Assigning roles

Commercial & Enterprise

AI Hub uses roles to manage members’ permissions across the organization and in shared workspaces.

Organization and workspace roles

Roles and their associated permissions can be assigned at the organization level and at the workspace level. At the organization level, there are two possible roles: Member and Admin. At the workspace level, there is an additional role, Workspace manager, that grants workspace-specific permissions.

Organization roles apply across the organization. Workspace roles apply only in the context of the workspace in which they’re assigned. Workspace roles can be assigned to members or to groups, which are subsets of organization members.

Other notes about each role include:

  • Member: This role is the default for all organization members. The Member role is inherited through all workspaces to which the member has access, unless otherwise assigned a workspace-specific role. Members have the fewest administrative permissions.

  • Workspace manager: This role is assigned at the workspace level and appears only in a workspace members list, as Manager. At the organization level, workspace managers still have the Member role. Workspace managers’ additional permissions are limited to the workspace they’re assigned to manage.

  • Admin: The Admin role is assigned at the organization level and inherited into all workspaces. Admins have wide-ranging permissions and access, including access to all organization workspaces—both personal and shared—and the ability to perform all administrative tasks. Only admins can assign other members as admins. The first organization admin is either designated when an organization is created for you, or is the member who created the organization.

    Minimize the number of admins in an organization. Instead, use workspace roles to grant workspace permissions as needed, and limit such extensive, organization-wide access to only those who need it.
Within groups, group roles can be assigned. However, a group role offers no additional permissions outside of the group context. Any permissions a group member has within a workspace are conferred by assigning the group a workspace role.

Permissions overview

The following tables provide an overview of organization and workspace roles and their permissions related to common tasks. (Group roles aren’t included because they confer no permissions outside of the group context.) While each row is listed as a separate permission, specific permissions can’t be individually granted or restricted. If a member is assigned a given organization or workspace role, they’re granted all associated permissions. The tasks and permissions listed aren’t comprehensive and instead highlight commonly used or notable functionality.

There’s no difference in permissions when using the user interface compared to the API and SDK. If a member’s role confers a permission in the interface, they can perform the analogous task using the API or SDK.

Organization, workspace, and member management

Admins can perform all administrative tasks in the organization. Members and workspace managers have limited administrative capabilities, with any permissions being restricted to the context of their assigned workspaces.

PermissionAdminWorkspace managerMember
Access all organization workspaces, including personal workspaces.
Create, manage, and delete shared workspaces, including assigning the first workspace manager.
Add, manage, and remove organization members, including assigning organization roles.
Add, manage, and remove workspace members, including assigning workspace roles.All workspacesManaged workspaces only
View members lists in assigned workspaces.All workspaces
Create, manage, and delete groups.
Create, manage, and delete service accounts.
Create, manage, and delete secrets.
Enable and disable preview features.
View usage details.
View and manage the organization’s subscription and billing, including viewing invoices.

Data sources

For data source-related permissions, members’ and workspace managers’ permissions are restricted to the workspaces they’re assigned to. For example, members can’t connect workspace drives in workspaces they can’t access.

PermissionAdminWorkspace managerMember
Connect, update, and remove organization drives.
Assign the organization default drive.
Connect, update, and remove workspace drives.
Assign workspace default drives.
Connect, update, and remove mailboxes.

Build projects and apps

For Build project-related permissions, members’ and workspace managers’ permissions are restricted to the workspaces they’re assigned to. For example, members can’t create projects in or move projects to workspaces they can’t access. In general, app-related permissions aren’t bound by workspace access as, after an app is published and shared with the organization, any member can access and run it.

PermissionAdminWorkspace managerMember
Create, edit, copy, move, and delete projects.
View projects and their configuration.
Create apps from projects in the workspace.
Edit and delete other members’ shared apps.
Create, edit, and delete ground truth datasets for accuracy testing.
Create and run accuracy tests, and view accuracy metrics.
Run apps and view runs and run logs.
Delete app runs.

Deployments

For deployment-related permissions, members’ and workspace managers’ permissions are restricted to the workspaces they’re assigned to. For example, members can’t view deployments created in workspaces they can’t access.

PermissionAdminWorkspace managerMember
Create, edit, and delete deployments.
View deployments and their configuration.
Run deployments and view runs and run logs.
Delete deployment runs.
View deployment metrics.

Human review

For human review-related permissions, members’ and workspace managers’ permissions are restricted to the workspaces they’re assigned to. For example, a workspace manager can’t edit the service-level agreement for a deployment created in a workspace they can’t access.

PermissionAdminWorkspace managerMember
View all review tasks.
Assign reviews.
Complete any reviews.
Complete only unassigned or their assigned reviews.
View review metrics.
Edit review settings in deployments.

Converse and chatbots

For Converse-related permissions, as conversations can be created only in personal workspaces, most functionality isn’t available to other organization members. Admins, however, can access all personal workspaces and view conversations and other assets within. For chatbot-related permissions, most features and functionality beyond using the chatbot are limited to the chatbot creator. For example, regardless of role, organization members can’t view analytics or feedback for chatbots created by another member.

PermissionAdminWorkspace managerMember
Create, edit, and delete conversations in their own personal workspace.
View, edit, and delete conversations in other members’ personal workspaces.
Create chatbots from conversations in their own personal workspace.
Create chatbots from conversations in other members’ personal workspaces.

Assigning organization roles

Admins can assign organization roles, including assigning other organization admins.

  1. In the header, click the initials icon and select Settings.

  2. Click Members to open the organization members list.

  3. In the member’s row, click the Edit icon.

  4. Select a new role from the Role field.

  5. Click Save.

To update roles for multiple members, select a list of members, then click Actions > Update roles.
Enterprise Enterprise organizations with a single-tenant environment using SAML-based single sign-on can define organization admins through their identity provider by passing the is_admin attribute. If assigning admins this way, you can still manually assign the Admin role. However, the is_admin attribute takes precedence and the member’s admin status resets at next login based on how the attribute is defined.

Assigning workspace roles

Admins and workspace managers can assign workspace roles, including assigning other workspace managers. Workspace roles can be assigned to individual workspace members or to groups that have been assigned to the workspace. Roles assigned to a group apply to all group members.

  1. In the header, click the initials icon and select Settings.

  2. Click Workspaces, then select the workspace.

  3. In the member or group’s row, click the Edit icon.

  4. Click the role dropdown, then select a role.

  5. Click Save.

To update roles for multiple members, select a list of members, then click Actions > Update roles.

Or, assign workspace roles in Workspaces.

  1. In Workspaces, select the workspace.

  2. Click Members, then locate the member or group in the members list.

  3. Click the role dropdown, then select a role.

Was this page helpful?