The roles and scopes you can assign your users and/or API keys differ depending on your account plan:
With the Lite plan, users and/or API keys you add are automatically assigned the SecOps role in the context of the Global (account) scope.
With the Pro plan, you can select a built-in role for your users and/or API keys, but they will always have that role in the context of the Global (account) scope.
With the Enterprise plan, you can select a built-in role for your users and/or API keys or create your own custom roles, based on selected permissions; as for the scope, it can be Global (account), one or more Teams, or one or more Targets.