RBAC (Role-Based Access Control) is an Enterprise feature for managing workspace-level permissions. If you are interested in this feature, contact our sales team. Other plans default to using the Admin role for all users.
- One organization role that applies across the entire organization (separate from workspace RBAC).
- The Organization User and Organization Viewer roles are only available in organizations on plans with multiple workspaces. In organizations limited to a single workspace, all users have the Organization Admin role.
- One workspace role per workspace they’re a member of (requires Enterprise RBAC feature).
For a comprehensive list of required permissions along with the operations and roles that can perform them, refer to the Organization and workspace reference.
Role types
Organization roles
Organization roles are distinct from the workspace RBAC feature and are used to manage organization-wide capabilities. The roles are system-defined and cannot be modified or extended. These roles are available in multi-workspace organizations on Plus and Enterprise plans.| Role | Description |
|---|---|
| Organization Admin | Full permissions to manage organization configuration, users, billing, and workspaces |
| Organization User | Read access to organization information and ability to create personal access tokens |
| Organization Viewer | Read-only access to organization information |
In organizations limited to a single workspace, all users are Organization Admins.
Organization Admin
Description: Full permissions to manage all organization configuration, users, billing, and workspaces. Permissions:organization:manage- Full control over organization settings, SSO, security, billingorganization:read- Read access to all organization informationorganization:pats:create- Create organization-level personal access tokens
- Manage organization settings and branding
- Configure SSO and authentication methods
- Manage billing and subscription plans
- Create and delete workspaces
- Invite and remove organization members
- Assign organization and workspace roles to members
- Create and manage custom roles
- Configure RBAC and ABAC (Attribute-Based Access Control) policies (Note that ABAC is in private preview)
- View organization usage and analytics
Organization User
Description: Read access to organization information and ability to create personal access tokens. Permissions:organization:read- Read access to organization informationorganization:pats:create- Create personal access tokens
- View organization members and workspaces
- View organization settings (but not modify)
- Create personal access tokens for API access
- Join workspaces they’re invited to
- Cannot modify organization settings
- Cannot manage billing or subscriptions
- Cannot create or delete workspaces
- Cannot invite or remove organization members
- Cannot manage roles or permissions
Organization Viewer
Description: Read-only access to organization information. Permissions:organization:read- Read access to organization information
- View organization members and workspaces
- View organization settings
- Cannot modify anything at the organization level
- Cannot create personal access tokens
- Cannot manage billing, workspaces, or members
Workspace roles
Workspace roles are part of the Enterprise RBAC feature and control what users can do with resources inside a workspace:| Role | Description |
|---|---|
| Workspace Admin | Full permissions for all resources and ability to manage workspace |
| Workspace Editor | Full permissions for most resources, cannot manage workspace settings or delete certain resources |
| Workspace Viewer | Read-only access to all workspace resources |
RBAC (Role-Based Access Control) is a feature that is only available to Enterprise customers. If you are interested in this feature, contact our sales team. Other plans default to using the Admin role for all users.
Workspace Admin
Description: Role with full permissions for all resources and ability to manage workspace. Permissions:- All create, read, update, delete, and share permissions for all resource types
- Workspace management capabilities
Workspace Editor
Description: Role with full permissions for most resources. Cannot manage workspace settings or delete certain critical resources. Key Differences from Admin:- Cannot delete runs
- Cannot manage workspace settings (add/remove members, change workspace name, etc.)
Workspace Viewer
Description: Read-only access to all workspace resources. Permissions: Read-only access to all resource types. For a comprehensive list of required permissions along with the operations and roles that can perform them, refer to the Organization and workspace reference.For step-by-step instructions on assigning workspace roles to users, refer to the User Management guide.
Custom roles
Creating custom roles is available for organizations on the Enterprise plan.
Creating custom roles
Custom roles are created at the organization level and can be assigned to users in any workspace within that organization. Steps:- Navigate to Organization Settings > Roles.
- Click Create Custom Role.
- Select the permissions to include in the role.
- Assign the custom role to users in specific workspaces.
- Custom roles can only be created and managed by Organization Admins.
- Custom roles are organization-specific (not transferable between organizations).
- Each custom role can have any combination of workspace-level permissions.
- Custom roles cannot have organization-level permissions.
- Users can have different roles (including custom roles) in different workspaces.
Connect these docs programmatically to Claude, VSCode, and more via MCP for real-time answers.