Organization and workspace roles

Commercial & Enterprise

AI Hub uses roles to manage members’ permissions across the organization and in shared workspaces.

About organization and workspace roles

Roles and their associated permissions can be assigned at the organization level and at the workspace level. Organization roles affect access and permissions for tasks performed at the organization level, such as managing organization settings. The following organization roles can be assigned:

  • Member — This role is the default for all organization members. Members have limited administrative permissions and access at the organization level.

  • Admin — Admins have wide-ranging permissions and access, including access to all organization workspaces—both personal and shared—and the ability to perform all administrative tasks. Admins are also included in all workspace members lists, with the Admin role. Only admins can assign other members as admins. The first organization admin is either designated when an organization is created, or is the member who created the organization.

    Minimize the number of admins in an organization. Instead, use workspace roles to grant workspace permissions as needed, and limit such extensive, organization-wide access to only those who need it.

Workspace roles are granted within the context of workspaces and assigned on a workspace-by-workspace basis, meaning someone can have a different workspace role across multiple workspaces. Workspace roles can be assigned to members or to groups, which are subsets of organization members. The following workspace roles can be assigned:

  • Developer — This role is the default for all workspace members. The Developer role has the fewest administrative permissions at the workspace level.

  • Workspace manager — Workspace managers have greater administrative permissions, though these permissions are limited to the workspace they’re assigned to manage.

Within groups, group roles can be assigned. However, a group role offers no additional permissions outside of the group context. Any permissions a group member has within a workspace are conferred by assigning the group a workspace role.

Permissions overview

The following tables provide an overview of organization and workspace roles and their permissions related to common tasks. (Group roles aren’t included because they confer no permissions outside of the group context.) While each row is listed as a separate permission, specific permissions can’t be individually granted or restricted. If a member is assigned a given organization or workspace role, they’re granted all associated permissions. The tasks and permissions listed aren’t comprehensive and instead highlight commonly used or notable functionality.

There’s no difference in permissions when using the user interface compared to the API and SDK. If a member’s role confers a permission in the interface, they can perform the analogous task using the API or SDK. All organization members can create OAuth tokens for use with the AI Hub API.

Organization administration

Organization administration tasks include managing organization members and all organization settings. These tasks are governed by organization roles.

| Permission | Admin | Member |
| --- | --- | --- |
| Access all organization workspaces, including personal workspaces. | ✓ | - |
| Create, manage, and delete shared workspaces, including assigning the first workspace manager. | ✓ | - |
| Add, manage, and remove organization members, including assigning organization roles. | ✓ | - |
| Create, manage, and delete groups. | ✓ | - |
| Create, manage, and delete service accounts. | ✓ | - |
| Create, manage, and delete secrets. | ✓ | - |
| Enable and disable preview features. | ✓ | - |
| View usage details. | ✓ | - |
| View and manage the organization’s subscription and billing, including viewing invoices. | ✓ | - |
| Connect, update, and remove organization-level data connections. | ✓ | - |
| Assign the organization default drive. | ✓ | - |

Workspace administration

Workspace administration tasks include managing workspace members and all workspace settings. These tasks are governed by workspace roles, with each workspace role applying only to the assigned workspace.

| Permission | Admin | Workspace manager | Developer |
| --- | --- | --- | --- |
| Add, manage, and remove workspace members, including assigning workspace roles. | All workspaces | Managed workspaces only | - |
| View members lists in assigned workspaces. | All workspaces | ✓ | ✓ |
| Connect, update, and remove workspace-level data connections. | ✓ | ✓ | ✓ |
| Assign workspace default drives. | ✓ | - | - |

Automation projects and apps

For automation project-related permissions, members’ permissions are restricted to the workspaces they’re assigned to. For example, members can’t create projects in or move projects to workspaces they can’t access. In general, app-related permissions aren’t bound by workspace access because, after an app is published and shared with the organization, any member can access and run it.

| Permission | Admin | Workspace manager | Developer |
| --- | --- | --- | --- |
| Create, edit, copy, move, and delete projects. | ✓ | ✓ | ✓ |
| View projects and their configuration. | ✓ | ✓ | ✓ |
| Create apps from projects in the workspace. | ✓ | ✓ | ✓ |
| Edit and delete other members’ shared apps. | ✓ | - | - |
| Create, edit, and delete ground truth datasets for accuracy testing. | ✓ | ✓ | ✓ |
| Create and run accuracy tests, and view accuracy metrics. | ✓ | ✓ | ✓ |
| Run apps and view runs and run logs. | ✓ | ✓ | ✓ |
| Delete app runs. | ✓ | ✓ | ✓ |

Deployments

For deployment-related permissions, members’ permissions are restricted to the workspaces they’re assigned to. For example, members can’t view deployments created in workspaces they can’t access.

| Permission | Admin | Workspace manager | Developer |
| --- | --- | --- | --- |
| Create, edit, and delete deployments. | ✓ | ✓ | - |
| View deployments and their configuration. | ✓ | ✓ | ✓ |
| Run deployments and view runs and run logs. | ✓ | ✓ | ✓ |
| Delete deployment runs. | ✓ | ✓ | ✓ |
| View deployment metrics. | ✓ | ✓ | ✓ |
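
For an access review, the role rules above can be turned into a list of every path that gives a member access to a workspace. The following is an added example, not AI Hub code or an AI Hub API: the member, group, and workspace data is constructed, the group role names are hypothetical, and because the page does not say how a direct role and a group-conferred role combine, the script assumes a member holds a permission if any path confers it.

```python
# Added example: access review over a constructed export (not an AI Hub API).
# Role rules and the permission row come from this page; all data is made up.

ORG_ROLES = {"alice": "Admin", "bob": "Member", "carol": "Member", "dan": "Member"}
# Group role names ("lead", "member") are hypothetical placeholders.
GROUPS = {"reviewers": {"carol": "lead", "dan": "member"}}
WORKSPACES = {
    "claims": {"members": {"bob": "Developer"},
               "groups": {"reviewers": "Workspace manager"}},
    "intake": {"members": {"bob": "Workspace manager", "dan": "Developer"},
               "groups": {}},
}

# Row "Create, edit, and delete deployments." from the Deployments table.
CAN_MANAGE_DEPLOYMENTS = {"Admin", "Workspace manager"}


def access_paths(workspace):
    """Return {member: [(role, source), ...]} for every way into the workspace."""
    paths = {}
    ws = WORKSPACES[workspace]
    for member, org_role in ORG_ROLES.items():
        if org_role == "Admin":  # admins are in every workspace members list as Admin
            paths.setdefault(member, []).append(("Admin", "organization role"))
    for member, role in ws["members"].items():
        paths.setdefault(member, []).append((role, "direct assignment"))
    for group, role in ws["groups"].items():
        # The member's group role is ignored: it confers nothing outside the group.
        for member in GROUPS[group]:
            paths.setdefault(member, []).append((role, f"group:{group}"))
    return paths


def who_can_manage_deployments(workspace):
    """Members for whom at least one path confers the permission (assumption)."""
    return sorted(m for m, ps in access_paths(workspace).items()
                  if any(role in CAN_MANAGE_DEPLOYMENTS for role, _ in ps))


def org_admins():
    """Organization admins, the population the page says to keep small."""
    return sorted(m for m, r in ORG_ROLES.items() if r == "Admin")


if __name__ == "__main__":
    print("org admins:", org_admins())
    for ws in WORKSPACES:
        print(ws, "->", who_can_manage_deployments(ws))
        for member, ps in sorted(access_paths(ws).items()):
            print("   ", member, ps)
```
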

Human review

For human review-related permissions, members’ permissions are restricted to the workspaces they’re assigned to. For example, a workspace manager can’t edit the service-level agreement for a deployment created in a workspace they can’t access.

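| Permission | Admin | Workspace manager | Developer |
| --- | --- | --- | --- |
| View all review tasks. | ✓ | ✓ | ✓ |
| Assign reviews. | ✓ | ✓ | - |
| Complete any reviews. | ✓ | ✓ | - |
| Complete only unassigned or their assigned reviews. | - | - | ✓ |
| View review metrics. | ✓ | ✓ | ✓ |
| Edit review settings in deployments. | ✓ | ✓ | - |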

Conversations and chatbots

Because conversations can be created only in personal workspaces, most conversation-related functionality isn’t available to other organization members. Admins, however, can access all personal workspaces and view conversations and other assets within. For chatbot-related permissions, most features and functionality beyond using the chatbot are limited to the chatbot creator. For example, regardless of role, organization members can’t view analytics or feedback for chatbots created by another member.

| Permission | Admin | Workspace manager | Developer |
| --- | --- | --- | --- |
| Create, edit, and delete conversations in their own personal workspace. | ✓ | ✓ | ✓ |
| View, edit, and delete conversations in other members’ personal workspaces. | ✓ | - | - |
| Create chatbots from conversations in their own personal workspace. | ✓ | ✓ | ✓ |
| Create chatbots from conversations in other members’ personal workspaces. | ✓ | - | - |

Assigning organization roles

Admins can assign organization roles, including assigning other organization admins.

  1. In the header, click the initials icon and select Settings.

  2. Click Members to open the organization members list.

  3. In the member’s row, click the Edit icon.

  4. Select a new role from the Role field.

  5. Click Save.

To update roles for multiple members, select a list of members, then click Actions > Update roles.

Enterprise

Enterprise organizations with a single-tenant environment using SAML-based single sign-on can define organization admins through their identity provider by passing the is_admin attribute. If assigning admins this way, you can still manually assign the Admin role. However, the is_admin attribute takes precedence and the member’s admin status resets at next login based on how the attribute is defined.
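
The precedence rule matters most for revocation: removing the Admin role in Settings does not hold if the identity provider still passes is_admin for that member. The following is an added example, not AI Hub code or an AI Hub log format; it replays a constructed event list to show which manual changes are undone at the next login, and it assumes that a login where the attribute is not passed leaves the role unchanged, which the page does not state.

```python
# Added example: replay of constructed events, not an AI Hub log format.
# Each event is (order, member, kind, value):
#   "manual" -> value is the role an admin set in Settings > Members
#   "login"  -> value is the is_admin attribute from the IdP (True/False),
#               or None when it was not passed (assumed: role unchanged).
EVENTS = [
    (1, "erin", "login", True),
    (2, "erin", "manual", "Member"),   # admin rights removed in the UI only
    (3, "frank", "manual", "Admin"),   # promoted in the UI only
    (4, "erin", "login", True),        # IdP still passes is_admin: Admin again
    (5, "frank", "login", False),      # IdP says not admin: promotion reverted
    (6, "gina", "manual", "Admin"),
    (7, "gina", "login", None),        # attribute not passed
]


def replay(events):
    """Return (final_roles, overrides).

    overrides lists (member, manual_role, role_after_login, login_order) for
    each manual change that the is_admin attribute undid at the next login.
    """
    roles, pending, overrides = {}, {}, []
    for order, member, kind, value in sorted(events, key=lambda e: e[0]):
        if kind == "manual":
            roles[member] = value
            pending[member] = value          # not yet confirmed by a login
        elif kind == "login" and value is not None:
            new_role = "Admin" if value else "Member"
            if member in pending and pending[member] != new_role:
                overrides.append((member, pending[member], new_role, order))
            pending.pop(member, None)
            roles[member] = new_role         # the attribute takes precedence
    return roles, overrides


if __name__ == "__main__":
    final_roles, undone = replay(EVENTS)
    print(final_roles)
    for member, manual, after, order in undone:
        print(f"{member}: manual {manual} replaced by {after} at login #{order}")
```

A member listed in the overrides with Admin as the role after login is a revocation that has to be made at the identity provider to take effect.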

Assigning workspace roles

Admins and workspace managers can assign workspace roles, including assigning other workspace managers. Workspace roles can be assigned to individual workspace members or to groups that have been assigned to the workspace. Roles assigned to a group apply to all group members.

  1. In the header, click the initials icon and select Settings.

  2. Click Workspaces, then select the workspace.

  3. In the member or group’s row, click the Edit icon.

  4. Click the role dropdown, then select a role.

  5. Click Save.

To update roles for multiple members, select a list of members, then click Actions > Update roles.

Or, assign workspace roles in Workspaces.

  1. In Workspaces, select the workspace.

  2. Click Members, then locate the member or group in the members list.

  3. Click the role dropdown, then select a role.