# Authorization overview

> Since 7.0, MetalSoft implements both Role-Based Access Control and Attribute-Based Access Control.

## Concepts and relationships

These are the elements that control access to resources:

* A **User** can be assigned a single Role at a time. The default role for **Users** is the built-in "User" role.
* A **Role** has one or more **Permissions**. **Roles** are shared across multiple users.
* A **Permission** is described by:
    * a **Subject** (a VM, a Server etc.)
    * an **Action** (Create, List, Read etc.)
    * a list of **Fields** (such as "label"; these are the fields on the Subject's object that can be manipulated)
    * a list of **Conditions** such as `{ status: { $in: ['deployed', 'active'] } }`

## Roles and Permissions

MetalSoft provides a series of built-in **Roles** and **Permissions** and allows the creation of custom ones.

* [Built-in roles and permissions](built_in_roles_and_permissions)
* [Custom permissions](custom_permissions)

## Authentication methods

Separately, MetalSoft uses multiple forms of authentication:

1. Built-in
2. LDAP-based
3. SAML-based

More than one form of authentication can be active at any given time. Use `Global Configurations` > `Authentication` to manage them. Consult [Authentication Overview](/content/configuration/users_and_permissions/authentication_overview) for more details.

## Resource ownership

Many resources have an owner associated with them. In that case, some resources (such as OS templates and Workflows) will not be visible to the other admins until they are published. This is controlled by a property called visibility. Set the visibility to 'public' to share the resource with other users.

## The "Billable" account

Only infrastructures that are owned by a `Billable` account can be deployed. Normally, only one account in an organization will have Billing activated, such as by adding a credit card. This flag can also be used by an external Billing system to determine who needs to be invoiced.

## User limits

Users also have various **Limits** associated with them, such as the maximum number of servers an account can provision. These are added to prevent abuse or Denial-of-Service type attacks. Use the **Users & Permissions//Limits** section to change these limits.

## Accounts

An account typically maps to a company that has multiple Users and includes billing information. Default **Limits** can be set on the Account and all Users will inherit those custom limits.

## Delegation

To simplify permission management, users can share access to specific Infrastructures with other users via Infrastructure > Infrastructure Settings > Sharing, as well as share their entire account.
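
The permission model from "Concepts and relationships" (one Role per User, each Permission made of a Subject, Action, Fields and Conditions) can be sketched as a small evaluator. This is an added example, not MetalSoft code: the role name `operator`, the permission object shape, the functions `can` and `matchesConditions`, and the sample servers are assumptions made for illustration. Only equality and the `$in` operator from the condition shown above are handled, and anything else is denied.

```javascript
// Added example: not MetalSoft code. Role names, the permission object shape
// and the sample data are constructed for illustration.
const roles = new Map([
  ['operator', [
    {
      subject: 'Server',
      actions: ['Read', 'Update'],
      fields: ['label'],
      conditions: { status: { $in: ['deployed', 'active'] } },
    },
    { subject: 'Server', actions: ['List'] },
  ]],
]);

// Supports plain equality and $in only; any other operator denies (fail closed).
function matchesConditions(conditions, resource) {
  return Object.entries(conditions || {}).every(([key, expected]) => {
    if (expected !== null && typeof expected === 'object') {
      const ops = Object.keys(expected);
      if (ops.length !== 1 || ops[0] !== '$in' || !Array.isArray(expected.$in)) return false;
      return expected.$in.includes(resource[key]);
    }
    return resource[key] === expected;
  });
}

// A request is allowed when at least one permission of the user's single role
// matches subject, action, every touched field, and all conditions.
function can(user, action, subject, resource = {}, touchedFields = []) {
  const permissions = roles.get(user.role) || []; // unknown role: no permissions
  return permissions.some((p) =>
    p.subject === subject &&
    p.actions.includes(action) &&
    // A permission without a field list places no field restriction here (assumption).
    (!p.fields || touchedFields.every((f) => p.fields.includes(f))) &&
    matchesConditions(p.conditions, resource));
}

const alice = { name: 'alice', role: 'operator' };
const deployed = { label: 'db-01', status: 'deployed' };
const ordered = { label: 'db-02', status: 'ordered' };

console.log(can(alice, 'Update', 'Server', deployed, ['label']));  // true
console.log(can(alice, 'Update', 'Server', ordered, ['label']));   // false: condition fails
console.log(can(alice, 'Update', 'Server', deployed, ['status'])); // false: field not granted
console.log(can(alice, 'Delete', 'Server', deployed));             // false: action not granted
console.log(can({ role: 'unknown' }, 'List', 'Server'));           // false: role has no permissions
```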