# Roles

Roles, when assigned to users, provide users with access to resources. A role is a collection of permissions that are granted to the users that are assigned to that role.

To assign users to roles in the Admin UI, go to the user in question, open the **Roles** tab, search your roles list, and add the roles you want. In the CLI, use the `sdm admin users` command.

In order to add permissions to a role, use [access rules](#access-rules). Access rules provide two methods by which to assign access permissions to a role. Static access rules are manually assigned permissions. Dynamic access rules provide permissions for resources based on tags and resource types chosen.

A list (in table format) of existing roles is displayed on the **Roles** page in the Admin UI. You can sort the table of roles in your organization by clicking on column headers. Clicking a column header sorts the table by the values in that column, in ascending order. Clicking again on the same header reverses the sorting direction.

#### Suspended

Users in the **Suspended** role cannot log in or access any datasources or servers.

### Access Rules

In order to add permissions to a role, you use access rules. Access rules provide two methods by which to assign access permissions to a role. Static access rules are manually assigned permissions. Dynamic access rules provide permissions for resources based on tags and resource types chosen.

#### Access rule editor

Access rules are the building blocks of roles. You can add, edit, or delete access rules within a role. Navigate to the **Principals** > **Roles** page, and then look at a role (or create a new one). To edit an existing access rule, click **edit**. To delete an access rule, click **edit** and once the Edit view is open, click **Delete Access Rule**.

Each role can comprise up to 10 access rules.

The access rule editor can create both static access rules and dynamic access rules.

#### Static access rules

Static access rules assign a role access to specific resources, which you select one at a time from a list of checkboxes. You can select up to 2000 resources per rule.

#### Dynamic access rules

Dynamic access rules provide the tool set to dynamically assign resource access to members of the role. Each dynamic access rule is made up of two properties:

* **Resource type**: You can choose a specific type of resource, such as MySQL databases or EKS clusters, or you can choose **All resource types**.
* **Resource tags**: Tags are key-value pairs assigned to resources. An access rule may include up to 20 tags.

{% hint style="info" %}
A dynamic access rule grants access to all resources that meet **all** of the criteria specified in its properties. The properties within a dynamic access rule are combined with "and," not "or." For example, specifying one database type and two tags grants access only to resources that are of that database type and have both of those tags.
{% endhint %}

The access rule editor indicates if there are no resources that currently match your criteria. If there are matching resources, it indicates how many.
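The following added example (not StrongDM code, and not its API or rule schema) models the matching behavior described above so you can preview which resources a role would grant before you save it. The `Resource` and `Rule` classes, their field names, and the sample inventory are hypothetical, and treating a role as granting whatever any one of its rules matches is an assumption.

```python
from dataclasses import dataclass, field
from typing import Optional

MAX_RULES_PER_ROLE = 10      # limits as stated on this page
MAX_STATIC_RESOURCES = 2000
MAX_TAGS_PER_RULE = 20

@dataclass
class Resource:              # hypothetical inventory record
    id: str
    type: str
    tags: dict

@dataclass
class Rule:                  # hypothetical model of one access rule
    ids: set = field(default_factory=set)     # static: explicit resource IDs
    type: Optional[str] = None                # dynamic: None = all resource types
    tags: dict = field(default_factory=dict)  # dynamic: every pair must match

    def validate(self):
        if len(self.ids) > MAX_STATIC_RESOURCES:
            raise ValueError("static rule exceeds 2000 resources")
        if len(self.tags) > MAX_TAGS_PER_RULE:
            raise ValueError("dynamic rule exceeds 20 tags")

    def matches(self, r):
        if self.ids:                          # static rule: membership only
            return r.id in self.ids
        type_ok = self.type is None or r.type == self.type
        tags_ok = all(r.tags.get(k) == v for k, v in self.tags.items())
        return type_ok and tags_ok            # "and" within a rule, never "or"

def granted(rules, inventory):
    """IDs the role would grant (assumption: any one matching rule suffices)."""
    if len(rules) > MAX_RULES_PER_ROLE:
        raise ValueError("role exceeds 10 access rules")
    for rule in rules:
        rule.validate()
    return sorted(r.id for r in inventory if any(x.matches(r) for x in rules))

# Constructed sample inventory
INVENTORY = [
    Resource("rs-1", "mysql", {"env": "prod", "team": "billing"}),
    Resource("rs-2", "mysql", {"env": "prod"}),
    Resource("rs-3", "postgres", {"env": "prod", "team": "billing"}),
    Resource("rs-4", "eks", {"env": "dev"}),
]
```

Comparing the output of `granted` for a draft rule set against the list you intended to grant shows where a rule is broader than expected, for example a tag-only rule that spans every resource type.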

{% content-ref url="import-roles" %}
[import-roles](https://docs.strongdm.com/admin/access/import-roles)
{% endcontent-ref %}


