# Roles

Roles are [organization](https://docs.commercelayer.io/provisioning/api-reference/organizations)-specific and can be assigned to a [membership](https://docs.commercelayer.io/provisioning/api-reference/memberships) (to grant a specific [user](https://docs.commercelayer.io/provisioning/api-reference/user) a set of [permissions](https://docs.commercelayer.io/provisioning/api-reference/permissions)) or to an [integration](https://docs.commercelayer.io/provisioning/api_credentials#integration) API credential.

Roles can be of three types (identified by the `kind` attribute):

* `read_only` — to perform `GET` requests on any [Core API](https://app.gitbook.com/o/-Lfu_B3DKew-kvoEWzTk/s/RWJeylueWkzLadK710XZ/) single resource or list of resources).
* `admin` — to perform any available CRUD operation on any Core API resource.
* `custom` — to grant a different set of permissions on multiple resources (**available for Enterprise plans only**).

## Custom roles

While the permission for the `read_only` and `admin` roles are set by default and assigned at runtime by the Core API, [Enterprise](https://commercelayer.io/pricing) customers can define `custom` roles [specifying custom permissions](https://docs.commercelayer.io/provisioning/api-reference/permissions/create) on CRUD actions at the single resource level so as to leverage a granular control, tailored to their needs.

{% hint style="info" %}
Existing roles cannot be deleted using the Provisioning API. A `read_only` and an `admin` roles are automatically created for your organization, so the `POST` method on the `/api/roles` endpoint will be successful only for Enterprise customers: in that case, all you need to do to [create a custom role](https://docs.commercelayer.io/provisioning/api-reference/roles/create) is to give it a name, the related `kind` will be automatically set to `custom`.
{% endhint %}