> ## Documentation Index > Fetch the complete documentation index at: https://docs.twenty.com/llms.txt > Use this file to discover all available pages before exploring further. # Permissions FAQ > Frequently asked questions about roles and permissions. ## Roles Twenty comes with an **Admin** and **Member** roles by default. You can create additional custom roles based on your team's needs (e.g., Sales Rep, Manager, Read-Only User). No, the Admin role cannot be deleted. There must always be at least one member assigned to the Admin role. Any workspace member assigned to that role will be automatically reassigned to the default role. Go to **Settings → Members → Roles**, find the **Default Role** option, and select which role new members should automatically receive when they join. No, each user can only have one role at a time. Create a custom role if you need a combination of permissions. ## Permissions * **Object permissions**: Control access to entire records (e.g., can see/edit/delete People records) * **Field permissions**: Control access to specific fields within an object (e.g., can see but not edit the Salary field) Field permissions allow more granular control over sensitive data. Permissions cascade from global to specific: 1. **All Objects** sets the baseline for all objects 2. **Object-Level Permissions** can override the global setting for specific objects 3. **Field-Level Permissions** can override the object setting for specific fields More specific settings always take precedence. For objects: * **See Records**: View records in lists and detail pages * **Edit Records**: Modify existing records * **Delete Records**: Soft-delete records (can be restored) * **Destroy Records**: Permanently delete records For fields: * **See Field**: View the field value * **Edit Field**: Modify the field value * **No Access**: Field is completely hidden Row-level permissions will be available on the **Organization** plan by Q1 2026. This allows you to restrict access to specific records based on criteria (e.g., only see your own opportunities). 1. Go to **Settings → Members → Roles** 2. Select the role 3. Navigate to the object containing the field 4. Set the field permission to **See Field** (without Edit Field) ## Settings & Actions You can control access to: * API key generation * Workspace preferences * Role assignment * Data model configuration * Security settings * Workflow management Use **Settings All Access** to grant full access, or enable specific permissions. You can control: * **Send Email**: Ability to send emails from Twenty * **Import CSV**: Ability to import data via CSV * **Export CSV**: Ability to export data to CSV Use **Application All Access** to grant all actions, or enable specific ones. ## SSO No, SSO is a Premium feature available on the **Organization** plan only. Twenty supports: * **SAML 2.0** (works with most enterprise identity providers) * **Google Workspace** * **Microsoft Entra ID** (formerly Azure AD) With JIT provisioning, user accounts are automatically created in Twenty when someone logs in via SSO for the first time. They're assigned the default role automatically. Yes, once SSO is configured, you can disable password login for SSO users to enforce authentication through your identity provider.