# User Roles Each of the new API users should obtain a role to define access restrictions for direct API connections. Set the role in the `user_type` field when you create a new user. * `ADMIN` is a system administrator, who has unlimited access to all system objects, but can't change the analyses' statuses; * `OPERATOR` is a system operator, who can view all system objects and choose the analysis result via the **Make Decision** button (usually needed if the [status](https://doc.ozforensics.com/oz-knowledge/guides/developer-guide/api/oz-api/statuses-in-api) is `OPERATOR_REQUIRED`); * `CLIENT` is a regular consumer account, who can upload media files, process analyses, view results in personal folders, generate reports for analyses. * `can_start_analysis_biometry` – an additional flag to allow access to [BIOMETRY](https://doc.ozforensics.com/oz-knowledge/guides/developer-guide/api/oz-api/basic-scenarios/biometry) analyses (enabled by default); * `can_start_analysis_quality` – an additional flag to allow access to [LIVENESS](https://doc.ozforensics.com/oz-knowledge/guides/developer-guide/api/oz-api/basic-scenarios/liveness) (QUALITY) analyses (enabled by default); * `can_start_analysis_collection` – an additional flag to allow access to [BLACK LIST](https://doc.ozforensics.com/oz-knowledge/guides/developer-guide/api/oz-api/basic-scenarios/collection) analyses (enabled by default). * `CLIENT ADMIN` is a company administrator that can manage their company account and users within it. Additionally, `CLIENT ADMIN` can view and edit data of all users within their company, delete files in folders, add or delete report templates with or without attachments, the reports themselves and single analyses, check statistics, add new blacklist collections. * `CLIENT OPERATOR` is similar to `OPERATOR` within their company. * `CLIENT SERVICE` is a service user account for automatic connection purposes. Authentication with this user creates a long-live access token (5 years by default). The token lifetime for regular uses is 15 minutes by default (parameterized) and, also by default, the lifetime of a token is extended with each request (parameterized).
For API versions below 6.0 For API 5.3 and below, to create a CLIENT user with admin or service rights, you require to set the corresponding flags to true: * `is_admin` – if set, the user obtains access to other users' data within this admin's company. * `is_service` is a flag that marks the user account as a service accountfor automatic connection purposes. Authentication with this user creates a long-live access token (5 years by default). The token lifetime for regular uses is 15 minutes by default (parameterized) and, also by default, the lifetime of a token is extended with each request (parameterized).
Here's the detailed information on access levels. #### Company

CreateReadUpdateDelete
ADMIN++++
OPERATOR-+--
CLIENT-their company data--
CLIENT SERVICE-their company data--
CLIENT OPERATOR-their company data--
CLIENT ADMIN-their company datatheir company datatheir company data
#### Folder

CreateReadUpdateDelete
ADMIN++++
OPERATOR+++-
CLIENTtheir folderstheir folderstheir folders-
CLIENT SERVICEwithin their companywithin their companywithin their company-
CLIENT OPERATORwithin their companywithin their companywithin their company-
CLIENT ADMINwithin their companywithin their companywithin their companywithin their company
#### Report template

CreateReadUpdateDelete
ADMIN++++
OPERATOR+++-
CLIENT-within their company--
CLIENT SERVICE-within their company--
CLIENT OPERATORwithin their companywithin their companywithin their company-
CLIENT ADMINwithin their companywithin their companywithin their companywithin their company
#### Report template attachments

CreateReadDelete
ADMIN+++
OPERATOR++-
CLIENT-within their company-
CLIENT SERVICE-within their company-
CLIENT OPERATORwithin their companywithin their company-
CLIENT ADMINwithin their companywithin their companywithin their company
#### Report

CreateReadDelete
ADMIN+++
OPERATOR++-
CLIENTin their foldersin their folders-
CLIENT SERVICEwithin their companywithin their company-
CLIENT OPERATORwithin their companywithin their company-
CLIENT ADMINwithin their companywithin their companywithin their company
#### Analysis

CreateReadUpdateDelete
ADMIN++++
OPERATOR+++-
CLIENTin their foldersin their folders--
CLIENT SERVICEwithin their companywithin their companywithin their company-
CLIENT OPERATORwithin their companywithin their companywithin their company-
CLIENT ADMINwithin their companywithin their companywithin their companywithin their company
#### Collection

CreateReadUpdateDelete
ADMIN++++
OPERATOR-+--
CLIENT-within their company--
CLIENT SERVICEwithin their companywithin their company--
CLIENT OPERATOR-within their company--
CLIENT ADMINwithin their companywithin their companywithin their companywithin their company
#### Person

CreateReadDelete
ADMIN+++
OPERATOR-+-
CLIENT-within their company-
CLIENT SERVICEwithin their companywithin their company-
CLIENT OPERATOR-within their company-
CLIENT ADMINwithin their companywithin their companywithin their company
#### Person image

CreateReadDelete
ADMIN+++
OPERATOR-+-
CLIENT-within their company-
CLIENT SERVICE-within their company-
CLIENT OPERATOR-within their company-
CLIENT ADMINwithin their companywithin their companywithin their company
#### User

CreateReadUpdateDelete
ADMIN++++
OPERATOR-+their data-
CLIENT-their datatheir data-
CLIENT SERVICE-within their companytheir data-
CLIENT OPERATOR-within their companytheir data-
CLIENT ADMINwithin their companywithin their companywithin their companywithin their company