# User roles and permissions

## Role overview <a href="#administration-columns" id="administration-columns"></a>

You can work with Medcrypt to assign and manage roles for each of your users. [Contact us](mailto:support@medcrypt.co) to add or modify user permissions.

* **Admin:** This role full access to everything in Guardian for your organization.
* **Reporter (Auditing):** This role has view-only access to everything in Guardian for your organization.
* **Limited:** This is a specialized role for third parties who need to provision devices but shouldn't have broader system access.

### Admin role <a href="#admin-role" id="admin-role"></a>

This role has full access to all products and vulnerabilities in the organization and is the only role that can:

* Manage users
* Implement Guardian:&#x20;
  * Download Guardian Library
  * View and export Root of Trust certificates (root and intermediate level)
* Manage device provisioning
  * Approve and reject PRs and complete device provisioning&#x20;
    * [Manual approval type](https://docs.medcrypt.com/manage-devices/manage-device-provisioning#manual-approval-type)
    * [Automatic approval type](https://docs.medcrypt.com/manage-devices/manage-device-provisioning#automatic-approval-type)
  * Export device provisioning report
* View and export root and intermediate certificates

### Reporter (Auditing) role

This role has view-only access to all systems in an organization.&#x20;

* View certificates:
  * View and export root and intermediate certificates
* View systems monitoring
* View device provisioning
  * Export device provisioning report

### Limited role

This is a special role for third parties who need to be able to provision devices at hospitals, but not view anything else. This could be a field engineer.

* Provision devices
  * Upload provision request (PR)
  * Download certified profile (CP)
  * View devices that they have personally provisioned
  * Export device provisioning report