Organization and workspace roles
AI Hub uses roles to manage members’ permissions across the organization and in shared workspaces.
About roles
Roles can be assigned at the organization level and at the workspace level. Organization roles are assigned to members, whereas workspace roles can be assigned to individual members or groups, which are subsets of organization members.
Organization roles
Organization roles affect access and permissions for tasks performed at the organization level, such as managing organization settings. The following organization roles can be assigned:
-
Member — This role is the default for all organization members. Members have limited administrative permissions and access at the organization level.
-
Admin — Admins have wide-ranging permissions and access, including access to all organization workspaces—both personal and shared—and the ability to perform all administrative tasks. Only admins can assign the admin role. The first organization admin is either designated when an organization is created, or is the member who created the organization.
Minimize the number of admins in an organization. Instead, use workspace roles to grant workspace permissions as needed, and limit such extensive, organization-wide access to only those who need it.
Workspace roles
Workspace roles are granted within shared workspaces and assigned on a workspace-by-workspace basis, meaning someone can have different roles across multiple workspaces. Workspace roles can be assigned to members or to groups, which are subsets of organization members.
Each workspace role includes all permissions from lower-level roles, plus additional capabilities. A role’s permission set and name reflects the job function it supports.
-
Reviewer — Reviews documents or runs that fail validation in assigned workspaces or review queues.
-
Review manager — Oversees reviewers in assigned workspaces or review queues.
-
Tester — Performs accuracy, integration, or user acceptance testing on apps and chatbots.
The tester role can be assigned to support users who need read-only access to investigate issues by viewing runs, logs, and configurations, but don’t need developer permissions. -
Developer — Creates apps to turn unstructured data into insights.
-
Workspace manager — Manages workspace membership and roles. Can also connect workspace-level data sources.
-
Admin — Admins are members of every shared workspace, and retain the admin role in all contexts. Admin is assigned as an organization role.
Role scoping
Roles affect member permissions and feature availability differently depending on the AI Hub context.
Workspaces — Members can only see workspaces they have access to, and their permissions within each workspace depend on their assigned role.
-
Shared workspaces — The workspace role assigned in each specific shared workspace applies. For example, being a workspace manager in one workspace doesn’t grant additional permissions in another.
-
Personal workspaces — All non-admin members have permissions roughly equivalent to the developer role in their own personal workspace. This effective role isn’t assigned and doesn’t count towards determining a member’s highest assigned workspace role.
-
Cross-workspace tasks — Members can only perform tasks between workspaces they can access. For example, while the developer role includes permission to move projects, developers can’t move a project to a workspace they can’t access.
Hub — All members can access the Hub. For workspace-dependent tasks, such as running apps, the interface shows options based on a member’s highest assigned workspace role across all shared workspaces. However, actual task execution is still limited to workspaces where the member has appropriate access. For example, members with reviewer as their highest assigned role across workspaces don’t see the Run app option. Whereas members with mixed reviewer and developer roles can initiate app runs, but only execute runs in a workspace where they have developer access.
Settings — The options a member sees on the settings page are primarily controlled by their organization role, with member having limited access. Some workspace-specific features, such as viewing workspace members lists, are affected by workspace roles.
Permissions overview
The following tables provide an overview of organization and workspace roles and their permissions related to common tasks. While each row is listed as a separate permission, specific permissions can’t be individually granted or restricted. If a member is assigned a given organization or workspace role, they receive all associated permissions. The tasks and permissions listed aren’t comprehensive and instead highlight commonly used or notable functionality.
Organization administration
Organization administration tasks include managing organization members and all organization settings. These tasks are governed by organization roles.
Workspace administration
Workspace administration tasks include managing workspace members and workspace settings. These tasks are governed by workspace roles, with each workspace role applying only to the assigned workspace.
Automation projects and apps
Automation project and app permissions are generally governed by the workspace role in the workspace where the task is initiated. Tasks initiated outside of a workspace, such as running an app in the Hub, are also affected by a member’s highest assigned workspace role across all shared workspaces.
Deployments
For deployment-related permissions, members’ permissions are restricted to the workspaces they’re assigned to. For example, members can’t view deployments created in workspaces they can’t access.
Human review
For human review-related permissions, members’ permissions are restricted to the workspaces they’re assigned to. For example, a workspace manager can’t edit the service-level agreement for a deployment created in a workspace they can’t access.
Conversations and chatbots
Conversations and chatbots are created in personal workspaces, where workspace roles don’t exist, though each member effectively has developer permissions. Personal workspaces can be accessed only by the individual member and admins. There are no role-based limits to accessing and using published chatbots in the Hub.
Assigning roles
Proper role management ensures members have the appropriate level of access to perform their job functions while maintaining security and compliance standards.
Role assignment best practices
When assigning roles, consider the following best practices.
-
Follow the principle of least privilege. Assign the minimum role required for members to perform their job functions effectively. Avoid assigning higher roles “just in case”.
-
Minimize the number of admins. Reserve the admin role for platform administrators only. The workspace manager role meets most administrative needs.
-
Control edit access in production workspaces. Carefully manage access to production workflows in general, and avoid assigning the developer role or higher unless specifically needed to troubleshoot production issues.
-
Use groups to manage team-based role assignments.
Be wary of adding members to a workspace individually and as part of a group. If a member is added to a workspace twice, they can have conflicting roles and the highest role applies. -
Regularly review and audit role assignments for members, groups, and service accounts.
Assigning organization roles
Admins can assign organization roles, including assigning other organization admins.
-
In the header, click the initials icon and select Settings.
-
Click Members to open the organization members list.
-
In the member’s row, click the Edit icon.
-
Select a new role from the Role field.
-
Click Save.
is_admin
attribute. If assigning admins this way, assigning the admin role manually isn’t blocked. However, the is_admin
attribute takes precedence and the member’s admin status resets at next login based on how the attribute is defined.Assigning workspace roles
Users with workspace manager permissions or higher can assign workspace roles, including assigning other workspace managers. Workspace roles can be assigned to individual workspace members or to groups that have been added to the workspace. Roles assigned to a group apply to all group members.
-
In the header, click the initials icon and select Settings.
-
Click Workspaces, then select the workspace.
-
In the member or group’s row, click the Edit icon.
-
Click the role dropdown, then select a role.
-
Click Save.
Or, assign workspace roles in Workspaces.
-
In Workspaces, select the workspace.
-
Click Members, then locate the member or group in the members list.
-
Click the role dropdown, then select a role.