# Permissions & RBAC

> Permission reference for the Devin API

Every API endpoint is gated by a specific permission assigned to the calling service user's role. The required permission for each endpoint is documented on its individual API reference page. This page provides a summary of all permissions by scope.

**Base URLs:**

* `https://api.devin.ai/v3/organizations/*` — endpoints scoped to a single organization
* `https://api.devin.ai/v3/enterprise/*` — endpoints that require enterprise-level permissions

<Note>
  **Devin Enterprise** customers with a dedicated deployment should replace `api.devin.ai` with their custom API domain (e.g., `api.your-company.devinenterprise.com`). See the [Enterprise quick start](/api-reference/getting-started/enterprise-quickstart) for setup details.
</Note>

<Tip>
  Find your organization ID on the **Settings → Service Users** page.
</Tip>

<Note>
  Some enterprise endpoints operate on specific organizations using paths like
  `/v3/enterprise/organizations/{org_id}/...` (for example, audit logs and tags).
  Even though they include an `org_id` parameter, they require **enterprise-level** permissions.
</Note>

## Enterprise permissions

| Permission                   | Controls                                                                                                              |
| ---------------------------- | --------------------------------------------------------------------------------------------------------------------- |
| `ReadAccountMeta`            | Self (granted to all service users by default)                                                                        |
| `ManageEnterpriseSettings`   | Audit logs, Organization tags                                                                                         |
| `ManageOrganizations`        | Organizations CRUD, Organization group limits                                                                         |
| `ManageAccountMembership`    | Roles, Enterprise users, Enterprise IdP groups, Enterprise service user membership, Enterprise IdP group registration |
| `ManageAccountServiceUsers`  | Service user provisioning (enterprise)                                                                                |
| `ManageAccountKnowledge`     | Knowledge notes (enterprise)                                                                                          |
| `ManageAccountPlaybooks`     | Playbooks (enterprise)                                                                                                |
| `ManageGitIntegrations`      | Git connections, Git permissions                                                                                      |
| `ManageBilling`              | Consumption cycles, Daily consumption breakdowns                                                                      |
| `ViewAccountMetrics`         | Usage metrics (DAU/WAU/MAU, PRs, sessions, searches, active users), Queue status                                      |
| `ViewEnterpriseInfraDetails` | Hypervisors                                                                                                           |
| `ViewAccountSessions`        | Sessions list and detail (enterprise, read-only)                                                                      |
| `ManageAccountSessions`      | Send messages to sessions (enterprise)                                                                                |

## Organization permissions

| Permission               | Controls                                                       |
| ------------------------ | -------------------------------------------------------------- |
| `ManageOrgSecrets`       | Secrets CRUD                                                   |
| `ManageOrgKnowledge`     | Knowledge notes (organization)                                 |
| `ManageOrgPlaybooks`     | Playbooks (organization)                                       |
| `ManageOrgServiceUsers`  | Service user provisioning (organization)                       |
| `ManageOrgSchedules`     | Scheduled sessions                                             |
| `ViewOrgSessions`        | Sessions list and detail (organization, read-only)             |
| `ManageOrgSessions`      | Send messages, terminate, archive sessions                     |
| `UseDevinSessions`       | Create sessions                                                |
| `ImpersonateOrgSessions` | Create sessions on behalf of other users (`create_as_user_id`) |

## Permission inheritance

**Enterprise service users** authenticate with `/v3/enterprise/*` endpoints and can operate across all organizations. They are assigned enterprise-level roles and automatically inherit the corresponding org-level permissions in every organization (for example, `ViewAccountSessions` grants `ViewOrgSessions` in all orgs).

**Organization service users** are scoped to a single organization and authenticate with `/v3/organizations/{org_id}/*` endpoints only. They are assigned org-level roles.
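The scoping rules above can be checked mechanically when reviewing which service users call which endpoints. The following is an added example, not part of the Devin API or its documentation: the function names, the service-user inventory, the org IDs and the `example-resource` path segment are hypothetical, and only the single inheritance pair stated on this page is encoded.

```python
from urllib.parse import urlparse

# The one inheritance pair this page states; other pairs are not listed here.
DOCUMENTED_INHERITANCE = {"ViewAccountSessions": "ViewOrgSessions"}

def endpoint_scope(url):
    """Return (scope, org_id) for a v3 API URL; scope is 'enterprise' or 'organization'."""
    parts = [p for p in urlparse(url).path.split("/") if p]
    if len(parts) >= 2 and parts[0] == "v3" and parts[1] == "enterprise":
        # /v3/enterprise/organizations/{org_id}/... names an org but still
        # requires enterprise-level permissions.
        named = len(parts) >= 4 and parts[2] == "organizations"
        return "enterprise", (parts[3] if named else None)
    if len(parts) >= 3 and parts[0] == "v3" and parts[1] == "organizations":
        return "organization", parts[2]
    raise ValueError(f"not a v3 enterprise/organization path: {url}")

def effective_org_permissions(enterprise_permissions):
    """Org-level permissions an enterprise role gains in every org (documented pairs only)."""
    return {DOCUMENTED_INHERITANCE[p] for p in enterprise_permissions
            if p in DOCUMENTED_INHERITANCE}

def out_of_scope_calls(service_users, requests):
    """Flag requests by organization service users outside their own org's endpoints."""
    findings = []
    for name, url in requests:
        kind, home_org = service_users[name]
        scope, org_id = endpoint_scope(url)
        if kind != "organization":
            continue  # enterprise service users operate across all organizations
        if scope == "enterprise":
            findings.append((name, url, "enterprise endpoint"))
        elif org_id != home_org:
            findings.append((name, url, "other organization"))
    return findings

# Constructed inventory and request log; "example-resource" is a placeholder,
# not a real endpoint name.
SERVICE_USERS = {"ci-bot": ("organization", "org-111"),
                 "audit-export": ("enterprise", None)}
BASE = "https://api.devin.ai/v3"
REQUESTS = [
    ("ci-bot", f"{BASE}/organizations/org-111/example-resource"),
    ("ci-bot", f"{BASE}/organizations/org-222/example-resource"),
    ("ci-bot", f"{BASE}/enterprise/organizations/org-111/example-resource"),
    ("audit-export", f"{BASE}/enterprise/organizations/org-222/example-resource"),
]

if __name__ == "__main__":
    for finding in out_of_scope_calls(SERVICE_USERS, REQUESTS):
        print(finding)
```

Because the classifier looks only at the URL path, it works unchanged for dedicated deployments that use a custom API domain.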

## Creating service users

Service users are created through the Devin UI:

1. **Enterprise service users**: Enterprise settings → Service Users
2. **Organization service users**: Organization settings → Service Users

For setup instructions, see the [Teams quick start](/api-reference/getting-started/teams-quickstart) or [Enterprise quick start](/api-reference/getting-started/enterprise-quickstart).
