# End-user access management

> Manage end-user roles, groups, and attributes for controlling access to published solutions at runtime.

<Info>
  **5.8.0+: assignment model changed.** Up to 5.7.0, a role assigned to a user or group at organization level granted access on every project that listed the role. Starting with 5.8.0, role assignment is **per-solution**: define roles and groups here at organization level, then assign them to users or groups from the **Share** modal on the Solutions page. End-user groups also moved from Keycloak to FlowX. See [Runtime authorization](./runtime-authorization) for the new model.
</Info>

## Overview

End-user access management lets organization admins control who can access published solutions at runtime. Unlike Designer users (who build processes and workflows), end users interact with the finished solutions through the container app.

Manage end users from **Organization Settings** → **Access Management**, where three sections handle runtime access:

* **End-Users**: Invite and manage users who access solutions
* **End-Users Roles**: Define roles that control what end users can access
* **End-Users Groups**: Organize users into groups with role assignments and custom attributes

***

## End-users

View and manage the list of end users in your organization. End users are separate from Designer users. They access published solutions but cannot modify processes or workflows.

To invite an end user:

1. Navigate to **Organization Settings** → **Access Management** → **End-Users**
2. Click **Add** to invite a new user
3. Enter the user's details

<Info>
  End users authenticate through the same Keycloak realm as the organization. SMTP must be configured in Keycloak for invitation emails to be sent.
</Info>

***

## End-users roles

Roles define what end users can access at runtime. Each role has a name and description. Roles are assigned to users through groups.

### Managing roles

<Steps>
  <Step title="Navigate to End-Users Roles">
    Go to **Organization Settings** → **Access Management** → **End-Users Roles**.
  </Step>

  <Step title="Create a role">
    Click **Add new**, enter a **Name** and optional **Description**, then click **Save**.
  </Step>

  <Step title="Assign roles to processes">
    In a project's version settings, assign which roles can access specific processes via the **Permissions** tab.
  </Step>
</Steps>

Roles can be edited or deleted from the roles list. Deleting a role removes it from all groups and process permissions where it was assigned.

***

## End-users groups

Groups organize end users and assign them roles and custom attributes. A group can have multiple roles and multiple key-value attributes.

### Managing groups

<Steps>
  <Step title="Navigate to End-Users Groups">
    Go to **Organization Settings** → **Access Management** → **End-Users Groups**.
  </Step>

  <Step title="Create a group">
    Click **Add new** and configure:

    | Field          | Description                                                              |
    | -------------- | ------------------------------------------------------------------------ |
    | **Name**       | Group name (alphanumeric, dashes, underscores, spaces)                   |
    | **Roles**      | Select one or more end-user roles to assign to all members of this group |
    | **Attributes** | Optional key-value pairs for custom metadata (e.g., department, region)  |
  </Step>

  <Step title="Add attributes (optional)">
    Click **Add attribute** to add custom key-value pairs. Each attribute has a **Key** and one or more comma-separated **Values**. Attributes can be used for business filters and data-driven access control.
  </Step>
</Steps>

***

## Permissions

| Permission                 | Description                              |
| -------------------------- | ---------------------------------------- |
| `org_runtime_users_read`   | View the end-users list                  |
| `org_runtime_users_write`  | Invite and manage end users              |
| `org_runtime_roles_read`   | View end-user roles                      |
| `org_runtime_roles_write`  | Create, edit, and delete end-user roles  |
| `org_runtime_groups_read`  | View end-user groups                     |
| `org_runtime_groups_write` | Create, edit, and delete end-user groups |

These permissions are available to **Organization Admin** and **Organization Owner** roles.

***

## Related resources

<CardGroup cols={2}>
  <Card title="Organization settings" icon="gear" href="/5.9/docs/saas/organization-settings">
    Overview of all organization-level settings
  </Card>

  <Card title="Roles and permissions matrix" icon="table" href="./roles-permissions-matrix">
    Complete reference for all platform roles and permissions
  </Card>

  <Card title="Swimlanes" icon="arrows-left-right" href="/5.9/docs/platform-deep-dive/user-roles-management/swimlanes">
    Configure role-based task assignment in processes
  </Card>

  <Card title="Business filters" icon="filter" href="/5.9/docs/platform-deep-dive/user-roles-management/business-filters">
    Filter data visibility based on user roles and attributes
  </Card>
</CardGroup>
