diff --git a/docs/security/custom-roles.md b/docs/security/custom-roles.md
new file mode 100644
index 00000000..2d49a51e
--- /dev/null
+++ b/docs/security/custom-roles.md
@@ -0,0 +1,37 @@
+---
+Description: Custom roles for Semaphore platform.
+---
+
+# Custom Roles
+
+If your organization needs more roles where permissions would be assigned with
+higher granularity, you can define custom roles.
+
+### Creating a new role
+
+When defining a custom role, you need to give it a unique name (that does not clash
+with any of the default roles) and select which [permissions](/security/permissions/) will
+its users have. Role inheritance is also allowed, so you can create a new role
+**Sys Admin** that will have all the same permissions as **Developer**, for example,
+plus access to Self hosted agents (`organization.self_hosted.create`). Permissions
+for the Sys Admin role are determined "dynamically", so if you later modify the Developer role
+and add/remove some permissions from it, the Sys Admin role will reflect those
+changes.
+
+**TODO** Picture of UI for creating new role, when the ui gets made
+
+### Organization role to project role mapping
+
+If there is any role within the organization that needs to have access to all of the
+projects, you can define an "*org-role to project-role mapping*" for it. If you want your
+Sys Admins to have Admin level access to all of the projects, you can say that the Sys Admin role
+maps to the project Admin role.
+
+!!! warning "Note"
+ Custom roles are currently only available on our [enterprise plan](pricing).
+
+!!! info "Default Roles"
+ As an organization that has Custom Roles enabled, you will still have access to the default roles as well.
+
+Do you need Custom roles in order to use Semaphore? Contact us via this [form](/contact)
+
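Review bot: The example permission in the "Creating a new role" paragraph, `organization.self_hosted.create`, does not match the identifier listed in permissions.md in this same patch, `organization.self_hosted_agents.create`; use the listed name so readers can copy it into a role definition. The sentence about permissions being determined "dynamically" deserves its own warning admonition, because a later edit to Developer also changes what Sys Admin can do. The **TODO** line should not ship in the published page, and the `(pricing)` link is relative while the other links here are absolute (`/security/permissions/`, `/contact`).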
diff --git a/docs/security/permissions.md b/docs/security/permissions.md
new file mode 100644
index 00000000..dc475eda
--- /dev/null
+++ b/docs/security/permissions.md
@@ -0,0 +1,188 @@
+---
+Description: Page containing a list of all permissions within the Semaphore.
+---
+
+# Permissions
+
+This page lists all permissions within the Semaphore system. It will be
+of use when creating custom roles and defining what they can do.
+
+As with the roles, permissions are also divided into **organization-level**
+and **project-level**.
+
+!!! info "Note"
+ Some permissions are not yet part of Semaphore but will be introduced in the near future. Those are marked with **✕**
+
+
+## Organization permissions
+
+
+#### Organization secrets [↗](/essentials/using-secrets/)
+
+`organization.secrets.view`
+Following permissions are related to
+[secrets management](/essentials/using-secrets/#creating-and-managing-secrets).
+`organization.secrets.create`
+`organization.secrets.modify`
+`organization.secrets.delete`
+
+#### Audit logs [↗](/security/audit-logs/)
+
+`organization.audit_logs.view`
+`organization.audit_logs.export` [↗](/security/audit-logs-exporting/)
+`organization.audit_logs.streaming.view` [↗](/security/audit-logs-exporting/#streaming)
+`organization.audit_logs.streaming.manage`
+
+#### Self-hosted agents [↗](/ci-cd-environment/self-hosted-agents-overview/)
+
+`organization.self_hosted_agents.view`
+`organization.self_hosted_agents.create`
+`organization.self_hosted_agents.reset_token`
+`organization.self_hosted_agents.disable`
+`organization.self_hosted_agents.delete`
+
+#### General settings
+
+`organization.general_settings.view`
+`organization.general_settings.modify`
+
+#### Organizational notifications [↗](/essentials/webhook-notifications/)
+
+`organization.notifications.view`
+`organization.notifications.create`
+`organization.notifications.modify`
+`organization.notifications.delete`
+
+#### Organizational pre-flight checks [↗](/essentials/configuring-pre-flight-checks/)
+
+`organization.pre_flight_checks.view`
+`organization.pre_flight_checks.modify`
+
+#### Billing
+
+`organization.plans_and_billing.view`
+`organization.plans_and_billing.modify`
+
+#### Dashboards [↗](/essentials/deployment-dashboards/)
+
+These permissions don't control whether or not you can see deployment pipelines
+defined by the dashboards, but rather if you can access and modify the definition of those
+dashboards using `sem` cli tool like it is shown [here](/essentials/deployment-dashboards/#creating-a-dashboard).
+`organization.dashboards.view`
+`organization.dashboards.create`
+`organization.dashboards.modify`
+`organization.dashboards.delete`
+
+#### Managing people
+
+`organization.people.view`
+`organization.people.invite`
+`organization.people.remove`
+`organization.people.change_role`
+
+#### Role management **✕**
+
+`organization.roles.view`
+`organization.roles.create`
+`organization.roles.remove`
+`organization.roles.modify`
+
+#### Managing how repository access levels map to Semaphore project roles **✕**
+
+`organization.repo_to_role_mappers.view`
+`organization.repo_to_role_mappers.create`
+`organization.repo_to_role_mappers.delete`
+`organization.repo_to_role_mappers.modify`
+
+#### Other permissions
+
+`organization.projects.create`
+`organization.activity_monitor.view`
+
+## Project permissions
+
+
+#### Managing people
+
+`project.people.change_role`
+`project.people.remove`
+`project.people.invite`
+
+#### Accessing/running jobs
+
+`project.job.view`
+`project.job.rerun`
+`project.job.artifacts.view`
+`project.job.artifacts.delete`
+(Grants permissions for [job level](/essentials/artifacts/#job-artifacts) artifacts)
+`project.job.stop`
+Follwing permissions are needed to
+access jobs via `sem` [cli tool](/reference/sem-command-line-tool/#operations).
+`project.job.port_forwarding`
+`project.job.attach`
+`project.job.debug`
+`project.debug`
+
+#### Project level secrets **✕**
+
+`project.secrets.view`
+`project.secrets.create`
+`project.secrets.modify`
+`project.secrets.delete`
+`project.authorized_org_secrets.list`
(List of organization level secrets
+that are whitelisted to be used within the given project)
+
+#### Project notifications **✕**
+
+`project.notifications.view`
+`project.notifications.create`
+`project.notifications.modify`
+`project.notifications.delete`
+
+#### Schedulers [↗](/essentials/schedule-a-workflow-run/)
+
+`project.scheduler.view`
+`project.scheduler.create`
+`project.scheduler.delete`
+`project.scheduler.modify`
+`project.scheduler.run_manually`
+`project.scheduler.deactivate`
+
+#### Workflow
+
+`project.workflow.view`
+`project.workflow.modify`
+`project.workflow.rerun`
+`project.workflow.stop`
+`project.workflow.artifacts.view `
+(Grants permissions for [workflow level](/essentials/artifacts/#workflow-artifacts) artifacts)
+`project.workflow.artifacts.delete`
+
+#### Artifacts [↗](/essentials/artifacts/)
+
+`project.artifacts.delete`
+`project.artifacts.view`
+`project.artifacts.view_settings`
+(Grants permissions for [project level](/essentials/artifacts/#project-artifacts) artifacts)
+`project.artifacts.modify_settings`
+
+#### Project pre-flight checks [↗](essentials/configuring-pre-flight-checks/#project-pre-flight-checks)
+
+`project.pre_flight_checks.view`
+`project.pre_flight_checks.modify`
+
+#### Project insights
+
+`project.insights.view`
+`project.insights.modify`
+
+#### Project settings and other permissions
+
+`project.view`
+`project.delete`
+`project.general_settings.view`
+`project.general_settings.modify`
+`project.repository_info.view`
+`project.repository_info.modify`
+`project.badge.view`
+`project.badge.manage`
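Review bot: Under "Organization secrets" the explanatory sentence sits between `organization.secrets.view` and the other three permissions, so it is unclear whether it covers `view`; move it above the list. The parenthetical notes after `project.job.artifacts.delete`, `project.workflow.artifacts.view ` and `project.artifacts.view_settings` have the same problem, since each reads as if it applies to one permission rather than the group. Smaller fixes: "Follwing" should be "Following", `project.workflow.artifacts.view ` has a trailing space inside the backticks, the "Project pre-flight checks" link lacks the leading slash the other links use, and the line `(List of organization level secrets` has no leading `+` even though this is a new-file hunk.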
diff --git a/mkdocs.yml b/mkdocs.yml
index 14a8d811..15eabcdd 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -233,6 +233,8 @@ nav:
- "User authorization":
- RBAC overview: security/rbac-authorization.md
- Default roles: security/default-roles.md
+ - Custom roles: security/custon-roles.md
+ - Permissions: security/permissions.md
- Repository-to-role mappings: security/repository-to-role-mappings.md
- Score:
- Insights: score/project-insights.md
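Review bot: The new nav entry `- Custom roles: security/custon-roles.md` misspells the file name; the file added in this patch is `docs/security/custom-roles.md`, so the entry points at a page that does not exist. Change it to `security/custom-roles.md`.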