> ## Documentation Index
> Fetch the complete documentation index at: https://docs.omneo.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Users and Permissions

> Creating and managing CX Manager users and their role-based permissions.

Omneo CX Manager uses a role-based permission system. Every user is assigned a role that controls what they can read, create, update, and delete within the platform.

## Roles

| Role          | Description                                                                                                         |
| ------------- | ------------------------------------------------------------------------------------------------------------------- |
| **Admin**     | Full read, write, update, and delete access to everything in CX Manager                                             |
| **Manager**   | Read, update, and delete access, cannot create new data or configurations. Can still create profiles in Clienteling |
| **Reporting** | Read-only access, suited to users who need to view data and generate reports                                        |
| **Machine**   | For integrations only, not for human users. Use this role when creating a user account to power an API integration  |

## Creating a user

1. In CX Manager, navigate to **Settings → Users**
2. Enter the user's name and email address
3. Assign a role
4. Set a password: passwords must be at least 32 characters

<Warning>
  Machine role accounts are for API integrations only. Never share Machine user credentials with human users. Store credentials securely.
</Warning>

## Machine users and API tokens

For programmatic access, prefer creating a Machine user and generating an API token scoped to that user. This gives you clear audit trails and the ability to revoke access without impacting other users.

See [API Tokens](/dev-guides/core-setup/api-tokens) for details on generating and managing tokens.

## Clienteling access

Users with the Manager role can log in to Clienteling and create profiles there, even though they cannot create records via CX Manager. If you want a staff user to have Clienteling access only (without CX Manager access), the Manager role is the appropriate choice.

<Note>Content needed: granular permission matrix per role, invite-by-email workflow, SSO/SAML configuration if supported.</Note>
