# Owners and Members

## Overview

Every collection has two membership roles: **owner** and **member**. These roles control *who* can access a collection, while [account-level roles](/docs/organization-and-security/roles-and-permissions.md) control *what* they can do once inside it. Together, the two layers let you grant broad platform capabilities to a user while limiting where those capabilities apply.

<figure><picture><source srcset="/files/gMzRTwfQsV70BHMdyvdq" media="(prefers-color-scheme: dark)"><img src="/files/Xno3U2EbNItirNYaoAxA" alt=""></picture><figcaption></figcaption></figure>

## How account roles and collection membership work together

A user's effective permissions in a collection are the intersection of their account-level role and their collection membership. The account role defines the ceiling (create packages, run deployments, view resources), and membership opens the door to a specific collection.

For the full permissions matrix and recommended role mappings, see [Roles and Permissions](/docs/organization-and-security/roles-and-permissions.md).

{% hint style="info" %}
Admins bypass membership checks. They can manage any collection, even if they are not listed as an owner or member.
{% endhint %}

## Owners

Every collection must have at least one owner. The user who creates a collection is automatically assigned as its first owner.

Owners have full control over the collection, including:

* Managing member access and roles
* Editing collection properties, secrets, and cloud connections
* Approving runs when the [Owner Approval policy](/docs/orchestration/collections/policies.md) is active
* Transferring ownership to another user
* Deleting the collection

Owners provide the governance layer that keeps collections secure and aligned with organizational policies. When the Owner Approval policy is enabled on a collection, only owners of that collection can approve runs before they proceed. For details on configuring this policy, see [Policies](/docs/orchestration/collections/policies.md).

Admins, Builders, and Deployers can all be assigned as collection owners. A Deployer who is an owner can approve runs, but they still can't edit collection settings or create collections since those require a Builder or Admin account role. Viewers cannot be owners.

{% hint style="info" %}
A collection can have multiple owners. This is recommended for redundancy so that approvals and administrative actions are not blocked by a single person's availability.
{% endhint %}

## Members

Members are users who have been granted access to a collection. A member's effective permissions depend on their account-level role:

* A member with the **Builder** role can create and publish packages and run deployments in the collection
* A member with the **Deployer** role can initiate runs but cannot modify packages or collection settings
* A member with the **Viewer** role can browse environments and resources in the collection but cannot make changes

Members cannot manage collection settings (properties, secrets, cloud connections, policies, or membership). Those actions require owner or Admin access.

**Example:** a development team might be added as members with the Builder role in a `staging` collection so they can deploy freely, while only a platform lead is assigned as owner of the `production` collection to enforce tighter governance.

## How to manage owners and members

Owners and members are managed from the collection detail page in the Bluebricks app.

{% hint style="info" icon="user-key" %}
Only admins and collection owners can add, remove, or change membership roles.
{% endhint %}

{% hint style="info" %}
You can also invite new users directly from the collection page using **Invite teammates** in the **Assigned users** section. This opens the invite modal with the collection pre-selected. See [How to invite users](/docs/organization-and-security/roles-and-permissions.md#how-to-invite-users) for the full flow.
{% endhint %}

<details open>

<summary>Add a member</summary>

1. Open the **Collections** page and select your collection
2. Go to the **Overview** tab
3. In the **Assigned users** section, click **Edit**
4. Select the user you want to add and click **Save**

New users are added as members by default.

</details>

<details>

<summary>Change a user's collection role</summary>

1. Open the collection's **Overview** tab
2. In the **Assigned users** section, find the user
3. Click the **three-dot menu** next to their name
4. Click **Change to owner** or **Change to member**

</details>

<details>

<summary>Remove a user from a collection</summary>

1. Open the collection's **Overview** tab
2. In the **Assigned users** section, find the user
3. Click the **three-dot menu** next to their name and click **Remove**

</details>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://bluebricks.co/docs/orchestration/collections/owners-and-members.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.