RBAC (Role-Based Access Control) is an Enterprise feature for managing workspace-level permissions. If you are interested in this feature, contact our sales team. Other plans default to using the Admin role for all users.
- One organization role that applies across the entire organization (separate from RBAC, available on all plans).
- One workspace role per workspace they’re a member of (requires Enterprise RBAC feature).
For a comprehensive reference table of workspace-level and organization-level operations and which roles can perform them, refer to the Workspace Operations Reference.
Role types
Organization roles
Organization roles are distinct from the RBAC feature and are used to manage organization-wide capabilities. These roles are available on all plans.| Role | Description |
|---|---|
| Organization Admin | Full permissions to manage organization configuration, users, billing, and workspaces |
| Organization User | Read access to organization information and ability to create personal access tokens |
| Organization Viewer | Read-only access to organization information |
Workspace roles
Workspace roles are part of the Enterprise RBAC feature and control what users can do with resources inside a workspace:| Role | Description |
|---|---|
| Workspace Admin | Full permissions for all resources and ability to manage workspace |
| Workspace Editor | Full permissions for most resources, cannot manage workspace settings or delete certain resources |
| Workspace Viewer | Read-only access to all workspace resources |
Organization roles
Organization roles are distinct from the RBAC feature and are available on all plans. They control organization-wide capabilities and workspace membership. For more details, see the Administration Overview.
Organization Admin
Description: Full permissions to manage all organization configuration, users, billing, and workspaces. Permissions:organization:manage- Full control over organization settings, SSO, security, billingorganization:read- Read access to all organization informationorganization:pats:create- Create organization-level personal access tokens
- Manage organization settings and branding
- Configure SSO and authentication methods
- Manage billing and subscription plans
- Create and delete workspaces
- Invite and remove organization members
- Assign organization and workspace roles to members
- Create and manage custom roles
- Configure RBAC and ABAC (Attribute-Based Access Control) policies
- Manage organization-level API keys and service accounts
- View organization usage and analytics
Organization User
Description: Read access to organization information and ability to create personal access tokens. Permissions:organization:read- Read access to organization informationorganization:pats:create- Create personal access tokens
- View organization members and workspaces
- View organization settings (but not modify)
- Create personal access tokens for API access
- Join workspaces they’re invited to
- Cannot modify organization settings
- Cannot manage billing or subscriptions
- Cannot create or delete workspaces
- Cannot invite or remove organization members
- Cannot manage roles or permissions
Organization Viewer
Description: Read-only access to organization information. Permissions:organization:read- Read access to organization information
- View organization members and workspaces
- View organization settings
- Cannot modify anything at the organization level
- Cannot create personal access tokens
- Cannot manage billing, workspaces, or members
Workspace roles
RBAC (Role-Based Access Control) is a feature that is only available to Enterprise customers. If you are interested in this feature, contact our sales team. Other plans default to using the Admin role for all users.
Workspace Admin
Description: Default role with full permissions for all resources and ability to manage workspace. Permissions:- All create, read, update, delete, and share permissions for all resource types
- Workspace management capabilities
Workspace Editor
Description: Default role with full permissions for most resources. Cannot manage workspace settings or delete certain critical resources. Key Differences from Admin:- Cannot delete annotation queues
- Cannot create or delete projects (can only read and update)
- Cannot delete datasets
- Cannot share datasets
- Cannot delete deployments
- Cannot delete runs
- Cannot manage workspace settings (add/remove members, change workspace name, etc.)
Workspace Viewer
Description: Read-only access to all workspace resources. Permissions: Read-only access to all resource types.For step-by-step instructions on assigning workspace roles to users, refer to the User Management guide.
Custom roles
Creating custom roles is available for organizations on the Enterprise plan.
Creating custom roles
Custom roles are created at the organization level and can be assigned to users in any workspace within that organization. Steps:- Navigate to Organization Settings > Roles.
- Click Create Custom Role.
- Select the permissions to include in the role.
- Assign the custom role to users in specific workspaces.
- Custom roles can only be created and managed by Organization Admins.
- Custom roles are organization-specific (not transferable between organizations).
- Each custom role can have any combination of workspace-level permissions.
- Custom roles cannot have organization-level permissions.
- Users can have different roles (including custom roles) in different workspaces.
Connect these docs programmatically to Claude, VSCode, and more via MCP for real-time answers.