# Users and Permissions {#iam-overview}

## Organizations and Users {#org-user-relationship}

Shisho Cloud byGMO and Takumi byGMO are built around the **organization** as the primary unit. A single user account can belong to multiple organizations, and a single organization can have multiple users. Organizations and users form a many-to-many relationship.

```mermaid
graph LR
    subgraph Users[Users]
        UA[User A]
        UB[User B]
        UC[User C]
    end
    subgraph Orgs[Organizations]
        OX[Organization X]
        OY[Organization Y]
    end
    UA --- OX
    UA --- OY
    UB --- OX
    UC --- OY
```

As shown above, the same user can participate as a member of multiple companies, business units, or project-scoped organizations at the same time. Roles granted to a user are scoped independently per organization.

## Per-organization RBAC {#per-org-rbac}

Within each organization, **role-based access control (RBAC)** is applied to users and to **teams** that group multiple users together. Whether a given user can use a given capability (Assessment, Guard, Runner, console settings, etc.) is determined by the roles assigned to that user or to the teams they belong to, within that organization.

A single user or team can be **assigned multiple roles at the same time**. The diagram below shows an example role layout within Organization X.

```mermaid
graph LR
    subgraph Org[Organization X]
        UA[User A]
        UB[User B]
        T1[Team T]

        UA --> R_Owner[Owner]
        UA --> R_TakumiMgr[Takumi Manager]
        UB --> R_Member[Member]
        T1 --> R_Triager[Triager]
        T1 --> R_GuardUser[Takumi Guard User]
    end
```

Because roles are designed and assigned independently per organization, an assignment in one organization has no effect in any other. The same user can hold, say, an administrator role in Organization X and a read-only role in Organization Y at the same time.
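The following Python snippet is an added illustration of the model described in the two sections above (many-to-many user/organization membership, and per-organization RBAC where a user's effective roles are the union of direct assignments and the roles of the teams they belong to). It is not code from Shisho Cloud or Takumi; the role names are taken from the diagrams, while the capability names assigned to each role, the user ids and the team membership of Team T are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed role -> capability table. Role names come from the page's diagram;
# which capabilities each role grants is an assumption made for this example.
ROLE_CAPABILITIES = {
    "Owner": {"assessment", "guard", "runner", "console-settings"},
    "Takumi Manager": {"assessment", "runner"},
    "Member": {"assessment"},
    "Triager": {"assessment"},
    "Takumi Guard User": {"guard"},
}


@dataclass
class Organization:
    """One organization with its own, independent role assignments."""
    name: str
    members: set = field(default_factory=set)        # user ids belonging to the org
    teams: dict = field(default_factory=dict)        # team name -> set of user ids
    user_roles: dict = field(default_factory=dict)   # user id -> set of role names
    team_roles: dict = field(default_factory=dict)   # team name -> set of role names

    def add_member(self, user, roles=()):
        self.members.add(user)
        self.user_roles.setdefault(user, set()).update(roles)

    def add_team(self, team, users, roles=()):
        self.teams[team] = set(users)
        self.team_roles[team] = set(roles)

    def roles_for(self, user):
        """Effective roles in this org: direct roles plus roles of every team
        the user is in. A user who is not a member of the org gets nothing,
        even if a stale team entry still lists them (assumed rule)."""
        if user not in self.members:
            return set()
        roles = set(self.user_roles.get(user, ()))
        for team, users in self.teams.items():
            if user in users:
                roles |= self.team_roles.get(team, set())
        return roles

    def capabilities_for(self, user):
        caps = set()
        for role in self.roles_for(user):
            caps |= ROLE_CAPABILITIES.get(role, set())
        return caps

    def can(self, user, capability):
        """Authorization decision: does the user hold any role granting it?"""
        return capability in self.capabilities_for(user)


def organizations_of(user, orgs):
    """Many-to-many: the organizations a user belongs to, in name order."""
    return sorted(o.name for o in orgs.values() if user in o.members)


def build_example():
    """Constructed layout mirroring the page's diagrams (ids are invented)."""
    org_x = Organization("X")
    org_x.add_member("user-a", {"Owner", "Takumi Manager"})
    org_x.add_member("user-b", {"Member"})
    # Team T's membership is not given on the page; user-b is placed in it here.
    org_x.add_team("Team T", {"user-b"}, {"Triager", "Takumi Guard User"})

    org_y = Organization("Y")
    org_y.add_member("user-a", {"Member"})   # same user, read-only style role in Y
    org_y.add_member("user-c", {"Member"})
    return {"X": org_x, "Y": org_y}


if __name__ == "__main__":
    orgs = build_example()
    for org in orgs.values():
        for user in sorted(org.members):
            print(org.name, user, sorted(org.roles_for(user)),
                  sorted(org.capabilities_for(user)))
    print("user-a belongs to", organizations_of("user-a", orgs))
```

Note how `roles_for` is scoped to a single `Organization` instance: user-a's Owner role in X never leaks into the decision made by Y, and user-b's team-derived Guard access exists only inside X, which is exactly the isolation the text describes.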

## Dig deeper {#dig-deeper}

Pick the topic you want to dive into:

- To manage permissions for multiple users at once, or to grant permissions per department, see **[Team](/docs/c/iam/team.md)**.
- To see which roles are available and what each one can do, see **[Roles and Permissions](/docs/c/iam/permission.md)**.
- To harden the authentication on an individual account, see **[Multi-Factor Authentication](/docs/c/iam/mfa.md)**.
- To enable SSO (SAML) across your organization, see **[SAML Single Sign-On](/docs/c/iam/saml-config.md)**.
