# Create and manage roles


> Create custom RBAC roles in F5 NGINX Instance Manager to grant users and groups precisely the permissions they need.


## Overview

F5 NGINX Instance Manager uses role-based access control (RBAC) to manage user permissions. A predefined `admin` role is available for initial setup and administration, but you can create custom roles to match specific responsibilities, such as API Owners or Infrastructure Admins. This lets organizations fine-tune access and permissions to suit their needs.

## Create roles {#create-roles}

Roles in NGINX Instance Manager are a critical part of [role-based access control (RBAC)](/nim/admin-guide/rbac/overview-rbac.md). By creating roles, you define the access levels and permissions for different user groups that correspond to groups in your Identity Provider (IdP).

NGINX Instance Manager includes a built-in administrator role called `admin`. You can create additional roles as needed.

The `admin` user or any user with `CREATE` permission for the **User Management** feature can create a role.

Follow these steps to create a role and set its permissions:

1. In a web browser, go to the FQDN for your NGINX Instance Manager host and log in.
1. Select the **Settings** (gear) icon in the upper-right corner.
1. From the left navigation menu, select **Roles**.
1. Select **Create**.
1. On the **Create Role** form, provide the following details:

   - **Name**: The name to use for the role.
   - **Display Name**: An optional, user-friendly name to show for the role.
   - **Description**: An optional, brief description of the role.

1. To add permissions:

   1. Select **Add Permission**.
   2. Select the NGINX Instance Manager module you're creating the permission for from the **Module** list.
   3. Select the feature you're granting permission for from the **Feature** list. To learn more about features, see [Get started with RBAC](/nim/admin-guide/rbac/overview-rbac.md).
   4. Select **Add Additional Access** to choose a CRUD (Create, Read, Update, Delete) access level.
      - Select the access level(s) you want to grant from the **Access** list.
   5. Select **Save**.

1. Repeat step 6 if you need to add more permissions for other features.
1. When you've added all the necessary permissions, select **Save** to create the role.

### Example scenario

Suppose you need to create an "app-developer" role. With this role, users can create and edit applications but not delete them or perform administrative tasks. Name the role `app-developer`, select the relevant features, and grant permissions that align with the application development process while restricting administrative functions.
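The scenario above can be written down as a least-privilege check to run against a planned role before you enter it in the form. This is an added example, not NGINX Instance Manager code or its API schema: the dictionary layout only mirrors the Create Role form fields, the module and feature names other than User Management are placeholders, and allowing `READ` is an assumption.

```python
# Added example: least-privilege review of a role before it is saved.
# The dict layout mirrors the Create Role form (Name, permissions made of
# Module / Feature / Access); it is a constructed model, not the product's API schema.
CRUD = {"CREATE", "READ", "UPDATE", "DELETE"}

# Policy for the app-developer scenario: create and edit, never delete,
# no administrative features. Allowing READ is an assumption of this example.
APP_DEVELOPER_POLICY = {
    "allowed_access": {"CREATE", "READ", "UPDATE"},
    "admin_features": {"User Management"},
}

def review_role(role, policy):
    """Return findings for a role; an empty list means it fits the policy."""
    findings, seen = [], set()
    for perm in role.get("permissions", []):
        module, feature = perm.get("module", ""), perm.get("feature", "")
        access = {str(a).upper() for a in perm.get("access", [])}
        label = f"{module or '?'}/{feature or '?'}"
        if not module or not feature:
            findings.append(f"{label}: module or feature missing")
        if not access:
            findings.append(f"{label}: no access level selected")
        if access - CRUD:
            findings.append(f"{label}: unknown access {sorted(access - CRUD)}")
        if feature in policy["admin_features"]:
            findings.append(f"{label}: administrative feature granted")
        excess = (access & CRUD) - policy["allowed_access"]
        if excess:
            findings.append(f"{label}: access beyond policy {sorted(excess)}")
        if (module, feature) in seen:
            findings.append(f"{label}: duplicate permission entry")
        seen.add((module, feature))
    return findings

# Constructed sample roles; module and feature names other than
# "User Management" are placeholders, not real product values.
GOOD_ROLE = {"name": "app-developer", "permissions": [
    {"module": "example-module", "feature": "example-apps",
     "access": ["CREATE", "READ", "UPDATE"]}]}
OVERBROAD_ROLE = {"name": "app-developer", "permissions": [
    {"module": "example-module", "feature": "example-apps",
     "access": ["CREATE", "UPDATE", "DELETE"]},
    {"module": "example-module", "feature": "User Management",
     "access": ["READ"]}]}

if __name__ == "__main__":
    for role in (GOOD_ROLE, OVERBROAD_ROLE):
        print(role["name"], review_role(role, APP_DEVELOPER_POLICY) or "OK")
```

The second sample role is flagged twice: once for `DELETE` on the application feature and once for any access to User Management, which is the feature that controls who can create roles.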

## Edit roles {#edit-roles}

To modify an existing role in NGINX Instance Manager, follow these steps:

1. In a web browser, go to the FQDN of your NGINX Instance Manager host and log in.
2. Select the **Settings** gear icon in the upper-right corner.
3. From the left navigation menu, select **Roles**.
4. From the list, select the role you want to update.
5. Select **Edit Role** and make changes to any of the editable fields if needed:
   - **Display name**: an optional, user-friendly name for the role
   - **Description**: an optional, brief summary of the role

6. To add new permissions to the role:

   1. Select **Add Permission**.
   2. In the **Module** list, select the relevant module.
   3. In the **Feature** list, select the feature you're assigning permissions for.

   4. Select **Add Additional Access** to grant a CRUD (Create, Read, Update, Delete) access level.

      - In the **Access** list, select the access level(s) you want to assign.

   5. Select **Save**.

7. To edit an existing permission, select **Edit** next to the permission name.

   1. In the **Edit Permission** form, modify the **Module**, **Feature**, or access levels as needed.

8. After making your changes, select **Save**.

## Next steps

### Assign roles to users or user groups

Once you’ve created roles, assign them to users or user groups to ensure that permissions align with responsibilities. This helps maintain clear and organized access control.

- [Assign roles to users or user groups](/nim/admin-guide/rbac/assign-roles.md)

