# Roles > Auditforge can manage different user account roles to access different kind of data with some level of granularity
> There are 2 builtins roles: user and admin. But additional custom roles can easily be added. ## List of permissions Here is the list of available permissions to access data: | Audits | Vulnerabilities | Data | Custom Data | Settings | Classify | | :---------------: | :--------------------------: | :--------------: | :-----------------------------: | :------------------: | :--------: | | audits:create | vulnerabilities:create | users:create | languages:create | settings:read | classify:all | | audits:read | vulnerabilities:read | users:read | languages:read | settings:read-public | | | audits:update | vulnerabilities:update | users:update | languages:update | settings:update | | | audits:delete | vulnerabilities:delete | users:delete | languages:delete | | | | audits:read-all | vulnerability-updates:create | clients:create | audit-types:create | | | | audits:update-all | | clients:read | audit-types:read | | | | audits:delete-all | | clients:update | audit-types:update | | | | audits:review | | clients:delete | audit-types:delete | | | | audits:review-all | | companies:create | vulnerability-types:create | | | | | | companies:read | vulnerability-types:read | | | | | | companies:update | vulnerability-types:update | | | | | | companies:delete | vulnerability-types:delete | | | | | | templates:create | vulnerability-categories:create | | | | | | templates:read | vulnerability-categories:read | | | | | | templates:update | vulnerability-categories:update | | | | | | templates:delete | vulnerability-categories:delete | | | | | | roles:read | custom-fields:create | | | | | | | custom-fields:read | | | | | | | custom-fields:update | | | | | | | custom-fields:delete | | | | | | | sections:create | | | | | | | sections:read | | | | | | | sections:update | | | | | | | sections:delete | | | ## Built-In Roles ### user This role has following permissions: - audits:create, audits:read, audits:update, audits:delete - vulnerabilities:read, vulnerability-updates:create - users:read, roles:read - clients:create, clients:read, clients:update, clients:delete - companies:create, companies:read, companies:update, companies:delete - templates:read - languages:read, audit-types:read, vulnerability-types:read, vulnerability-categories:read, sections:read, custom-fields:read - settings:read-public - classify:all ### admin This role has full permissions access ## Create additional Roles Custom roles can be defined in `backend/src/config/roles.json` The format is: ``` role_name: { allows: [], // Array of allowed permissions to access or use '*' for all (admin) inherits: [] // Array of inherited users permissions } ``` A default custom role is already defined as a `report` role for example: ``` "report": { "inherits": ["user"], "allows": [ "audits:read-all" ] } ``` This role inherits all `user` permissions but since `user` can only access and modify its own Audits, we add the `audits:read-all` permission to `report` to access all Audits. To update and delete all Audits additional `audits:update-all` and `audits:delete-all` would be required. To be able to properly use the review feature of the application, a reviewer role should be added. This reviewer should have the `audits:review` or `audits:review-all` permissions to be able to review reports. A reviewer with only the `audits:review` permission can only review the reports on which they are assigned. The role could look like the following: ``` "reviewer": { "inherits": ["user"], "allows": [ "audits:review" ] } ``` A reviewer with the `audits:review-all` permission should also have the `audits:read-all` permission to be able to take full advantage of the first one. He could look like the following: ``` "reviewer": { "inherits": ["user"], "allows": [ "audits:review-all", "audits:read-all" ] } ``` Keep in mind that these two roles inherit their permissions from the `user` role, which means that they can also create their own audits. A reviewer cannot review an audit for which he is the creator or a collaborator.