# Administrative-based Policies

### Manage group and policies * Read-only: User will be able to see all groups and policies but unable to modify, add new or delete groups or policies. * Create: User able to create new groups and add new policies in groups. * Edit: User able to edit existing groups and modify existing policies in groups. * Delete: User able to delete groups or remove existing policies in groups. {% hint style="danger" %} This policy gives the user the ability to upgrade or downgrade their own access as they can add themselves to groups and attach policies. Use with caution. {% endhint %} ### Manage access for organization * Read-only: User will be able to see all users in the organization but unable to invite, deactivate or revoke invites. * Invite Users: User able to invite other users to organization. * Deactivate/Re-activate users: User able to deactivate/re-activate other users. * Revoke invites: User able to revoke invite of users who are still pending signup. ### Manage data sources * Read-only: User will be able to see the Data Source tab, and see all data sources but unable to modify, add new sources or delete existing sources. * Edit: User can enable/disable data sources, modify credentials and additional configurations. * Create: User can add new data sources. * Delete: User can delete data sources. ### Manage Config Default settings * Read-only: User will be able to see the Configure Alerts tab but not able to edit. * Edit: User will be able to edit the email, Slack or webhooks settings. ### Manage Domains * Create Domains: User able to create a domain. {% hint style="info" %} Note that all domain-based policies reside in the Domain Memberships itself and this permission is the administrative level of creating a domain only. [Read more on the Domain memberships here](https://docs.decube.io/group-access-policies/broken-reference). {% endhint %}