# What are our standard roles? Within each account, we create a standard set of roles. Each role name is made up of two parts: the name of the account, and the role suffix. For example, `workflow-developer` has the account name `workflow` and the role suffix `developer`. This is a list of our standard roles: | role suffix | example role | what it allows | | ----------- | ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | | admin | workflow-admin | Complete access to the account. This is a superuser role that can do anything. | | developer | platform-developer | Complete access, bar a handful of destructive actions (e.g. deleting S3 buckets). This also doesn’t allow configuring IAM users. | | read\_only | digitisation-read\_only | Provides read-only access to most of the account. This doesn't include access to secrets in Secrets Manager. | | ci | identity-ci | Provides the permissions that CI needs to do things in this account (e.g. publishing Docker images to ECR). Usually used by CI instances only. | --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.wellcomecollection.org/aws-account-setup/users-iam-roles-accounts-and-so-on/what-are-our-standard-roles.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.