diff --git a/docs/security/custom-roles.md b/docs/security/custom-roles.md
new file mode 100644
index 000000000..2d49a51e1
--- /dev/null
+++ b/docs/security/custom-roles.md
@@ -0,0 +1,37 @@
+---
+Description: Custom roles for Semaphore platform.
+---
+
+# Custom Roles
+
+If your organization needs more roles where permissions would be assigned with 
+higher granularity, you can define custom roles.
+
+### Creating a new role
+
+When defining a custom role, you need to give it a unique name (that does not clash
+with any of the default roles) and select which [permissions](/security/permissions/) will
+its users have. Role inheritance is also allowed, so you can create a new role
+**Sys Admin** that will have all the same permissions as **Developer**, for example,
+plus access to Self hosted agents (`organization.self_hosted.create`). Permissions
+for the Sys Admin role are determined "dynamically", so if you later modify the Developer role
+and add/remove some permissions from it, the Sys Admin role will reflect those
+changes.
+
+**TODO** Picture of UI for creating new role, when the ui gets made
+
+### Organization role to project role mapping
+
+If there is any role within the organization that needs to have access to all of the
+projects, you can define an "*org-role to project-role mapping*" for it. If you want your
+Sys Admins to have Admin level access to all of the projects, you can say that the Sys Admin role
+maps to the project Admin role.
+
+!!! warning "Note"
+    Custom roles are currently only available on our [enterprise plan](pricing).
+
+!!! info "Default Roles"
+    As an organization that has Custom Roles enabled, you will still have access to the default roles as well.
+
+Do you need Custom roles in order to use Semaphore? Contact us via this [form](/contact)
+
diff --git a/docs/security/default-roles.md b/docs/security/default-roles.md
new file mode 100644
index 000000000..95244b307
--- /dev/null
+++ b/docs/security/default-roles.md
@@ -0,0 +1,180 @@
+Default roles are available to all Semaphore users, regardless of the plan they are on.
+
+If you or your organization need more roles with different permissions, there is an option
+to create your own [custom roles](/security/custom-roles).
+
+### Organization roles
+<table style="background-color: rgb(255, 255, 255);">
+<thead>
+<tr>
+  <td>
+    Role name
+  </td>
+  <td>
+    Permissions
+  </td>
+  <td>
+    Notes
+  </td>
+</tr>
+</thead>
+<tbody>
+<tr>
+  <td>
+    **Guest**
+  </td>
+  <td>
+    <ul>
+      <li>Does not have any permissions within the organization, and can't see any information.</li>
+    </ul>
+  </td>
+  <td>
+    This role is intended for users that need access to some projects, but should not see
+    any information regarding the organization.
+  </td>
+</tr>
+<tr>
+  <td>
+    **Member**
+  </td>
+  <td>
+    <ul>
+      <li>Can create new projects.</li>
+      <li>Can view existing notifications.</li>
+    </ul>
+  </td>
+  <td>
+  </td>
+</tr>
+<tr>
+  <td>
+    **Admin**
+  </td>
+  <td>
+    <ul>
+      <li>Can do everything a member can.</li>
+      <li>Can view, manage, and modify everything within the organization 
+      (people, secrets, pre-flight checks,
+      notifications, etc), except general settings and financial information.</li>
+    </ul>
+  </td>
+  <td>
+    Each of the organization's Admins is also Admin within every project owned by the given organization automatically.
+  </td>
+</tr>
+<tr>
+  <td>
+    **Owner**
+  </td>
+  <td>
+    <ul>
+      <li>Can do everything within the organization, including changing general
+      settings and deleting it.</li>
+    </ul>
+  </td>
+  <td>
+    By default, this role is assigned to the user that creates the organization.
+    <br/>
+    Each of the organization's Owners is also Admin within every project owned by the given organization.
+  </td>
+</tr>
+<tr>
+  <td>
+    **Accountant**
+  </td>
+  <td>
+    <ul>
+      <li>Manages billing</li>
+    </ul>
+  </td>
+  <td>
+    This role cant access any part of the Semaphore except for pages regarding
+    spending and financial information.
+  </td>
+</tr>
+</tbody>
+</table>
+
+### Project roles
+<table style="background-color: rgb(255, 255, 255);">
+<thead>
+<tr>
+  <td>
+    Role name
+  </td>
+  <td>
+    Permissions
+  </td>
+  <td>
+    Notes
+  </td>
+</tr>
+</thead>
+<tbody>
+<tr>
+  <td>
+    **Reader**
+  </td>
+  <td>
+    <ul>
+      <li>Can view project activity, workflows, and jobs executed within those workflows.</li>
+    </ul>
+  </td>
+  <td>
+    Intended for someone who should monitor what is being done, but isn't a developer and shouldn't
+    modify anything. Perhaps an Engineering Project Manager.
+  </td>
+</tr>
+<tr>
+  <td>
+    **Contributor**
+  </td>
+  <td>
+    <ul>
+      <li>Can manually run, modify and stop workflows/jobs.</li>
+      <li>Can view project-level secrets and organization-wide secrets scoped for the given project.</li>
+      <li>Can attach to running jobs or debug jobs and projects.</li>
+      <li>Can view schedulers, project insights, and repository info.</li>
+      <li>Can manually run schedulers.</li>
+      <li>Can view, modify and delete artifacts for that project.</li>
+    </ul>
+  </td>
+  <td>
+    For developers who are currently working on the project, but aren't responsible for maintaining it
+    and setting up/modifying the environment in which the project exists.
+  </td>
+</tr>
+<tr>
+  <td>
+    **Maintainer**
+  </td>
+  <td>
+    <ul>
+      <li>Can do everything a contributor can.</li>
+      <li>Can view and manage people within the project.</li>
+      <li>Can view modify and manage project-level secrets, schedulers and, 
+      project-level pre-flight checks.</li>
+      <li>Can view and manage project settings.</li>
+    </ul>
+  </td>
+  <td>
+    Usually developers who own the project.
+  </td>
+</tr>
+<tr>
+  <td>
+    **Admin**
+  </td>
+  <td>
+    <ul>
+      <li>Can do everything within the project, including deleting it.</li>
+    </ul>
+  </td>
+  <td>
+    By default, this role is assigned to the user that created the project, and
+    this user is a primary repository token holder.
+  </td>
+</tr>
+</tbody>
+</table>
+
diff --git a/docs/security/permissions.md b/docs/security/permissions.md
new file mode 100644
index 000000000..083ff4fb5
--- /dev/null
+++ b/docs/security/permissions.md
@@ -0,0 +1,188 @@
+---
+Description: List of all permissions within the Semaphore.
+---
+
+# Permissions
+
+This page lists all permissions within the Semaphore system. This can be used
+when creating custom roles and defining what they can do. 
+
+Similar to roles, permissions are also divided into **organization-level**
+and **project-level**.
+
+!!! info "Note"
+    Some permissions are not yet part of Semaphore but will be introduced in the near future. These are marked with **✕**
+
+
+## Organization permissions
+
+<br />
+#### Organization secrets [↗](/essentials/using-secrets/)
+
+`organization.secrets.view`<br />
+<span style="font-size:smaller;">The following permissions are related to
+[secrets management](/essentials/using-secrets/#creating-and-managing-secrets).</span><br />
+`organization.secrets.create`<br />
+`organization.secrets.modify`<br />
+`organization.secrets.delete`<br />
+
+#### Audit logs [↗](/security/audit-logs/)
+
+`organization.audit_logs.view`<br />
+`organization.audit_logs.export` [↗](/security/audit-logs-exporting/)<br />
+`organization.audit_logs.streaming.view` [↗](/security/audit-logs-exporting/#streaming)<br />
+`organization.audit_logs.streaming.manage`<br />
+
+#### Self-hosted agents [↗](/ci-cd-environment/self-hosted-agents-overview/)
+
+`organization.self_hosted_agents.view`<br />
+`organization.self_hosted_agents.create`<br />
+`organization.self_hosted_agents.reset_token`<br />
+`organization.self_hosted_agents.disable`<br />
+`organization.self_hosted_agents.delete`<br />
+
+#### General settings
+
+`organization.general_settings.view`<br />
+`organization.general_settings.modify`<br />
+
+#### Organizational notifications [↗](/essentials/webhook-notifications/)
+
+`organization.notifications.view`<br />
+`organization.notifications.create`<br />
+`organization.notifications.modify`<br />
+`organization.notifications.delete`<br />
+
+#### Organizational pre-flight checks [↗](/essentials/configuring-pre-flight-checks/)
+
+`organization.pre_flight_checks.view`<br />
+`organization.pre_flight_checks.modify`<br />
+
+#### Billing
+
+`organization.plans_and_billing.view`<br />
+`organization.plans_and_billing.modify`<br />
+
+#### Dashboards [↗](/essentials/deployment-dashboards/)
+
+<span style="font-size:smaller;">These permissions don't control whether or not a user can see deployment pipelines
+defined by the dashboards, rather they control whether a user can access and modify the definition of those
+dashboards using the `sem` cli tool, as shown [here](/essentials/deployment-dashboards/#creating-a-dashboard).</span><br />
+`organization.dashboards.view`<br />
+`organization.dashboards.create`<br />
+`organization.dashboards.modify`<br />
+`organization.dashboards.delete`<br />
+
+#### Managing people
+
+`organization.people.view`<br />
+`organization.people.invite`<br />
+`organization.people.remove`<br />
+`organization.people.change_role`<br />
+
+#### Role management **✕**
+
+`organization.roles.view`<br />
+`organization.roles.create`<br />
+`organization.roles.remove`<br />
+`organization.roles.modify`<br />
+
+#### Managing how repository access levels map to Semaphore project roles **✕**
+
+`organization.repo_to_role_mappers.view`<br />
+`organization.repo_to_role_mappers.create`<br />
+`organization.repo_to_role_mappers.delete`<br />
+`organization.repo_to_role_mappers.modify`<br />
+
+#### Other permissions
+
+`organization.projects.create`<br />
+`organization.activity_monitor.view`<br />
+
+## Project permissions
+
+<br />
+#### Managing people
+
+`project.people.change_role`<br />
+`project.people.remove`<br />
+`project.people.invite`<br />
+
+#### Accessing/running jobs
+
+`project.job.view`<br />
+`project.job.rerun`<br />
+`project.job.artifacts.view`<br />
+`project.job.artifacts.delete`
+<span style="font-size:smaller;">(Grants permissions for the [job level](/essentials/artifacts/#job-artifacts) artifacts)</span><br />
+`project.job.stop`<br />
+<span style="font-size:smaller;">The follwing permissions are needed to
+access jobs via the `sem` [cli tool](/reference/sem-command-line-tool/#operations).</span><br />
+`project.job.port_forwarding`<br />
+`project.job.attach`<br />
+`project.job.debug`<br />
+`project.debug`<br />
+
+#### Project level secrets **✕**
+
+`project.secrets.view`<br />
+`project.secrets.create`<br />
+`project.secrets.modify`<br />
+`project.secrets.delete`<br />
+`project.authorized_org_secrets.list`<br /> <span style="font-size:smaller;">(List of organization level secrets
+that are whitelisted to be used within a given project)</span><br />
+
+#### Project notifications **✕**
+
+`project.notifications.view`<br />
+`project.notifications.create`<br />
+`project.notifications.modify`<br />
+`project.notifications.delete`<br />
+
+#### Schedulers [↗](/essentials/schedule-a-workflow-run/)
+
+`project.scheduler.view`<br />
+`project.scheduler.create`<br />
+`project.scheduler.delete`<br />
+`project.scheduler.modify`<br />
+`project.scheduler.run_manually`<br />
+`project.scheduler.deactivate`<br />
+
+#### Workflow
+
+`project.workflow.view`<br />
+`project.workflow.modify`<br />
+`project.workflow.rerun`<br />
+`project.workflow.stop`<br />
+`project.workflow.artifacts.view `<br />
+<span style="font-size:smaller;">(Grants permissions for the [workflow level](/essentials/artifacts/#workflow-artifacts) artifacts)</span><br />
+`project.workflow.artifacts.delete`<br />
+
+#### Artifacts [↗](/essentials/artifacts/)
+
+`project.artifacts.delete`<br />
+`project.artifacts.view`<br />
+`project.artifacts.view_settings`
+<span style="font-size:smaller;">(Grants permissions for the [project level](/essentials/artifacts/#project-artifacts) artifacts)</span><br />
+`project.artifacts.modify_settings`<br />
+
+#### Project pre-flight checks [↗](essentials/configuring-pre-flight-checks/#project-pre-flight-checks)
+
+`project.pre_flight_checks.view`<br />
+`project.pre_flight_checks.modify`<br />
+
+#### Project insights 
+
+`project.insights.view`<br />
+`project.insights.modify`<br />
+
+#### Project settings and other permissions
+
+`project.view`<br />
+`project.delete`<br />
+`project.general_settings.view`<br />
+`project.general_settings.modify`<br />
+`project.repository_info.view`<br />
+`project.repository_info.modify`<br />
+`project.badge.view`<br />
+`project.badge.manage`<br />
diff --git a/docs/security/rbac-authorization.md b/docs/security/rbac-authorization.md
new file mode 100644
index 000000000..1232533f4
--- /dev/null
+++ b/docs/security/rbac-authorization.md
@@ -0,0 +1,69 @@
+---
+Description: This page explains the RBAC model that Semaphore 2.0 uses for user authorization. Here, you will find information about existing permissions, roles, and role management.
+---
+
+# Rbac model
+
+Semaphore 2.0 uses a **Role-Based Access Control** model for user authorization.
+This page will give a brief overview of permissions, roles, and how to manage them.
+
+## Roles on Semaphore
+
+All of the roles (and permissions) within the Semaphore are divided into __organization-level__ and __project-level__.<br />
+Organization-level roles define access to functionalities and assets that apply to the entire organization (Audit Logs, Billing, 
+Organization Members, Projects, etc.).<br/>
+On the other hand, project-level roles are assigned within a single project, and grant access
+to information scoped only to that one project (Schedulers, Insights, Workflows, Artifacts).
+To get any project-level role, you have to be a part of the organization
+which owns that project (you must have a role within the organization).
+
+There is a set of pre-defined [default roles](/security/default-roles) that are available to all users, but there is also
+a possibility to define your own [custom roles](/security/custom-roles).
+
+## Role Management
+
+#### Organization roles
+
+To be considered a part of the organization, the user must have a role within that organization.
+Each user can have up to one role assigned to them directly. Other than that
+users can have one role within the organization assigned to them indirectly through each of the groups
+they are a part of.<br/>
+If the user has more than one role, all permissions those roles grant are combined to
+make a full set of permissions the user has within the given organization.
+
+#### Organization role to project role mappings
+
+Some organization roles can grant you automatically a project-level role on each project
+that the organization owns. For example, the Organization Admin role makes you an Admin on all
+of the organization's projects. To see which organization roles grant you project-level
+access, see the "*Notes*" column of [this table](/security/default-roles/#organization-roles).
+
+#### Project roles
+
+Project role assignment works similarly to the organization role assignment, only there
+are two additional ways a user can get a role within the project.<br/>
+If the user has access to the project's remote repository, that automatically grants them
+a role within the Semaphore project according to these ["*repo-to-role mapping*"
+rules](/security/repository-to-role-mappings/).<br/>
+Next, each organization-level role can grant access to the organization's projects, as mentioned
+[above](organization-role-to-project-role-mappings). Finally, user can be assigned a role
+within the project directly (from projects Admin or Maintainer), and can also get a role through
+ membership in the group which was assigned a role within the given project.
+
+**Example**:<br/> *Owen* has access to the project's GitHub repository, which automatically makes him
+a Contributor to that project on Semaphore. He is the organization's Admin, which makes him Admin on
+all of the organization's projects, and someone assigned him directly the role of Maintainer.
+So, *Owen* has three roles within this project: Contributor, Admin, and Maintainer, and
+same as with organization roles, the sum of permissions that those roles grant make a total set
+of permission *Owen* has within this project. 
+
+#### Retracting roles
+
+Only roles that were assigned to a user directly can be retracted. If the user has a role
+through a membership in some group, he either has to be removed from the group, or
+the role has to be retracted from the entire group.
+
+If a project role was assigned through access to the remote repository, the only way to remove that
+role is to remove the user from the repository, and if it was assigned through an organization-level
+role, that role has to be retracted.
+
diff --git a/docs/security/repository-to-role-mappings.md b/docs/security/repository-to-role-mappings.md
new file mode 100644
index 000000000..e90a9ce57
--- /dev/null
+++ b/docs/security/repository-to-role-mappings.md
@@ -0,0 +1,89 @@
+---
+Description: This page describes how access to remote repository grants you access to Semaphore projects.
+---
+
+# Repository-to-role mappings
+
+On Semaphore, each project has to stem from a code base on a remote repository, like GitHub
+or Bitbucket. Semaphore keeps track of all accounts that have access to those remote
+repositories (collaborators), and if any of them is associated with a Semaphore account, that
+Semaphore user is given access to the project (if he is a member of the organization which owns it).
+
+## Rules for assigning project roles
+
+Depending on user's premissions within the remote repository, a different role
+is assigned to them on the Semaphore project.
+
+#### GitHub:
+
+<table style="background-color: rgb(255, 255, 255);">
+<thead>
+<tr>
+  <td>Repository permission level</td>
+  <td>Semaphore project role</td>
+</tr>
+</thead>
+<tbody>
+<tr>
+  <td>
+    Admin
+  </td>
+  <td>
+    Maintainer
+  </td>
+</tr>
+<tr>
+  <td>
+    Push
+  </td>
+  <td>
+    Contributor
+  </td>
+</tr>
+<tr>
+  <td>
+    Pull
+  </td>
+  <td>
+    Reader
+  </td>
+</tr>
+</tbody>
+</table>
+
+#### Bitbucket:
+
+<table style="background-color: rgb(255, 255, 255);">
+<thead>
+<tr>
+  <td>Repository permission level</td>
+  <td>Semaphore project role</td>
+</tr>
+</thead>
+<tbody>
+<tr>
+  <td>
+    Admin
+  </td>
+  <td>
+    Maintainer
+  </td>
+</tr>
+<tr>
+  <td>
+    Write
+  </td>
+  <td>
+    Contributor
+  </td>
+</tr>
+<tr>
+  <td>
+    Read
+  </td>
+  <td>
+    Reader
+  </td>
+</tr>
+</tbody>
+</table>
diff --git a/mkdocs.yml b/mkdocs.yml
index 1a558edea..0ad4236a9 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -204,6 +204,12 @@ nav:
       - Audit logs: security/audit-logs.md
       - Audit logs exporting: security/audit-logs-exporting.md
       - Audit Events reference: security/audit-events-reference.md
+    - "User authorization":
+      - RBAC overview: security/rbac-authorization.md
+      - Permissions: security/permissions.md
+      - Default roles: security/default-roles.md
+      - Custom roles: security/custom-roles.md
+      - Repo-to-role mapping: security/repository-to-role-mappings.md
   - FAQ:
     - FAQ: faq/faq.md
     - Managing projects: faq/managing-projects.md