Organization and workspace roles

Commercial & Enterprise

AI Hub uses roles to manage members’ permissions across the organization and in shared workspaces.

About roles

Roles can be assigned at the organization level and at the workspace level. Organization roles are assigned to members, whereas workspace roles can be assigned to individual members or groups, which are subsets of organization members.

A third type of AI Hub role, group roles, also exists. However, group roles grant no permissions outside the group context and don’t by themselves affect organization or workspace permissions. For example, a group member’s workspace permissions come only from the workspace role assigned to the group.

Organization roles

Organization roles affect access and permissions for tasks performed at the organization level, such as managing organization settings. The following organization roles can be assigned:

  • Member — This role is the default for all organization members. Members have limited administrative permissions and access at the organization level.

  • Admin — Admins have wide-ranging permissions and access, including access to all organization workspaces—both personal and shared—and the ability to perform all administrative tasks. Only admins can assign the admin role. The first organization admin is either designated when an organization is created, or is the member who created the organization.

    Minimize the number of admins in an organization. Instead, use workspace roles to grant workspace permissions as needed, and limit such extensive, organization-wide access to only those who need it.

Workspace roles

Workspace roles are granted within shared workspaces and assigned on a workspace-by-workspace basis, meaning someone can have different roles across multiple workspaces. Workspace roles can be assigned to members or to groups, which are subsets of organization members.

Each workspace role includes all permissions from lower-level roles, plus additional capabilities. A role’s name and permission set reflect the job function it supports.

  • Reviewer — Reviews documents or runs that fail validation in assigned workspaces or review queues.

  • Review manager — Oversees reviewers in assigned workspaces or review queues.

  • Tester — Performs accuracy, integration, or user acceptance testing on apps and chatbots.

    The tester role can be assigned to support users who need read-only access to investigate issues by viewing runs, logs, and configurations, but don’t need developer permissions.

  • Developer — Creates apps to turn unstructured data into insights.

  • Workspace manager — Manages workspace membership and roles. Can also connect workspace-level data sources.

  • Admin — Admins are members of every shared workspace, and retain the admin role in all contexts. Admin is assigned as an organization role.

Role scoping

Roles affect member permissions and feature availability differently depending on the AI Hub context.

Workspaces — Members can only see workspaces they have access to, and their permissions within each workspace depend on their assigned role.

  • Shared workspaces — The workspace role assigned in each specific shared workspace applies. For example, being a workspace manager in one workspace doesn’t grant additional permissions in another.

  • Personal workspaces — All non-admin members have permissions roughly equivalent to the developer role in their own personal workspace. This effective role isn’t assigned and doesn’t count towards determining a member’s highest assigned workspace role.

  • Cross-workspace tasks — Members can only perform tasks between workspaces they can access. For example, while the developer role includes permission to move projects, developers can’t move a project to a workspace they can’t access.

Hub — All members can access the Hub. For workspace-dependent tasks, such as running apps, the interface shows options based on a member’s highest assigned workspace role across all shared workspaces. Actual task execution, however, is still limited to workspaces where the member has the appropriate role. For example, members whose highest assigned role across workspaces is reviewer don’t see the Run app option. Members with mixed reviewer and developer roles, by contrast, do see it and can initiate app runs, but can execute a run only in a workspace where they have developer access.

Settings — The options a member sees on the settings page are primarily controlled by their organization role, with the member role having limited access. Some workspace-specific features, such as viewing workspace members lists, are affected by workspace roles.

Permissions overview

The following tables provide an overview of organization and workspace roles and their permissions related to common tasks. While each row is listed as a separate permission, specific permissions can’t be individually granted or restricted. If a member is assigned a given organization or workspace role, they receive all associated permissions. The tasks and permissions listed aren’t comprehensive and instead highlight commonly used or notable functionality.

There’s no difference in permissions when using the user interface compared to the API and SDK. If a member’s role confers a permission in the interface, they can perform the analogous task using the API or SDK, and a task the role doesn’t permit in the interface is equally unavailable through the API. All organization members can create OAuth tokens for use with the AI Hub API; a token acts with the permissions of the member who created it, so the role tables below apply to automated callers as well.

Organization administration

Organization administration tasks include managing organization members and all organization settings. These tasks are governed by organization roles.

Permission | Member | Admin
--- | --- | ---
Add, manage, and remove organization members, including assigning organization roles. | - | Yes
View organization members list. | Yes | Yes
Access all organization workspaces, including personal workspaces. | - | Yes
Create, manage, and delete shared workspaces, including assigning the first workspace manager. | - | Yes
Create, manage, and delete groups. | - | Yes
Create, manage, and delete service accounts. | - | Yes
Create, manage, and delete secrets. | - | Yes
Enable and disable preview features. | - | Yes
View consumption unit usage details. | - | Yes
View and manage the organization’s subscription and billing, including viewing invoices. | - | Yes
Connect, update, and remove organization-level data connections. | - | Yes
Assign the organization default drive. | - | Yes

Workspace administration

Workspace administration tasks include managing workspace members and workspace settings. These tasks are governed by workspace roles, with each workspace role applying only to the assigned workspace.

Permission | Reviewer | Review manager | Tester | Developer | Workspace manager | Admin
--- | --- | --- | --- | --- | --- | ---
Add, manage, and remove workspace members, including assigning workspace roles. | - | - | - | - | Yes | Yes
View members lists in assigned workspaces. | - | Yes | Yes | Yes | Yes | Yes
Connect, update, and remove workspace-level data connections. | - | - | - | - | Yes | Yes
View workspace-level data connections (the workspace Data tab). | - | - | - | Yes | Yes | Yes
Assign workspace default drives. | - | - | - | - | - | Yes

Automation projects and apps

Automation project and app permissions are generally governed by the workspace role in the workspace where the task is initiated. Tasks initiated outside of a workspace, such as running an app in the Hub, are also affected by a member’s highest assigned workspace role across all shared workspaces.

Permission | Reviewer | Review manager | Tester | Developer | Workspace manager | Admin
--- | --- | --- | --- | --- | --- | ---
Create, edit, copy, move, and delete projects. | - | - | - | Yes | Yes | Yes
View projects and their configuration. | - | - | Yes | Yes | Yes | Yes
Create apps from projects in the workspace. | - | - | - | Yes | Yes | Yes
Edit and delete other members’ shared apps. | - | - | - | - | - | Yes
Create and delete ground truth datasets for accuracy testing. | - | - | Yes | Yes | Yes | Yes
Edit ground truth datasets. | Yes | Yes | Yes | Yes | Yes | Yes
Create and run accuracy tests, view accuracy metrics. | - | - | Yes | Yes | Yes | Yes
Run apps and view runs and run logs. | - | - | - | Yes | Yes | Yes
Delete app runs. | - | - | - | Yes | Yes | Yes

Deployments

For deployment-related permissions, members’ permissions are restricted to the workspaces they’re assigned to. For example, members can’t view deployments created in workspaces they can’t access.

Permission | Reviewer | Review manager | Tester | Developer | Workspace manager | Admin
--- | --- | --- | --- | --- | --- | ---
View deployments and their configuration. | - | - | Yes | Yes | Yes | Yes
Create and edit deployments. | - | - | - | Yes | Yes | Yes
Delete deployments. | - | - | - | - | Yes | Yes
Run deployments and view runs and run logs. | - | - | Yes | Yes | Yes | Yes
Delete deployment runs. | - | - | - | Yes | Yes | Yes
View deployment metrics. | - | - | Yes | Yes | Yes | Yes

Human review

For human review-related permissions, members’ permissions are restricted to the workspaces they’re assigned to. For example, a workspace manager can’t edit the service-level agreement for a deployment created in a workspace they can’t access.

Permission | Reviewer | Review manager | Tester | Developer | Workspace manager | Admin
--- | --- | --- | --- | --- | --- | ---
Review assigned documents. | Yes | Yes | Yes | Yes | Yes | Yes
View all document runs in the workspace in review. | - | Yes | Yes | Yes | Yes | Yes
Assign reviews and set SLAs. | - | Yes | Yes | Yes | Yes | Yes
View review metrics. | - | Yes | Yes | Yes | Yes | Yes
Edit review settings in deployments. | - | - | - | Yes | Yes | Yes

Conversations and chatbots

Conversations and chatbots are created in personal workspaces, where workspace roles don’t exist, though each member effectively has developer permissions. Personal workspaces can be accessed only by the individual member and admins. There are no role-based limits to accessing and using published chatbots in the Hub.

Permission | Member | Admin
--- | --- | ---
Create, edit, and delete conversations in their own personal workspace. | Yes | Yes
View, edit, and delete conversations in other members’ personal workspaces. | - | Yes
Create chatbots from conversations in their own personal workspace. | Yes | Yes
Create chatbots from conversations in other members’ personal workspaces. | - | Yes
View analytics and feedback for their created chatbot. | - | Yes

In their personal workspace, members can’t connect workspace-level data sources for use in conversations and chatbots. Members can request admin support if needed.

Assigning roles

Proper role management ensures members have the appropriate level of access to perform their job functions while maintaining security and compliance standards.

Role assignment best practices

When assigning roles, consider the following best practices.

  • Follow the principle of least privilege. Assign the minimum role required for members to perform their job functions effectively. Avoid assigning higher roles “just in case”.

  • Minimize the number of admins. Reserve the admin role for platform administrators only. The workspace manager role meets most administrative needs.

  • Control edit access in production workspaces. Carefully manage access to production workflows in general, and avoid assigning the developer role or higher unless specifically needed to troubleshoot production issues.

  • Use groups to manage team-based role assignments.

    Be wary of adding a member to a workspace both individually and through a group. A member added twice can hold conflicting roles, and the highest role applies, so a group assignment can silently raise a member’s effective permissions above what was granted directly.

  • Regularly review and audit role assignments for members, groups, and service accounts.
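
The scoping rules from the Role scoping section and the direct-versus-group conflict caveat above are easier to check as code. The following is an added Python model written for this page; it is not AI Hub’s own implementation or API, and the organization, member, group and workspace names are constructed sample data. It encodes the rules as the page states them: workspace roles are cumulative, the organization admin outranks every workspace role in every workspace, a personal workspace acts as developer without counting toward the highest assigned role, the highest role wins when a member is assigned both directly and through a group, the Hub shows options based on the highest role across shared workspaces while execution is checked per workspace, and a cross-workspace move needs access to the target. The task-to-role mapping is a subset of the permission tables.

```python
"""Toy model of the AI Hub role rules described on this page.

Added illustration only, not AI Hub's own code or API. The organization
below is constructed sample data; member, group and workspace names are
hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Workspace roles in ascending order. Each role includes the permissions of the
# roles below it, so "at least role X" is a rank comparison. The org admin is the
# top rank because admins hold the admin role in every workspace.
WORKSPACE_ROLES = ["reviewer", "review manager", "tester", "developer", "workspace manager"]
RANK = {role: i for i, role in enumerate(WORKSPACE_ROLES)}
RANK["admin"] = len(WORKSPACE_ROLES)

# Minimum workspace role for a few tasks, taken from the permission tables.
REQUIRED = {
    "view projects": "tester",
    "run app": "developer",
    "move project": "developer",
    "assign reviews": "review manager",
    "manage workspace members": "workspace manager",
}


@dataclass
class Org:
    admins: set[str]
    groups: dict[str, set[str]] = field(default_factory=dict)          # group -> members
    direct: dict[str, dict[str, str]] = field(default_factory=dict)    # workspace -> member -> role
    by_group: dict[str, dict[str, str]] = field(default_factory=dict)  # workspace -> group -> role

    def shared_workspaces(self) -> set[str]:
        return set(self.direct) | set(self.by_group)

    def effective_role(self, member: str, workspace: str) -> str | None:
        """Role that applies to `member` in `workspace`, or None if no access."""
        if member in self.admins:
            return "admin"  # admins are members of every workspace, personal ones included
        if workspace == f"personal:{member}":
            return "developer"  # effective in one's own personal workspace, never assigned
        candidates = []
        if (role := self.direct.get(workspace, {}).get(member)):
            candidates.append(role)
        for group, role in self.by_group.get(workspace, {}).items():
            if member in self.groups.get(group, set()):
                candidates.append(role)
        # Direct and group assignments can conflict; the highest role wins.
        return max(candidates, key=RANK.__getitem__) if candidates else None

    def highest_shared_role(self, member: str) -> str | None:
        """Highest assigned role across shared workspaces (personal workspace excluded)."""
        roles = [r for ws in self.shared_workspaces() if (r := self.effective_role(member, ws))]
        return max(roles, key=RANK.__getitem__) if roles else None

    def can(self, member: str, task: str, workspace: str) -> bool:
        """Whether `member` may actually perform `task` inside `workspace`."""
        role = self.effective_role(member, workspace)
        return role is not None and RANK[role] >= RANK[REQUIRED[task]]

    def hub_shows(self, member: str, task: str) -> bool:
        """Whether the Hub offers `task` at all: decided by the highest shared role."""
        role = self.highest_shared_role(member)
        return role is not None and RANK[role] >= RANK[REQUIRED[task]]

    def can_move_project(self, member: str, src: str, dst: str) -> bool:
        """Cross-workspace task: developer in the source and some access to the target."""
        return self.can(member, "move project", src) and self.effective_role(member, dst) is not None

    def audit(self) -> list[str]:
        """Access-review findings: admin count, and members assigned both directly and via a group."""
        findings = [f"{len(self.admins)} organization admin(s): {sorted(self.admins)}"]
        for ws in sorted(self.shared_workspaces()):
            for member, direct_role in self.direct.get(ws, {}).items():
                for group, group_role in self.by_group.get(ws, {}).items():
                    if member in self.groups.get(group, set()) and group_role != direct_role:
                        winner = max(direct_role, group_role, key=RANK.__getitem__)
                        findings.append(
                            f"{ws}: {member} is {direct_role} directly and {group_role} via "
                            f"group {group!r}; effective role is {winner}")
        return findings


# Constructed sample organization (hypothetical names).
ORG = Org(
    admins={"ava"},
    groups={"ops": {"ben", "cai"}},
    direct={"prod": {"ben": "reviewer", "dee": "developer", "eli": "reviewer"},
            "staging": {"cai": "workspace manager"}},
    by_group={"prod": {"ops": "developer"}},
)

if __name__ == "__main__":
    print(ORG.effective_role("ben", "prod"))               # developer: group role outranks direct reviewer
    print(ORG.hub_shows("eli", "run app"))                 # False: reviewer everywhere, no Run app option
    print(ORG.can("eli", "run app", "personal:eli"))       # True: personal workspace acts as developer
    print(ORG.can_move_project("dee", "prod", "staging"))  # False: no access to staging
    for line in ORG.audit():
        print(line)
```

Running the audit over a real export of members, groups and workspace assignments is the practical version of the “regularly review and audit role assignments” advice: the conflicting-assignment finding is exactly the case where a group grants more than the direct assignment an owner thought they had set.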

Assigning organization roles

Admins can assign organization roles, including assigning other organization admins.

  1. In the header, click the initials icon and select Settings.

  2. Click Members to open the organization members list.

  3. In the member’s row, click the Edit icon.

  4. Select a new role from the Role field.

  5. Click Save.

To update roles for multiple members, select a list of members, then click Actions > Update roles.

Enterprise: Organizations with a single-tenant environment using SAML-based single sign-on can define organization admins through their identity provider by passing the is_admin attribute. Assigning the admin role manually isn’t blocked when admins are managed this way, but the is_admin attribute takes precedence: the member’s admin status is reset at next login to whatever the attribute specifies, so a manual grant or revocation lasts only until the member next signs in.

Assigning workspace roles

Users with workspace manager permissions or higher can assign workspace roles, including assigning other workspace managers. Workspace roles can be assigned to individual workspace members or to groups that have been added to the workspace. Roles assigned to a group apply to all group members.

  1. In the header, click the initials icon and select Settings.

  2. Click Workspaces, then select the workspace.

  3. In the member or group’s row, click the Edit icon.

  4. Click the role dropdown, then select a role.

  5. Click Save.

To update roles for multiple members, select a list of members, then click Actions > Update roles.

Alternatively, assign workspace roles from the Workspaces page.

  1. In Workspaces, select the workspace.

  2. Click Members, then locate the member or group in the members list.

  3. Click the role dropdown, then select a role.