Roles and Permissions
Zus uses role-based access control (RBAC) to manage what users and App Clients can do. Every user and App Client is assigned exactly one role at creation time, and that role determines which Zus services and endpoints they can access — and which operations (read, create, update, delete) they can perform.
Zus provides three built-in roles. Custom roles are not currently supported.
Choosing a role
Use this table to pick the right role. Details for each role follow below.
| Role | Assign to | Can manage users & App Clients? | Can access patient data? |
|---|---|---|---|
| Builder Admin | Engineers, admins, M2M App Clients that manage your Builder account | ✅ | ✅ Full read/write on all allowed FHIR resources |
| Care Team User | Clinicians and operational users who work with patients but shouldn't change account settings | ❌ | ✅ Read all allowed resources; write a limited set |
| Permissionless | Users you need to fully revoke (see important caveat) | ❌ | ❌ |
Not sure between Builder Admin and Care Team User for an M2M App Client?Builder Admin is the typical choice for backend services. Use Care Team User only when the App Client should be limited to patient-facing operations and explicitly should not manage account settings.
Builder Admin
Full administrative access within a Builder account. Assign this role to engineers, account administrators, and most machine-to-machine App Clients.
A Builder Admin can:
- Manage FHIR data — read, create, update, and delete all FHIR resource types, except for certain Conformance, Terminology, and Security resource types that Zus manages on your behalf.
- Manage identities — read, create, update, and delete users and App Clients within the Builder account.
- Access partner Builders — if your Builder has Cross-Builder Grants in place, Builder Admins can also read data from those partner Builders.
Care Team User
Patient-data access without administrative power. Assign this role to clinicians, care coordinators, and other operational users who need to work with patient records but shouldn't be able to change account configuration or manage other users.
A Care Team User can:
- Read all FHIR resource types (with the same Conformance / Terminology / Security exceptions as Builder Admin).
- Create, update, and delete a limited set of clinical resource types — currently Patient, CarePlan, CareTeam, and Goal.
A Care Team User cannot:
- Create, update, or delete users or App Clients.
- Modify Builder account configuration.
Permissionless
No access to Zus UIs or APIs. Assign this role to users you want to fully revoke — for example, an employee who has left your organization.
Permissionless does not revoke Snowflake accessIf your organization uses a Zus-hosted Snowflake reader account, changing a user's role to Permissionless does not remove their Snowflake access. To fully offboard a user, you must also email [email protected] and ask to have them removed from Snowflake.
What's not covered by roles
Roles control access within a single Builder account. They do not govern:
- Cross-Builder access — handled separately via Cross-Builder Grants.
- Snowflake access — managed by Zus support, as noted above.
- SSO and password policies — configured at the Builder level, independent of role assignment.
Updated 8 days ago