# Permissions Guide

> The default permission set every Murmur tenant ships with, what each capability covers, and how to promote a non-admin user to tenant admin.

GitHub org owners are automatically tenant admins in Murmur. That covers most cases, but sometimes you need to grant admin scope to someone who isn't (and shouldn't be) a GitHub org owner: a backend engineer who manages your [Workspaces](/concepts/workspaces), a service account that automates billing, a bot that needs to manage tenant [secrets](/concepts/secrets). This guide walks through doing that safely.

The full permission model (every kind, every verb, wildcard rules, evaluation order) lives in [Authorization](/security/authorization). This page is the practical "grant or revoke admin" recipe.

**Before you start**, you need admin yourself, or these three specific permissions: `tenant-binding.create`, `tenant-binding.edit`, and `role.read`. In a brand-new tenant, the first GitHub org owner runs the commands below and then delegates outward from there.

## 1. Create the binding

A user becomes a tenant admin when they're bound to the `murmur-tenant-admin` role, which grants `*` (every permission on every resource). You can bind a single user directly, or bind a group and manage membership separately. Groups are recommended for anything beyond one person, because you can add or remove members later without touching the binding itself.

### A single user

Apply with [`murmur set`](/cli/set):

```bash theme={null}
cat <<'EOF' | murmur set tenant-binding jane-tenant-admin
name: jane-tenant-admin
grant:
  users: [jane]
  role: murmur-tenant-admin
EOF
```

The username is the GitHub login. No `github_oauth/` prefix.

### A group (recommended for teams)

Create the group first, then bind it:

```bash theme={null}
cat <<'EOF' | murmur set group platform-admins
name: platform-admins
static:
  members: [jane, bob]
EOF

cat <<'EOF' | murmur set tenant-binding platform-admins-tenant-admin
name: platform-admins-tenant-admin
grant:
  groups: [platform-admins]
  role: murmur-tenant-admin
EOF
```

To onboard or offboard someone later, edit the group, not the binding. This keeps your bindings stable, makes membership changes easy to review, and means a future audit of "who is an admin?" answers itself.

## 2. Verify the promotion took

Before you walk away, confirm it actually worked. [`murmur check-permissions`](/cli/check-permissions) answers `yes` or `no` for each verb you list and shows you which binding produced the result:

```bash theme={null}
# Run as the newly-promoted user
murmur check-permissions tenant-binding.create role.create secret.create
```

A successful promotion shows `yes` on every check with `Reason: root` (the `murmur-tenant-admin` role grants `*`). Spot-check a handful of sensitive verbs (`tenant-binding.create`, `secret.create`, `pool-config.edit`) instead of trying to enumerate every kind. If one returns `no`, the binding probably points at a misspelled role or a group the user isn't actually in.

## 3. Audit who has admin

Anyone with `tenant-binding.create` can promote others, including (in theory) promoting themselves to keep access if you remove them. Audit periodically with [`murmur get`](/cli/get):

```bash theme={null}
murmur get tenant-binding
```

Look for any binding that points at `murmur-tenant-admin` or `murmur-root`. Both grant universal access. The GitHub org-owner binding is automatic and shows up under the `murmur-org-admins` group, which resolves dynamically against GitHub at evaluation time, so changes in GitHub propagate without needing a Murmur update.
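The "who is an admin?" question can be answered mechanically once you have the binding and group documents in hand. The script below is an added example, not part of the Murmur docs or CLI. It assumes (the page does not confirm this) that `murmur get tenant-binding` and `murmur get group` return documents in the same shape that `murmur set` accepts, so the constructed sample data mirrors the YAML shown on this page. It expands static groups to their members, flags every binding that reaches `murmur-tenant-admin` or `murmur-root`, and reports dynamic groups such as `murmur-org-admins` separately, since their membership lives in GitHub and cannot be enumerated from Murmur state alone. The role name `viewer` in the sample is hypothetical.

```python
"""Audit which principals hold a universal role in a Murmur tenant.

Added example; not Murmur's own code. Assumes `murmur get tenant-binding` and
`murmur get group` yield documents shaped like the YAML `murmur set` accepts.
"""
from typing import Dict, List, Tuple

# Roles this page names as granting universal access.
UNIVERSAL_ROLES = {"murmur-tenant-admin", "murmur-root"}

# Groups resolved dynamically (against GitHub) at evaluation time; a static
# audit cannot list their members, so they are reported, not expanded.
DYNAMIC_GROUPS = {"murmur-org-admins"}

# Constructed sample data (assumed shape of `murmur get tenant-binding`).
SAMPLE_BINDINGS = [
    {"name": "jane-tenant-admin",
     "grant": {"users": ["jane"], "role": "murmur-tenant-admin"}},
    {"name": "platform-admins-tenant-admin",
     "grant": {"groups": ["platform-admins"], "role": "murmur-tenant-admin"}},
    {"name": "org-owners",
     "grant": {"groups": ["murmur-org-admins"], "role": "murmur-tenant-admin"}},
    # Hypothetical non-admin role; must not appear in the report.
    {"name": "readers", "grant": {"users": ["carol"], "role": "viewer"}},
]

# Constructed sample data (assumed shape of `murmur get group`).
SAMPLE_GROUPS = [
    {"name": "platform-admins", "static": {"members": ["jane", "bob"]}},
]


def admin_holders(bindings: List[dict], groups: List[dict]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return (holders, unresolved).

    holders maps each user who reaches a universal role to the bindings that
    grant it. unresolved lists "binding -> group" pairs for groups that are
    dynamic or not present in the group list, which deserve a manual look
    (a missing group is also the misconfiguration the verification step warns about).
    """
    static_members = {g["name"]: g.get("static", {}).get("members", []) for g in groups}
    holders: Dict[str, List[str]] = {}
    unresolved: List[str] = []

    for binding in bindings:
        grant = binding.get("grant", {})
        if grant.get("role") not in UNIVERSAL_ROLES:
            continue  # Ordinary role; out of scope for an admin audit.
        for user in grant.get("users", []):
            holders.setdefault(user, []).append(binding["name"])
        for group in grant.get("groups", []):
            if group in DYNAMIC_GROUPS or group not in static_members:
                unresolved.append(f"{binding['name']} -> {group}")
                continue
            for user in static_members[group]:
                holders.setdefault(user, []).append(binding["name"])
    return holders, unresolved


def main() -> None:
    holders, unresolved = admin_holders(SAMPLE_BINDINGS, SAMPLE_GROUPS)
    print("Users with universal access:")
    for user, via in sorted(holders.items()):
        print(f"  {user:<10} via {', '.join(via)}")
    if unresolved:
        print("Bindings on dynamic or unknown groups (check membership elsewhere):")
        for entry in unresolved:
            print(f"  {entry}")


if __name__ == "__main__":
    main()
```

Run it against real output by replacing the two sample lists with the parsed documents from `murmur get`; anything in the unresolved list should be reconciled against GitHub org ownership, and any binding on a group that does not exist is a candidate for cleanup.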

## Revoke admin

For a single-user binding, delete it with [`murmur rm`](/cli/rm):

```bash theme={null}
murmur rm tenant-binding jane-tenant-admin
```

For a group-based grant, you have two options. Delete the binding (revokes admin from everyone in the group at once):

```bash theme={null}
murmur rm tenant-binding platform-admins-tenant-admin
```

Or keep the binding and just remove the user from the group:

```bash theme={null}
cat <<'EOF' | murmur set group platform-admins
name: platform-admins
static:
  members: [jane]   # bob removed
EOF
```

To revoke admin from a GitHub org owner, you remove them from the GitHub org. The `murmur-org-admins` group is dynamic and stays in sync with GitHub, so the change takes effect on their next request without any Murmur action.

## Related

<CardGroup cols={2}>
  <Card title="Authorization" icon="shield" href="/security/authorization">
    Full permission model, built-in roles, every kind and verb.
  </Card>

  <Card title="Service Profiles" icon="user-tag" href="/security/service-profile">
    Service Profiles for Flights and automated agents.
  </Card>
</CardGroup>
