, such as the ability to create custom roles.

***

## Upcoming changes

* Control over an environment inheriting a default value.
* Changes to Account roles for all users.

### Completed changes

* New **Contributor** role for environments.
* Changes to the **Runner** (now called **Operator**) role for environments.
* Users with the **Contributor** role on a project can now create and modify project-level variables, but can't delete them.

For more information, read [Environment roles](/docs/administration/environment-roles).

***

## Account role changes

We are simplifying user management at the account level by migrating all existing users to one of the following new roles:

* **Super Admin**
* **Admin**
* **Billing Admin**
* **Member**

This change affects **all users** of both {metl} (when logging into Matillion Hub) and {maia}.

Once migrated, for accounts where {maia} is enabled, all users will be able to access {designer}, and it will no longer be possible to restrict access to {designer} at a user level.

If {maia_agents} are [enabled at the account level](/docs/administration/manage-accounts#create-a-new-account), then all users will be able to access {maia_agents}. The ability to control access to {maia_agents} at the user level will be restored with the launch of [Custom Roles](https://roadmap.matillion.com/p/custom-roles) in the coming months.

Users will be mapped as below:

* Any user with **Super Admin** → **Super Admin**.
* Any user with **Billing** → **Billing Admin**.
* A user with both **User Admin** *and* **Can create projects** → **Admin**.
* All other users → **Member**.

The permissions for each account role are as follows:

| Role          | Manage All Projects and Environments | Billing | User Management | Manage {m_runner}s | Create Projects |
| ------------- | ------------------------------------ | ------- | --------------- | ------------------ | --------------- |
| Super Admin   | Yes                                  | Yes     | Yes             | Yes                | Yes             |
| Billing Admin | No                                   | Yes     | Yes             | No                 | Yes             |
| Admin         | No                                   | No      | Yes             | Yes                | Yes             |
| Member        | No                                   | No      | No              | No                 | No              |

Users will be mapped according to their permissions at the time of the migration, so any changes made between now and then will affect the role each user is migrated to.

We'll confirm the exact date of this change closer to the time.

**Action required:**

Review the existing account permissions of your users and update them in line with the mapping above to avoid a loss of functionality.

<Note>
  Directory Integration users and API Credentials are not affected by the account role changes, as these already use the new roles.
</Note>
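To review the effect of the mapping before the migration, the following added example (not Matillion code) predicts each user's new account role from the rules above and lists the capabilities each user would lose or gain according to the account role table. It assumes the rules take precedence in the order listed and that each legacy permission grants only the same-named capability; the user list and the capability key names are constructed for illustration.

```python
# Added example: predict post-migration account roles; sample data is constructed.
# Capabilities per new role, taken from the account role permission table.
ROLE_CAPS = {
    "Super Admin": {"manage_all", "billing", "user_mgmt", "manage_runners", "create_projects"},
    "Billing Admin": {"billing", "user_mgmt", "create_projects"},
    "Admin": {"user_mgmt", "manage_runners", "create_projects"},
    "Member": set(),
}

# Assumption: each legacy permission grants only the same-named capability today.
LEGACY_CAPS = {
    "Super Admin": ROLE_CAPS["Super Admin"],
    "Billing": {"billing"},
    "User Admin": {"user_mgmt"},
    "Can create projects": {"create_projects"},
}

def migrated_role(perms):
    """Apply the mapping rules in the order the page lists them (assumed precedence)."""
    perms = set(perms)
    if "Super Admin" in perms:
        return "Super Admin"
    if "Billing" in perms:
        return "Billing Admin"
    if {"User Admin", "Can create projects"} <= perms:
        return "Admin"
    return "Member"

def audit(users):
    """Return {user: (new_role, lost_caps, gained_caps)} for every user."""
    report = {}
    for name, perms in users.items():
        before = set().union(*(LEGACY_CAPS.get(p, set()) for p in perms))
        role = migrated_role(perms)
        report[name] = (role, sorted(before - ROLE_CAPS[role]), sorted(ROLE_CAPS[role] - before))
    return report

# Constructed sample users with their legacy account permissions.
USERS = {
    "alice": {"Super Admin"},
    "bob": {"Billing"},
    "carol": {"User Admin", "Can create projects"},
    "dave": {"User Admin"},
    "erin": {"Can create projects"},
}

if __name__ == "__main__":
    for user, (role, lost, gained) in audit(USERS).items():
        print(f"{user:6} -> {role:13} lost={lost} gained={gained}")
```

Users with a non-empty `lost` list are the ones the action above is about; a non-empty `gained` list marks users whose access widens at migration and may warrant a least-privilege review.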

***

## Project role changes

Users with the **Contributor** role on a project will be able to create and modify project-level variables, but will not be able to delete them.

This change affects {maia} users only.

***

## Environment role changes

We are introducing a new **Contributor** role to environments that can modify environment-level overrides for project-level variables, secret definitions, and OAuths. See the environment role permission table below for the **Contributor** role's full capabilities.

With the addition of the **Contributor** role, we will remove the following permissions from the **Operator** role:

* Sample pipelines
* Validate pipelines
* Run unpublished pipelines
* Schema view

The **Owner**, **Contributor**, and **Operator** roles will be able to run published pipelines.

The new permissions for environment roles are as follows:

| Capability                                                 | Owner | Contributor | Operator | Viewer |
| ---------------------------------------------------------- | ----- | ----------- | -------- | ------ |
| **Pipelines**                                              |       |             |          |        |
| Validate                                                   | ✅     | ✅           | ❌        | ✅      |
| Sample                                                     | ✅     | ✅           | ❌        | ✅      |
| Run unpublished pipelines                                  | ✅     | ✅           | ❌        | ❌      |
| View executions                                            | ✅     | ✅           | ✅        | ✅      |
| Cancel execution                                           | ✅     | ✅           | ✅        | ❌      |
| **Schemas**                                                |       |             |          |        |
| View                                                       | ✅     | ✅           | ❌        | ✅      |
| **Artifacts**                                              |       |             |          |        |
| Publish                                                    | ✅     | ✅           | ❌        | ❌      |
| Run published pipelines                                    | ✅     | ✅           | ✅        | ❌      |
| View                                                       | ✅     | ✅           | ✅        | ✅      |
| Promote                                                    | ✅     | ✅           | ❌        | ❌      |
| Delete                                                     | ✅     | ❌           | ❌        | ❌      |
| **Schedules**                                              |       |             |          |        |
| Create                                                     | ✅     | ✅           | ✅        | ❌      |
| View                                                       | ✅     | ✅           | ✅        | ✅      |
| Update                                                     | ✅     | ✅           | ✅        | ❌      |
| Delete                                                     | ✅     | ✅           | ✅        | ❌      |
| **Environment Overrides (Project variables, connections)** |       |             |          |        |
| Create                                                     | ✅     | ✅           | ❌        | ❌      |
| View                                                       | ✅     | ✅           | ✅        | ✅      |
| Update                                                     | ✅     | ✅           | ❌        | ❌      |
| Delete                                                     | ✅     | ✅           | ❌        | ❌      |
| **Lineage**                                                |       |             |          |        |
| View                                                       | ✅     | ✅           | ✅        | ✅      |

This change affects {maia} users only.

**Action required:**

Make sure that all users who need to edit or manage an environment configuration, or environment overrides for project variables, are assigned the **Contributor** environment role. For more information, read [Environment roles](/docs/administration/environment-roles).

***

## Environment configuration change

We are introducing the ability to prevent an environment from inheriting default values in project-level variables, secret definitions, and OAuths. You will be able to set this when creating or editing an environment.

When an environment is set to not inherit project-level default values, it will instead always use the environment default override.

This change affects {maia} users only.

### Need support?

If you need support with these changes, please raise a [support ticket](https://support.matillion.com/s/).
