# Permissions

To allow a seamless collaborative workflow, [Enterprise](https://commercelayer.io/pricing) users can define [custom roles](https://docs.commercelayer.io/provisioning/roles#custom-roles) and assign permissions to each role created. This allows different [members](https://docs.commercelayer.io/provisioning/api-reference/memberships) to have different privileges or different [integration](https://docs.commercelayer.io/provisioning/api_credentials#integration) API credentials to be granted different permissions on CRUD operations at the single resource level.

Each permission is role and subject-specific, meaning that to [create a new permission](https://docs.commercelayer.io/provisioning/api-reference/permissions/create) you need to associate it with a role and specify the single resource involved. For that resource you can define the allowed actions by setting the 4 CRUD boolean attributes (which can be changed at any time):

* `can_read`
* `can_create`
* `can_update`
* `can_delete`

If you want to create a set of permissions involving different resources, you need to create a permission for each resource, associated with the same role.

When fetching a permission, you can check if additional restrictions have been applied by inspecting the `restrictions` object.

{% hint style="info" %}
Existing permissions cannot be deleted using the Provisioning API.
{% endhint %}