zitadel/site/docs/administrate/03-projects.en.md

---
title: Projects
---

### What are projects

The idea of projects is to have a vessel for all components who are closely related to each other.
In ZITADEL all clients located in the same project share their roles, grants and authorizations.
From a access management perspective you manage who has what role in the project and your application consume this information.
A project belongs to exactly one organisation.
The attribute project role assertion defines, if the roles should be integrated in the tokens without sending corresponding scope (urn:zitadel:iam:org:project:role:{rolename})
With the project role check you can define if a user should have a requested role to be able to logon.

**Clients**

Clients are described here [What are clients](administrate#What_are_clients)
Basically these are you applications who initiate the authorization flow.

**Roles**

[Roles (or Project Roles)](administrate#Roles) is a mean of managing users access rights for a certain project.
These [roles](administrate#Roles)  are opaque for ZITADEL and have no weight in relation to each other.
So if a [user](administrate#Users) has two roles, admin and user in a certain project, the information will be treated additive.

**Grants**

With ZITADEL it is possible to give third parties (other organisations) the possibility to manage certain roles on their own.
To achieve this the owner of a project can grant (some could say delegate) certain roles or all roles to a organisation.
After granting that organisation it can manage on its own which user has what roles.
This feature is especially useful for service providers, because they are able to establish a great self-service culture for their business customers.

**Authorizations** 

#### Project vs. granted Project

The simple difference of a project vs a granted project is that a project belongs to your organisation and the granted project belongs to a third party who did grant you some rights to manage certain roles of their project.
To make it more easily to differentiate ZITADEL Console displays these both as separate menu in the project section.

### Manage a project

> Screenshot here

#### RBAC Settings

- Authorisation Check option (Check if the user at least has one role granted)
- Enable Project_Role Assertion (if this is enabled assert project_roles, with the config of the corresponding client)

#### Define project specific roles

> Screenshot here

### Grant project to a third party

> Screenshot here

### Audit project changes

> Screenshot here
chore(documentation): documentation and manuals for ZITADEL (#710) * chore: cleanup old docs folder * remove docs path trigger * wip docs structure * chore: ignore site changes in ci * add manuals route * new structure * structure * Use correct title * remove trigger for code scan for static site generator * change names * add lorem ipsum to test styling * use h3 to deeplink * add site to dependabot * lint readme.md * remove not needed file * ignore site on pull request code scan * add initial contrib * Minor correction * Added section Developer & Integration * Changed link list layout, added labels, added translations * Added missing <li> tags * Added correct link to section Developer & Integration * Fixing list style * Overhauling description texts and translations * outline * teaser go * outline * wip * rework * wip * wip * wip * hop * wip * first draft for "administrate" done * init outline * fix deploy step * lint * commit wip * commit wip * md lint * Link * fix: path to edit (#711) * wip * wip * wip * what are... * use only features * wip docs * Update 00-user.en.md * project * uppercase en * wip * wip * wip * policies rework * improve text * correct typo * update readme * correct styling * add link to docs guides * make the linter happy * rename * wip * move api to own file * correct links and lint * wip roles and integration * add pkce * reduce padding and margin * wip scope and claims * wip claim & scopes * make the linter happy * insert links where possible * wip * wip roles & providers * Update README.md * Update 00-user.en.md * minor text improvements * use master branch to deploy * use proper ci file * Apply suggestions from code review Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> Co-authored-by: Matthias M. Schneider <mati@matimax.info> Co-authored-by: Max Peintner <max@caos.ch> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> 2020-10-16 12:13:02 +00:00			`---`
			`title: Projects`
			`---`

			`### What are projects`

			`The idea of projects is to have a vessel for all components who are closely related to each other.`
			`In ZITADEL all clients located in the same project share their roles, grants and authorizations.`
			`From a access management perspective you manage who has what role in the project and your application consume this information.`
			`A project belongs to exactly one organisation.`
			`The attribute project role assertion defines, if the roles should be integrated in the tokens without sending corresponding scope (urn:zitadel:iam:org:project:role:{rolename})`
			`With the project role check you can define if a user should have a requested role to be able to logon.`

			`Clients`

			`Clients are described here [What are clients](administrate#What_are_clients)`
			`Basically these are you applications who initiate the authorization flow.`

			`Roles`

			`[Roles (or Project Roles)](administrate#Roles) is a mean of managing users access rights for a certain project.`
			`These [roles](administrate#Roles) are opaque for ZITADEL and have no weight in relation to each other.`
			`So if a [user](administrate#Users) has two roles, admin and user in a certain project, the information will be treated additive.`

			`Grants`

			`With ZITADEL it is possible to give third parties (other organisations) the possibility to manage certain roles on their own.`
			`To achieve this the owner of a project can grant (some could say delegate) certain roles or all roles to a organisation.`
			`After granting that organisation it can manage on its own which user has what roles.`
			`This feature is especially useful for service providers, because they are able to establish a great self-service culture for their business customers.`

			`Authorizations`

			`#### Project vs. granted Project`

			`The simple difference of a project vs a granted project is that a project belongs to your organisation and the granted project belongs to a third party who did grant you some rights to manage certain roles of their project.`
			`To make it more easily to differentiate ZITADEL Console displays these both as separate menu in the project section.`

			`### Manage a project`

			`> Screenshot here`

			`#### RBAC Settings`

			`- Authorisation Check option (Check if the user at least has one role granted)`
			`- Enable Project_Role Assertion (if this is enabled assert project_roles, with the config of the corresponding client)`

			`#### Define project specific roles`

			`> Screenshot here`

			`### Grant project to a third party`

			`> Screenshot here`

			`### Audit project changes`

			`> Screenshot here`