# Roles and Permissions

## Login Roles and Permissions

Dropzone AI users are assigned a role that determines what access they have to the Dropzone environment.

The following table describes the roles and permissions available to Dropzone AI users:

| Role Name                | Permissions                                                                                                                                   |
| ------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------- |
| **Admin**                | Full write access; create and update integration configuration; create response automation; manage users; create and update custom strategies |
| **Member**               | Minimal write access; create context memory; add investigation feedback; ask questions of the AI                                              |
| **Restricted Read Only** | Read-only access; view investigations and dashboards; view custom strategies; no ad-hoc chat                                                  |

## Role Source

Dropzone AI users get their role from one of two places:

* If logging in via a **SAML/SSO provider**, Dropzone uses the role provided by your IDP (Identity Provider).
* If logging in via **username/password**, **federated Google**, or **Microsoft** buttons, Dropzone uses the role set in **Team Admin**.

{% hint style="info" %}
Most Dropzone customers who enable SAML/SSO will disable federated Google/Microsoft login and username/password authentication. This is the preferred configuration, as it lets your IDP (Identity Provider) stay in charge of what access an individual has.
{% endhint %}

{% hint style="warning" %}
Role changes made via **Team Admin** are overridden by SAML settings when a user logs in.
{% endhint %}

## Managing Users via Team Admin

The following describes how to manage users via the Team Admin interface.

{% hint style="info" %}
If you are using SAML/SSO, see the instructions for setting up your specific SAML system (for example, Google Workspace or Okta). When using SAML/SSO, you do not need to perform any local Team Admin user management.
{% endhint %}

* Navigate to your Dropzone AI tenant home page (for example, `https://mycompany.dropzone.app`).
* Click your person icon on the far right and select **Team Admin**.
* From the Team Admin page, you can see the users who have accounts in this Dropzone environment.

{% hint style="warning" %}
If you use SAML/SSO, this list may be incomplete. It only shows users you’ve explicitly invited via Team Admin and those who have logged into Dropzone via SAML. Your IDP may allow additional users who have not logged in yet, and they will not appear here.
{% endhint %}

## Adding a User

To add a user:

* From the Team Admin page, click the **Add User** button.
* Enter the name and email address of the user you want to invite.
* Select the role from the dropdown.
* Click **Save** to invite the user.

## First-Time Sign-In

Once you've invited a user via the Team Admin page, the user can log in. The authentication methods you've enabled determine how the user signs in:

* If you allow **password authentication**, the user will receive an email with a one-time link to accept the invite and set up a password.
* If you do **not** allow password authentication, the user must log in using a federated **Google** or **Microsoft** button.

## Activating / Deactivating Users

Users appear in one of two states:

* **Active**
  * Able to log in
  * Click **Deactivate** to disable login access
* **Deactivated**
  * Not able to log in
  * Click **Reactivate** to allow login again

## Deleting Users

Dropzone does not currently allow you to delete users. Instead, users can be **deactivated**.

Keeping the user in the system ensures their previous actions remain properly accounted for in audit logs and historical records.


