# User Roles
Each of the new API users should obtain a role to define access restrictions for direct API connections. Set the role in the `user_type` field when you create a new user.
* `ADMIN` is a system administrator, who has unlimited access to all system objects, but can't change the analyses' statuses;
* `OPERATOR` is a system operator, who can view all system objects and choose the analysis result via the **Make Decision** button (usually needed if the [status](/oz-knowledge/guides/developer-guide/api/oz-api/statuses-in-api.md) is `OPERATOR_REQUIRED`);
* `CLIENT` is a regular consumer account, who can upload media files, process analyses, view results in personal folders, generate reports for analyses.
* `can_start_analysis_biometry` – an additional flag to allow access to [BIOMETRY](/oz-knowledge/guides/developer-guide/api/oz-api/basic-scenarios/biometry.md) analyses (enabled by default);
* `can_start_analysis_quality` – an additional flag to allow access to [LIVENESS](/oz-knowledge/guides/developer-guide/api/oz-api/basic-scenarios/liveness.md) (QUALITY) analyses (enabled by default);
* `can_start_analysis_collection` – an additional flag to allow access to [BLACK LIST](/oz-knowledge/guides/developer-guide/api/oz-api/basic-scenarios/collection.md) analyses (enabled by default).
* `CLIENT ADMIN` is a company administrator that can manage their company account and users within it. Additionally, `CLIENT ADMIN` can view and edit data of all users within their company, delete files in folders, add or delete report templates with or without attachments, the reports themselves and single analyses, check statistics, add new blacklist collections.
* `CLIENT OPERATOR` is similar to `OPERATOR` within their company.
* `CLIENT SERVICE` is a service user account for automatic connection purposes. Authentication with this user creates a long-live access token (5 years by default). The token lifetime for regular uses is 15 minutes by default (parameterized) and, also by default, the lifetime of a token is extended with each request (parameterized).
For API versions below 6.0
For API 5.3 and below, to create a CLIENT user with admin or service rights, you require to set the corresponding flags to true:
* `is_admin` – if set, the user obtains access to other users' data within this admin's company.
* `is_service` is a flag that marks the user account as a service accountfor automatic connection purposes. Authentication with this user creates a long-live access token (5 years by default). The token lifetime for regular uses is 15 minutes by default (parameterized) and, also by default, the lifetime of a token is extended with each request (parameterized).
Here's the detailed information on access levels.
#### Company
| | | | |
|---|
| Create | Read | Update | Delete |
| ADMIN | + | + | + | + |
| OPERATOR | - | + | - | - |
| CLIENT | - | their company data | - | - |
| CLIENT SERVICE | - | their company data | - | - |
| CLIENT OPERATOR | - | their company data | - | - |
| CLIENT ADMIN | - | their company data | their company data | their company data |
#### Folder
| | | | |
|---|
| Create | Read | Update | Delete |
| ADMIN | + | + | + | + |
| OPERATOR | + | + | + | - |
| CLIENT | their folders | their folders | their folders | - |
| CLIENT SERVICE | within their company | within their company | within their company | - |
| CLIENT OPERATOR | within their company | within their company | within their company | - |
| CLIENT ADMIN | within their company | within their company | within their company | within their company |
#### Report template
| | | | |
|---|
| Create | Read | Update | Delete |
| ADMIN | + | + | + | + |
| OPERATOR | + | + | + | - |
| CLIENT | - | within their company | - | - |
| CLIENT SERVICE | - | within their company | - | - |
| CLIENT OPERATOR | within their company | within their company | within their company | - |
| CLIENT ADMIN | within their company | within their company | within their company | within their company |
#### Report template attachments
| | | |
|---|
| Create | Read | Delete |
| ADMIN | + | + | + |
| OPERATOR | + | + | - |
| CLIENT | - | within their company | - |
| CLIENT SERVICE | - | within their company | - |
| CLIENT OPERATOR | within their company | within their company | - |
| CLIENT ADMIN | within their company | within their company | within their company |
#### Report
| | | |
|---|
| Create | Read | Delete |
| ADMIN | + | + | + |
| OPERATOR | + | + | - |
| CLIENT | in their folders | in their folders | - |
| CLIENT SERVICE | within their company | within their company | - |
| CLIENT OPERATOR | within their company | within their company | - |
| CLIENT ADMIN | within their company | within their company | within their company |
#### Analysis
| | | | |
|---|
| Create | Read | Update | Delete |
| ADMIN | + | + | + | + |
| OPERATOR | + | + | + | - |
| CLIENT | in their folders | in their folders | - | - |
| CLIENT SERVICE | within their company | within their company | within their company | - |
| CLIENT OPERATOR | within their company | within their company | within their company | - |
| CLIENT ADMIN | within their company | within their company | within their company | within their company |
#### Collection
| | | | |
|---|
| Create | Read | Update | Delete |
| ADMIN | + | + | + | + |
| OPERATOR | - | + | - | - |
| CLIENT | - | within their company | - | - |
| CLIENT SERVICE | within their company | within their company | - | - |
| CLIENT OPERATOR | - | within their company | - | - |
| CLIENT ADMIN | within their company | within their company | within their company | within their company |
#### Person
| | | |
|---|
| Create | Read | Delete |
| ADMIN | + | + | + |
| OPERATOR | - | + | - |
| CLIENT | - | within their company | - |
| CLIENT SERVICE | within their company | within their company | - |
| CLIENT OPERATOR | - | within their company | - |
| CLIENT ADMIN | within their company | within their company | within their company |
#### Person image
| | | |
|---|
| Create | Read | Delete |
| ADMIN | + | + | + |
| OPERATOR | - | + | - |
| CLIENT | - | within their company | - |
| CLIENT SERVICE | - | within their company | - |
| CLIENT OPERATOR | - | within their company | - |
| CLIENT ADMIN | within their company | within their company | within their company |
#### User
| | | | |
|---|
| Create | Read | Update | Delete |
| ADMIN | + | + | + | + |
| OPERATOR | - | + | their data | - |
| CLIENT | - | their data | their data | - |
| CLIENT SERVICE | - | within their company | their data | - |
| CLIENT OPERATOR | - | within their company | their data | - |
| CLIENT ADMIN | within their company | within their company | within their company | within their company |
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://doc.ozforensics.com/oz-knowledge/guides/developer-guide/api/oz-api/user-roles.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.