Roles
=====

a user can be:

* Regular User
* Site Admin
* Org Admin
* User on a Team

Regular User
============

* can login
* can logout
* can change some user info but not their username (can change pass)

Site Admin
==========

* probably installed the platform from a playbook before using the tool
* can make user accounts
* can promote users to site admin (or remove that)
* can add existing users to any organization
* is automatically an admin of all orgs

Org Admin
=========

* can create users (they are auto assigned to the org)
* can kick users out of the org
* can promote users to org admin or demote them
* can create an inventory source
* can share an inventory source with a team or user with set permissions
  - ability to edit
  - ability to push
  - ability to run in check mode
  - ability to view
  - ability to see log data
* can create a project in the org
* can create a team in the org
* can associate a project with one or more teams in the org
* can add users to projects or take them away

A Project
=========

* has a git repository path (previously unused or used exactly once in DB)
* may have credentials

A Credential
============

* ssh key location (new or only used once)
* ssh unlock
* password
* sudo password
* pem file location (new or only used once)

A User
======

* can login
* can logout
* may have credentials
* can push to any inventory source (or check, view, etc) if they have
  permission on that source via a team membership, directly, an org
  membership, etc. The links to do so are found in the context of the
  project. A user may acquire permissions on an inventory source via
  multiple routes. Permissions are usually locked around a particular
  project.
* can view logs on hosts if they have similar permissions on that inv. source
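
The multi-route rule in the last section can be checked mechanically. The sketch below is an added example, not code from the platform: the `Grant` and `User` records, the function names, the optional project lock and the sample data are all assumptions, and it assumes that permissions from different routes are combined as a union with deny-by-default. It returns, for each permission, the routes that granted it, which is the view an access review needs.

```python
from dataclasses import dataclass
from typing import Optional

# The five abilities an org admin can set when sharing an inventory source.
PERMS = frozenset({"edit", "push", "check", "view", "logs"})

@dataclass(frozen=True)
class Grant:                         # hypothetical record of one "share"
    source: str                      # inventory source being shared
    kind: str                        # route: "user", "team" or "org"
    principal: str                   # name of the user, team or org
    perms: frozenset
    project: Optional[str] = None    # assumed project lock; None = any project

@dataclass(frozen=True)
class User:                          # hypothetical user record
    name: str
    teams: frozenset = frozenset()
    orgs: frozenset = frozenset()

def effective_permissions(user, source, project, grants):
    """Map each permission the user holds on `source` to the routes granting it."""
    held = {}
    for g in grants:
        if g.source != source or g.project not in (None, project):
            continue                 # other source, or locked to another project
        applies = ((g.kind == "user" and g.principal == user.name)
                   or (g.kind == "team" and g.principal in user.teams)
                   or (g.kind == "org" and g.principal in user.orgs))
        if applies:
            for perm in g.perms & PERMS:   # unknown permission names are ignored
                held.setdefault(perm, []).append(f"{g.kind}:{g.principal}")
    return held

def can(user, action, source, project, grants):
    """Deny by default: allowed only if at least one route grants the action."""
    return action in effective_permissions(user, source, project, grants)

# Constructed sample data.
ALICE = User("alice", teams=frozenset({"ops"}), orgs=frozenset({"acme"}))
GRANTS = [
    Grant("web-hosts", "team", "ops", frozenset({"view", "check"}), "deploy"),
    Grant("web-hosts", "user", "alice", frozenset({"push"}), "deploy"),
    Grant("web-hosts", "org", "acme", frozenset({"view"})),
    Grant("web-hosts", "team", "dba", frozenset({"edit"}), "deploy"),
]
```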