# Manage Members & Role Bindings

A Member's access changes over time as roles are added and removed. This page covers the day-to-day mechanics: granting access, narrowing it, revoking it entirely, and auditing what a given Member can currently do.

If you're setting up a Member for the first time, [Build a Service Account](/guides/security-model/build-a-service-account) walks through that from scratch.

## Add a role to a member

To grant additional capability, bind another role. This endpoint replaces the member's role bindings entirely, so read the current list first, add the new role, then send the complete result. Any role omitted from the list will be removed:

Effective access is always the union
A new role only ever adds capability — it cannot carve an exception out of a role the member already holds. To reduce access, remove a binding; don't add one to restrict another.

## Remove a role from a member

When you update a member's roles, the list you send becomes their complete set of role bindings — not an addition to what they already have. To remove a role, send the full list of roles the member should keep, leaving out only the one you want to remove.

Roles not in the list are dropped
Only the roles you include in the `role_binding` array will remain. If a member currently holds `["provisioning-service-accounts", "provisioning-service-token-issuer"]` and you PUT with only `["provisioning-service-accounts"]`, the `provisioning-service-token-issuer` role is permanently removed.

If you want to remove a single role without reading the current list first, use the `PATCH` endpoint instead — it supports targeted JSON Patch operations that leave all other bindings untouched.

## Revoke a member's access

Three options depending on the intended outcome:

| Option | How | When to use |
|  --- | --- | --- |
| Remove all role bindings | Update with empty `RoleBinding` | Member should still exist but have no access |
| Disable the member | Set `options.options: ["disabled"]` | Member is temporarily suspended |
| Delete the member | `client.Members.Delete` | Member should no longer exist |


To disable without deleting:

## Audit a member's current access

To determine everything a member can do, reconstruct the member's effective access from their role bindings:

1. Fetch the Member and read its current `RoleBinding` list.
2. For each role name, check its permission set and resource restriction via the [Roles API](https://docs.synqly.com/api-reference/management/roles).
3. If you need the exact actions a permission set grants, query the [Permission Sets API](https://docs.synqly.com/api-reference/management/permissionset).