Control what users can do across Agent Platform by assigning roles that define module-level permissions and access levels.
Role Management (in Settings > Users Management > Role Management) implements role-based access control (RBAC) for accounts, tools, and agentic apps. Every user must have a role. When you invite a user, assign a role that matches their responsibilities. You can reassign roles at any time.
Key points:
- Account creator → automatically assigned Master Admin (highest account-level access).
- Tool creator → automatically assigned Tool Admin.
- App creator → automatically assigned App Owner.
- New users get the Member role by default.
Key Concepts
Roles
A role groups users by job function to streamline permission management. Agent Platform supports two role categories:
| Category | Description |
|---|
| System roles | Built-in, preset permissions. Cannot be modified or deleted. |
| Custom roles | Admin-defined roles with configurable permissions. Applies to Account and Tool types only. |
Role Types
Role type defines the scope of a role—what modules and actions it governs.
| Role Type | Assigned When | Governs |
|---|
| Account | User joins the account | Users, integrations, security settings |
| Tool | User is invited to a tool | Tool configurations and deployments |
| App | User is invited to an agentic app | App features, configurations, and deployments |
Access Levels
| Level | What the user can do |
|---|
| Full | View, add, edit, and delete |
| Custom | View, add, and edit (no delete) |
| View | View only |
| No Access | Cannot access the module |
System Roles
System roles have preset permissions and cannot be modified or deleted. To customize a system role’s permissions, duplicate it as a custom role.
Account Roles
| Role | Description |
|---|
| Master Admin | Full control over all Platform features: models, tools, integrations, users, and billing. Assigned to the account creator. |
| Admin | Full access except model deletion, billing, and connectors. |
| Member | Can create tools, add external models, and modify specific integrations. Default role for new users. |
| Viewer | View-only access across all modules. |
| Role | Description |
|---|
| Tool Admin | Full control over tool management, versioning, sharing, deployment, deletion, configuration, monitoring, and API key creation. Assigned to the tool creator. |
| Tool Manager | All tool permissions except deletion. |
| Tool Editor | Can create versions, deploy, monitor, and export tools. |
| Tool Viewer | View-only access to node details; can generate output. |
App Roles
| Role | Description |
|---|
| App Owner | Full administrative access across all Platform features. Cannot be removed from the system. Assigned to the app creator. |
| App Admin | Full access to most Platform features. Can manage all roles except the App Owner’s permissions. |
| App Developer | Full access to core development features (configurations, tools, guardrails, data). Limited admin access. |
| App Tester | View-only access to most features for observing and testing agents and analytics. Cannot modify production features. |
| App Viewer | Basic view-only access to configurations, tools, guardrails, and simulation. |
Custom Roles
Custom roles apply to Account and Tool role types only. Use them to grant only the permissions a specific user needs.
Example: A “Banking Tool Conversation Moderator” role with full access to guardrail configuration but no access to create or deploy tools.
Rules:
- Custom roles appear in the invitation dropdown and can be assigned to invited users.
- You cannot delete a custom role that is assigned to active users or included in a pending invitation. Reassign or remove those users first.
Module-wise Permissions
The tables below show default permissions for each role. Yes = access granted; No = no access.
Admin Role Permissions
| Module | Permission | Master Admin | Admin | Member | Viewer |
|---|
| Tools | Create a Tool | Yes | Yes | Yes | No |
| Tool Import | Yes | Yes | Yes | No |
| Models | Access | Full | Custom | Custom | View |
| Add an external model | Yes | Yes | Yes | No |
| Create a custom model / fine-tune | Yes | Yes | No | No |
| Add open-source model | Yes | Yes | No | No |
| Manage Deployment (deploy/undeploy/redeploy) | Yes | Yes | No | No |
| Create or Delete an API Key | Yes | Yes | No | No |
| Export Model | Yes | Yes | No | No |
| Delete Model | Yes | No | No | No |
| Model Configuration | Yes | Yes | No | No |
| Prompts | Access to a Prompt | Yes | Yes | Yes | Yes |
| Create an Experiment | Yes | Yes | Yes | No |
| Access to Settings | Full | Custom | Custom | No Access |
| Access to guardrails (account level) | Yes | Yes | Yes | Yes |
| Access to Integrations | Full | Full | Custom | View |
| Integrations | Access | Full | Full | Custom | View |
| Create an Integration | Yes | Yes | Yes | No |
| Update an Integration | Yes | Yes | Yes | No |
| Test an Integration | Yes | Yes | Yes | No |
| Disable an Integration | Yes | Yes | Yes | No |
| Delete an Integration | Yes | Yes | Yes | No |
| Users Management | Access | Full | Full | No Access | No Access |
| Invite User (email or import) | Yes | Yes | No | No |
| Bulk Import Users | Yes | Yes | No | No |
| Assign/Revoke system roles; manage profile and status | Yes | Yes | No | No |
| Groups | Yes | Yes | No | No |
| Enrolment | Yes | Yes | No | No |
| Directory Sync | Yes | Yes | No | No |
| Manage Tool Roles (create/edit custom, assign/revoke) | Yes | Yes | No | No |
| Manage Admin Roles (create/edit custom, assign/revoke) | Yes | Yes | No | No |
| Remove Users | Yes | Yes | No | No |
| Manage User Settings (profile fields) | Yes | Yes | No | No |
| Security and Control | Access | Yes | Yes | No | No |
| Create API App | Yes | Yes | No | No |
| Update API App | Yes | Yes | No | No |
| Delete API App | Yes | No | No | No |
| Create or Delete an API Key | Yes | Yes | No | No |
| Monitoring | All actions | Yes | Yes | No | No |
| Billing | Plans, invoices, subscriptions, token usage | Yes | No | No | No |
| Tool Management | All actions | Yes | Yes | No | No |
| Evaluations | Access | Full | Custom | Custom | View |
| Create projects | Yes | Yes | Yes | No |
| Create Global Evaluators | Yes | Yes | Yes | No |
| Edit Global Evaluators | Yes | Yes | No | No |
| Delete Global Evaluators | Yes | No | No | No |
| Custom Scripts | Access | Full | Custom | Custom | View |
| Import New Custom Script | Yes | Yes | Yes | No |
| Deploy/Re-deploy Custom Script | Yes | Yes | Yes | No |
| Undeploy Custom Script | Yes | Yes | No | No |
| Delete Custom Script | Yes | No | No | No |
| Export Project | Yes | Yes | No | No |
| Overview and Other Details | Yes | Yes | Yes | Yes |
| Create/Delete an API Key | Yes | Yes | No | No |
| Module | Permission | Tool Admin | Tool Manager | Tool Editor | Tool Viewer |
|---|
| Tools | Access | Full | Custom | Custom | View |
| Create a Tool Version | Yes | Yes | Yes | No |
| Import as a Version | Yes | Yes | No | No |
| Share/Unshare Tools; Assign/Remove Tool Roles | Yes | Yes | No | No |
| Editing Tool Workflow | Yes | Yes | Yes | No |
| Tool Configurations | Yes | Yes | Yes | No |
| Export Tool | Yes | Yes | Yes | No |
| Monitoring Trace | Yes | Yes | Yes | Yes |
| Log list | Yes | Yes | Yes | No |
| Detailed logs | Yes | Yes | Yes | No |
| Create/Delete an API Key | Yes | Yes | No | No |
| Delete Tool | Yes | No | No | No |
| Deployment | Manage Deployment (deploy/undeploy/redeploy) | Yes | Yes | Yes | No |
| Guardrails | Manage Guardrails Configuration | Yes | Yes | Yes | No |
| Monitoring | Audit Log | Yes | Yes | No | No |
App Role Permissions
Access level summary:
| Feature | App Owner | App Admin | App Developer | App Tester | App Viewer |
|---|
| App Configuration | Full | Full | Full | View | View |
| Agents | Full | Full | Full | View | View |
| Code Tools | Full | Full | Full | View | View |
| Simulate | Full | View | View | View | View |
| Analytics | Full | Full | Full | View | No Access |
| Environments | Full | Full | View | View | No Access |
| API Keys | Full | Full | View | View | No Access |
| Audit Logs | Full | View | View | View | No Access |
| Guardrails | Full | Full | Full | View | View |
| Sharing & Permissions | Full | Full | Full | View | No Access |
| Versions | Full | Full | Full | View | No Access |
| Tools Library | Full | Full | Full | View | View |
| Export Tool | Full | Full | Full | View | No Access |
| Module | Permission | App Owner | App Admin | App Developer | App Tester | App Viewer |
|---|
| App Configurations | View profile, config, versions | Yes | Yes | Yes | Yes | Yes |
| Edit profile, config; Import/Delete app version | Yes | Yes | Yes | No | No |
| Agents | View Agent | Yes | Yes | Yes | Yes | Yes |
| Add/Edit Agent; Link/Unlink Tools; Restore/Create version | Yes | Yes | Yes | No | No |
| Tools | View Tool | Yes | Yes | Yes | Yes | Yes |
| Add/Edit Tool; Create/Edit/Delete Inline Tool | Yes | Yes | Yes | No | No |
| Simulate | Test | Yes | Yes | Yes | Yes | Yes |
| Analytics | View Sessions, Traces, Generations | Yes | Yes | Yes | Yes | No |
| Environments | View Environment | Yes | Yes | Yes | Yes | No |
| Create/Delete Environment; Deploy Version | Yes | Yes | No | No | No |
| API Keys | View List | Yes | Yes | Yes | Yes | No |
| Add Key | Yes | Yes | No | No | No |
| Audit Logs | View Logs | Yes | Yes | Yes | Yes | No |
| Guardrails | View Guardrails | Yes | Yes | Yes | Yes | Yes |
| Add/Edit Guardrails | Yes | Yes | Yes | No | No |
| Sharing & Permissions | View Users | Yes | Yes | Yes | Yes | No |
| Add Users; Update Role | Yes | Yes | Yes | No | No |
Evaluation Role Permissions
| Permission | Full | Edit | View |
|---|
| Edit a project | Yes | Yes | No |
| Share a project | Yes | Yes | No |
| User management (invite/delete project users) | Yes | No | No |
| Delete a project | Yes | No | No |
| Create/delete custom evaluators | Yes | Yes | No |
| Create/rename evaluations | Yes | Yes | No |
| Delete evaluations | Yes | No | No |
| Run an evaluation | Yes | Yes | No |
| Add, edit, delete evaluator columns and run evaluation | Yes | Yes | No |
| Create a custom evaluator | Yes | Yes | No |
| Save as a global evaluator | Yes | Yes | No |
| Export evaluation | Yes | Yes | No |
| Automate evaluation | Yes | Yes | No |
| Import rows | Yes | Yes | No |
| Add production data (model traces) | Yes | Yes | No |
| Run a prompt | Yes | Yes | No |
| Table options (user-specific) | Yes | Yes | Yes |
Role Management Dashboard
The Role Management dashboard lists all system and custom roles with their type, description, creator, and last-updated date.
To access:
- Go to Settings > Users Management > Role Management.
The dashboard shows:
- Summary counts: Total Roles, System Roles, Custom Roles.
- Role table: Role name, Role Type, Description, Created by, Last Updated On.
The Last Updated On column is blank for system roles because they cannot be modified.
Search for a Role
- Go to the Role Management dashboard.
- Click the Search field.
- Type the role name. Matching results appear instantly.
Manage System Roles
System roles cannot be created, modified, or deleted. Duplicate a system role to create a modifiable custom version.
View a System Role
- On the Role Management dashboard, click the … (ellipsis) menu for a system role.
- Select View.
The details panel shows the role’s name, type, description, and module-wise permission settings (read-only).
Duplicate a System Role
Duplicating copies the role’s name, type, and all permission settings into a new custom role that you can modify.
Changes to the duplicate do not affect the original system role.
- On the Role Management dashboard, click the … menu for a system role.
- Select Duplicate.
The duplicate appears with the original name followed by _copy. Rename it as needed.
Manage Custom Roles
Add a Custom Role
- Go to Settings > Users Management > Role Management.
- Click Add New Role.
- Enter a unique Role Name and Role Description.
- Select a Role Type: Account or Tool.
For Account roles, set the access level for each module and configure sub-permissions:
| Access Selection | Effect |
|---|
| Full | Automatically enables all module permissions |
| Custom | Lets you select individual permissions |
| View | Enables view-only; disables permission editing |
| No Access | Disables all permissions |
- Set the Models access level before enabling its sub-permissions. Skipping this disables them automatically.
- Setting Settings to Full → sets Integrations and User Management to Full and enables all sub-permissions.
- Setting Settings to No Access → sets Integrations to View, User Management to No Access.
- Setting Settings to Custom → sets Integrations and User Management to Custom, where you select individual permissions.
- Click Create.
The new custom role appears on the Role Management dashboard.
Edit a Custom Role
- The Role Type cannot be changed after creation. Create a new custom role if you need a different type.
- Updating a custom role immediately changes permissions for all users currently assigned to it.
- On the Role Management dashboard, click the … menu for the custom role.
- Select Edit.
- Update Role Name, Role Description, or Access level.
- Click Update.
Delete a Custom Role
You can only delete custom roles not assigned to any active users. Bulk deletion is not supported.
Prerequisite: Ensure no users are assigned to the role. If they are, do one of the following first:
- Reassign a different role: Go to Settings > Users Management > Users, click the user’s Account Role field, and select a new role.
- Delete the assigned users: Go to Users Management and delete the users individually or in bulk.
To delete:
- On the Role Management dashboard, click the … menu for the custom role.
- Select Delete.
- Click Confirm.
Duplicate a Custom Role
Duplicating a custom role works the same as duplicating a system role—it copies the name, type, and all permission settings. See Duplicate a System Role. 