Manage Roles, Permissions and Access Levels¶

Agent Platform’s Role Management feature in the Settings console helps implement Role-based Access Control (RBAC) for account, tool, and agentic app features on the platform.

Thus, the roles can be classified based on the role types. Learn more.

When you invite/add a user to your account, you must assign a default role to them to define their module-wise permissions and access levels. You can later reassign a different role to the user, including a default/system-defined or custom role. Learn more about Users Management.

Key Points

App Owner: When you create an Agentic App, you automatically become the app owner and are assigned this role which provides administrative access on all features and configurations across the Platform.
Master Admin Role
- When you create an account, you automatically become the account owner and are assigned the Master Admin role. Learn more.
- As the Master Admin, you have the highest level of access, allowing you to create, modify, and delete permissions for custom roles and manage users in your account.
Assigning Roles
- Once a user joins your account, assign them a role based on their responsibilities and job functions. By default, the Viewer role is assigned to new users joining your account, providing the minimum level of account access required. Learn more. This role can be changed later in the Settings console. Learn more.
Default and Custom Roles
- Each role comes with specific permissions and access levels to determine what features the user can access, modify, or manage. Learn more.
Agent Platform supports the following roles in the Settings console:
- Default Role: A system-generated role with internally defined set of permissions and access levels. Learn more.
- Custom Role: Allows you to customize permissions and access levels for your users. Learn more.
Role Management Benefits
- Enables better control over user actions in your account.
- Facilitates updating roles when job functions or responsibilities change.
- Ensures prompt revocation of access when a user leaves the organization or no longer requires access.

Roles and Modules¶

The modules for which permissions and access levels can be defined for a role include the following:

Agentic Apps
Tools
Models
Prompts
Data
Evaluations/Evaluators
Settings including Integrations, User Management, Security and Control, Monitoring, Guardrails, and Billing.

Tool Level

To learn more about permissions and access levels around features, click here.

Access to module-level permissions can either be disabled (no access) or enabled with Full, Custom, or View privileges. Learn more.

Roles¶

A Role groups users according to their job functions, streamlining permission management.

Example

A Master Admin has complete control over the account's core functionalities such as models, tools, integrations, users, etc.

A Tool Admin has complete control over the core functionalities of tools, such as deployment, configuration, sharing, deletion, monitoring, etc.

An App Admin has full access to almost all the core Platform features relating to Agentic Apps.

Agent Platform supports the following roles:

System-defined Roles¶

Also called Default roles, these are inbuilt in the system at the agentic app, account and tool levels defined in the system. The scopes, permissions, and access levels for these roles are preset based on what users commonly require and cannot be modified in the application. Also, system roles cannot be deleted.

To modify a user's scope and permissions, you must add a custom agentic app/account/tool-type role. Learn more.

System-defined, system-generated, or default roles provide baseline control over the core features and functionalities and streamline the user management process for administrators.

For example, The Admin role typically has full access to all tool/account features and functionalities within the system. Administrators have the highest privileges and can manage other users, configure settings, and perform administrative tasks.

The following table summarizes the scope for different system roles supported for Account, Tool, and Agentic App types:

Account
Role	Description
Master Admin	Users have complete control over tool and model management, and access to all the core features and functionalities of the Settings console.
Admin	Users have access to all the permissions except model deletion, billing, and connectors.
Member	Users can create tools, add external models, and modify only specific integrations.
Viewer	Users can only view the modules across the platform.

Tool
Role	Description
Tool Admin	Users have complete control over tool management, versioning, sharing, deployment, deletion, configuration, monitoring, and API key creation.
Tool Manager	Users have access to all the permissions except for tool deletion.
Tool Editor	Users can create new versions and deploy, monitor, and export tools.
Tool Viewer	Users can only view the node details and generate output in the tool.
App
Role	Description
App Owner	Users have complete administrative access across all Platform features and configurations. This user cannot be removed from the system, and can manage all other roles.
App Admin	Users have full administrative access across most system features of Agentic Apps. This user has privileges similar to the owner. The app admins can modify all the other roles except the permissions of the app owner.
App Developer	Users have full access to core development features of Agentic Apps including configurations, tools, guardrails, and data. There is limited access to the admin features.
App Viewer	Users have basic view-only access to specific and essential features of Agentic Apps including configurations, tools, guardrails, and simulation capabilities.
App Tester	Users have view-only access to most system features of Agentic Apps allowing them to observe and test agents and analytics. The user cannot write or modify the production features.

Custom Roles¶

The admin can assign only Account and Tool role types to custom roles. The scopes, permissions, and access levels can be custom-configured. Custom user roles allow for more fine-grained control over what actions different users can perform for at the account and tool levels.

Organizations can tailor access levels to their specific needs and organizational structure. This customization helps assign only the required permissions to specific users and improve security through role-based access.

For example, a custom role, “Banking Tool Conversation Moderator,” can be customized for full access to a tool guardrail configuration permission and no access to create and deploy a tool.

Key Considerations¶

After creating a custom role, it will appear in the dropdown menu of the email invitation template. You can then select and assign this role to the user you invite to your account.
You cannot delete a custom role if it is currently assigned to active users or included in an email invitation. The system displays an error message, as shown in the screenshot below.

To proceed, you must first unassign the role or assign an alternative role to these users, and then you can delete the custom role.

Permissions¶

A Permission is a specific action or a set of actions the user can perform for a module i.e., Admin, Tool, or Evaluation based on the defined access level (Full, Edit, or View), assigned role type (Account, Tools, or Agentic Apps) and role category (Admin, or Tools). An example includes the system providing full access to create a tool version to the Tool Admin role of the tool role type.

Access Levels¶

The Settings console supports two types of access: “Yes” indicates the user role has access to a module’s permission, and “No” means the user has no access. When the system/custom user role has access, the extent/level of access at the account or tool level is defined by the following presets:

View: The user can only view the module feature but does not have the permission to edit or delete it.
Custom: The user can view, add, and edit the module data, but not delete it.
Full: The user can view, add, edit, and delete the module data.
No Access: The user cannot access the module's features.

Learn more about Module-wise permissions and access levels.

Role Types¶

A Role Type defines the module-wise scope and access level for the defined permissions and associated actions.

Roles are auto-assigned by the system based on the following Role Types. Please refer to this table for more information on the roles.

Account: Users invited to the account must be assigned an Account role (default or custom). The role type manages access to users, integrations, and security permissions.
Tool: When a user is invited to a tool, they receive a Tool role. The role type manages access to tool configurations and deployments.
App: When a user is invited to the Agent Platform at the agentic app level, they are assigned this role. This role type manages access to the core features, configurations, and deployments of autonomous AI applications (agentic apps) that handle specialized business tasks and processes. The admin must assign this role type to any user with whom they intend to share an agentic app.

Account Role

The user who creates an Agent Platform account is assigned the Master Admin role by default.
The Master Admin can assign other account roles to users added to their account.

Tool Role

The user who creates a tool is assigned the Tool Admin role by default.
The Tool Admin can assign other tool roles to users they invite to their tool.

App Role

The user who creates an agentic app is assigned the App Owner role by default.
The App Owner can assign other Agentic App roles to users who have access to their agentic apps.

Module-wise Permissions and Access Levels¶

The following table summarizes the module-wise permissions and access levels for default admin, tool, and evaluation roles.

Admin Role

Module	Permission	Default Admin Role
		Master Admin	Admin	Member	Viewer
		Access Level
Tools	Create a Tool	Yes	Yes	Yes	No
Tools	Tool Import	Yes	Yes	Yes	No
Models	Access to Model (“View” is the default access for a custom role)	Full	Custom	Custom	View
	Add an external model	Yes	Yes	Yes	No
	Create a custom model and perform fine tuning	Yes	Yes	No	No
	Add opensource model	Yes	Yes	No	No
	Manage Deployment - deploy/undeploy/redeploy	Yes	Yes	No	No
	Create or Delete an API Key for a model	Yes	Yes	No	No
	Export Model	Yes	Yes	No	No
	Delete Model	Yes	No	No	No
	Model Configuration	Yes	Yes	No	No
Prompts	Access to a Prompt	Yes	Yes	Yes	Yes
	Create an Experiment	Yes	Yes	Yes	No
	Access to Settings (Only if the settings permission is 'Yes' the user will see all the permissions)	Full	Custom	Custom	No Access
	Access to guardrails at the account level	Yes	Yes	Yes	Yes
	Access to Integrations (“Full” is the default access)	Full	Full	Custom	View
Integrations	Access	Full	Full	Custom	View
	Delete an Integration	Yes	Yes	Yes	No
	Test an Integration	Yes	Yes	Yes	No
	Update an Integration	Yes	Yes	Yes	No
	Create an Integration	Yes	Yes	Yes	No
	Disable an Integration	Yes	Yes	Yes	No
Users Management	Access	Full	Full	No access	No access
	Invite User (via email or import)	Yes	Yes	No	No
	Bulk Import Users via files	Yes	Yes	No	No
	Assign/revoke system roles to users & manage profile and status	Yes	Yes	No	No
	Groups	Yes	Yes	No	No
	Enrolment	Yes	Yes	No	No
	Directory Sync to enroll users	Yes	Yes	No	No
	Manage Tool Roles (Create and edit Custom roles), assign/revoke users	Yes	Yes	No	No
	Manage Admin Roles (Create and edit Custom roles), assign/revoke users	Yes	Yes	No	No
	Remove Users	Yes	Yes	No	No
	Manage User Settings (profile fields): Users with the permissions to manage user settings can bulk change permissions.	Yes	Yes	No	No
	Security and Control Settings	Create Management API Key.	Yes	Yes	No	No
Monitoring	All actions	Yes	Yes	No	No
Billing: Plans, invoice, subscribe & unsubscribe, token usage	All actions	Yes	No	No	No
Tool Management	All actions	Yes	Yes	No	No
Evaluations	Access	Full	Custom	Custom	View
	Create projects	Yes	Yes	Yes	No
	Create Global Evaluators.	Yes	Yes	Yes	No
	Delete Global Evaluators	Yes	No	No	No
	Edit Global Evaluators	Yes	Yes	No	No

Tool Role

Module	Permission	Default Tool Role
		Tool Admin	Tool Manager	Tool Editor	Tool Viewer
		Access Level
Tools	Access to Tool (“Custom” is the default access for a custom role)	Full	Custom	Custom	View
	Create a Tool Version	Yes	Yes	Yes	No
	Import as a Version	Yes	Yes	No	No
	Share Tools/ Unshare Tools/ Assign Tool Roles/ Remove users	Yes	Yes	No	No
	Delete Tool	Yes	No	No	No
	Export Tool	Yes	Yes	Yes	No
	Monitoring Trace of an Tool	Yes	Yes	Yes	Yes
	Editing Tool Workflow	Yes	Yes	Yes	No
	Tool configurations	Yes	Yes	Yes	No
	Create/Delete an API Key	Yes	Yes	No	No
Deployment	Manage Deployment - deploy/undeploy/redeploy	Yes	Yes	Yes	No
Guardrails	Manage Guardrails Configuration	Yes	Yes	Yes	No
Monitoring	Audit Log	Yes	Yes	No	No

App Role - Agentic Apps

Permission	Default App Role
	App Owner	App Admin	App Developer	App Tester	App Viewer
	Access Level
App Configuration	Full	Full	Full	View	View
Agents	Full	Full	Full	View	View
Code Tools	Full	Full	Full	View	View
Simulate	Full	View	View	View	View
Analytics	Full	Full	Full	View	No
Environments	Full	Full	View	View	No
API Keys	Full	Full	View	View	No
Audit Logs	Full	View	View	View	No
Guardrails	Full	Full	Full	View	View
Sharing & Permissions	Full	Full	Full	View	No
Versions	Full	Full	Full	View	No
Tools Library	Full	Full	Full	View	View
Export Tool	Full	Full	Full	View	No

Module	Permission	Default Role
		App Owner	App Admin	App Developer	App Tester	App Viewer
		Access
App Configurations	View Profile, View Config, view app versions	Yes	Yes	Yes	Yes	Yes
App Configurations	Edit Profile, Edit Config, Import App version, Delete App version	Yes	Yes	Yes	No	No
Agents	View Agent	Yes	Yes	Yes	Yes	Yes
Agents	Add Agent, Edit Agent, Link Tools, Unlink Tools, Restore Agent Version, Restore App Version, Create Agent Version	Yes	Yes	Yes	No	No
Tools	View Tool	Yes	Yes	Yes	Yes	Yes
Tools	Add Tool, Edit Tool, Create In-line tool, Edit Inline Tool, Delete Inline Tool	Yes	Yes	Yes	No	No
Simulate	Test	Yes	Yes	Yes	Yes	Yes
Analytics	View Sessions, Traces, Generations	Yes	Yes	Yes	Yes	No
Environments	View Environment	Yes	Yes	Yes	Yes	No
Environments	Create Environment, Delete Environment, Deploy Version	Yes	Yes	No	No	No
API Keys	View List	Yes	Yes	Yes	Yes	No
API Keys	Add Key	Yes	Yes	No	No	No
Audit Logs	View Logs	Yes	Yes	Yes	Yes	No
Guardrails	View Guardrails	Yes	Yes	Yes	Yes	Yes
Guardrails	Add Guardrails, Edit Guardrails	Yes	Yes	Yes	No	No
Sharing & Permissions	View Users	Yes	Yes	Yes	Yes	No
Sharing & Permissions	Add Users, Update Role	Yes	Yes	Yes	No	No

Evaluation Role

Permission	Full	Edit	View
Edit a project.	Yes	Yes	No
Share a project.	Yes	Yes	No
User management - invite/delete users from project	Yes	No	No
Delete a project.	Yes	No	No
Create/delete custom evaluators	Yes	Yes	No
Create/rename evaluations	Yes	Yes	No
Delete Evaluations	Yes	No	No
Run an Evaluation	Yes	Yes	No
Add, edit and delete evaluator columns and run evaluation	Yes	Yes	No
Create a custom evaluator	Yes	Yes	No
Save as a global evaluator	Yes	Yes	No
Export evaluation	Yes	Yes	No
Automate evaluation	Yes	Yes	No
Import rows	Yes	Yes	No
Add, edit and delete evaluator columns and run evaluation	Yes	Yes	No
Add production data(model traces)	Yes	Yes	No
Run a prompt	Yes	Yes	No
Table options(user specific)	Yes	Yes	Yes

Role Management Dashboard¶

The Role Management Dashboard displays key information related to system and custom roles and their permissions available on the Agent Platform.

To access the dashboard, follow the steps below:

Log in to Agent Platform and click Settings on the top menu.
Click Users Management > Role Management on the left menu.

The Role Management dashboard displays the following:

The summary of counts for the following:
- Total Roles: The total count of system and custom roles in the system.
- System Roles: The count of the predefined, system-generated user roles.
- Custom Roles: The count of the user roles created and configured by the system admin.
A Table view of the following system and custom role details:
- Role: The name of the system-generated role or the custom role you have created.
- Role Type: The role type defines its scope, including Account, Tool, and Agentic App.
- Description: This is the description of the role. System roles are predefined, while you must provide custom role descriptions. Hover over the description text to view the entire description.
- Created by: For system-generated roles, System is displayed. For custom roles, the name of the user who created the role is displayed, as shown in the image below. This user can be the account owner or another user in the admin’s account.
- Last Updated On: The local time and date when the custom role was last updated are displayed. This information does not appear for system roles, as they cannot be modified.

Search a Role¶

To look up a system or custom role, follow the steps below:

Navigate to the Role Management dashboard.
Click the Search text field.
Enter the role you want to search for. All the matching results are displayed.

If no results are found, the following message is displayed.

Manage System Roles¶

You can perform the following actions on the system-generated roles.

Important

System roles cannot be created, modified, or deleted since the role and its permissions are predefined in the system. However, they can be duplicated as Custom Roles and modified.

View Role Information¶

To view the details of a system-defined role, follow the steps below.

Navigate to the Role Management dashboard,
Click the Ellipses icon for a system role.
Select View.

The following information is displayed:

Role Title along with Role Type.
Role Name
Role Description
Configuration panel to enable/disable access and set access levels for the listed permissions at the account/tool level. Click here to see the module-wise permissions and access levels for different roles.

Duplicate System Role¶

If you want to add a custom role by copying the scope and permissions of a system role, you can use the Duplicate functionality. This feature automatically duplicates the system role, copying its name, role type, and permission/access configurations, and creates it as a custom role. You can then modify, delete, or duplicate this custom role to create multiple copies and add module-wise permissions/access for each.

Note

The changes you make to the duplicate role do not apply to the original system role.
The Last Updated On value is displayed for duplicate roles and shows the date and time when the duplicate was created.

Steps to Create a Duplicate Role

To duplicate a system role, follow the steps below:

Navigate to the Role Management dashboard.
Click the Ellipses icon for a system role.
Select Duplicate.

The duplicate custom role displays the system role name followed by a suffix “copy,” as shown below. You can edit the name if required.

Manage Custom Roles¶

Custom roles can be edited, deleted, or duplicated on the Settings console. They help customize a set of permissions and set access levels according to enterprise's requirements.

Add a Role¶

To add a custom role, follow the steps below:

Navigate to Role Management on the Settings console.
Click Add New Role.
Follow the steps below in the New Role window:
- Enter Role Name (should be unique) & Role Description.
- Select the Role Type from the dropdown.
- Follow the steps below if you select Role Type as Account.
  - Enable/select the access level for module-wise permissions in the Enable/Disable tool access section. Learn more about module-wise permissions and access levels you can configure for a custom role.
  - If you select Custom, Select the checkbox to enable the permissions (set to Yes) or unselect to disable (set to No) for the following:
    - Create and Import Tool
    - Create agentic apps
    - Models
      - Add External models
      - Fine-tune a model
      - Delete a model
      - Manage Deployment - deploy/undeploy
      - Create an API key for a model
      - Export model
    - Prompts
    - Settings
      - Integrations
      - Weights and Biases
      - Hugging Face
      - S3 Bucket
    - User Management
      - Invite user
      - Bulk import users
      - Assign roles to users
      - Directory Sync
      - Manage admin roles
      - Manage tool roles
      - Remove users
      - Manage user settings
    - Security and Control Settings
    - Manage Guardrail Models
    - Monitoring
    - Billing
- Select the access level for Models, Settings, Integrations, and User Management from the following options:
  - Full: The users can access all the module permissions (view & edit).
  - Custom: The users can select only the required permissions for the module to customize the role.
  - View: The users can only view the configured module permissions.
  - No Access: The user cannot view/customize the module permissions.

Important Considerations

First, select the access level for Models to enable its permissions.

Missing this step automatically disables the permissions.
Selecting Full automatically selects all the module permissions.
Selecting Custom allows you to enable only the required module permissions.
Selecting View and No Access disables permissions selection.
Selecting Full for Settings automatically sets the access levels of Integrations and User Management to Full.

Additionally, it automatically enables all the permissions for the following modules:

Integrations (View is always enabled by default as it is the minimum required permission).
User Management
Security and Control Settings
Manage Guardrail Models
Monitoring
Billing
Selecting No Access for Settings automatically sets the access levels of Integrations to View and User Management to No Access.

Additionally, it disables all the permissions for the following modules:

Integrations (The View permission is always enabled by default).
User Management
Security and Control Settings
Manage Guardrail Models
Monitoring
Billing

Selecting Custom for Settings automatically sets the Integrations and User Management access levels to Custom where you can select or unselect the listed permissions based on your requirement for the following modules:

Integrations
User Management
Security and Control Settings
Manage Guardrail Models
Monitoring
Billing

You can change Custom to Full or View for Integrations and Full or No Access for User Management.

If you select Role Type as Tool, follow the steps below:

Select Custom, View, or Full for Access. Learn more.

Custom is the default selection.

Set up the tool permissions as follows in the Enable/Disable tool access section:
If you select View for Access, all the permissions are automatically disabled.
If you select Full for Access, all the permissions are automatically enabled.
If you select Custom for Access, you can select the required tool permissions to enable them and customize the role.
Click Create.

The new custom role is created and listed on the Role Management dashboard.

Edit a Custom Role¶

You can modify the role name, description, and access levels for account type or tool type roles’ permissions on the Settings console.

Note

The system does not allow changing the Role Type once it is set. You must create a new custom role to assign a different role type.
When a custom role is updated, it changes the permissions for the assigned users.

To update a role, follow the steps below:

Navigate to the Role Management dashboard on the Settings console.
Click the Ellipses icon for the custom role you want to modify.
Select Edit.
Edit the required values for the following In the Update Role window:
- Role Name
- Role Description
- Access: Select either Custom, Full, or View.

Note

You cannot reset the access levels for module-wise Permissions in the Enable/disable tool access section.

Click Update.

A success message is displayed upon completing the role edit, and the updated role details appear on the dashboard.

Delete a Custom Role¶

You can delete a custom role if you want to permanently remove it from the system and unassign it from users.

Note

You can only delete one role at a time. Bulk delete is not supported.

Prerequisite

Before you delete a role, ensure that the custom role is not assigned to any active users. If the role is assigned, do one of the following:

Reassign an alternative role to the active users. Learn more.
Remove Inactive users to whom this role is assigned.

To delete a role, follow the steps below:

Navigate to the Role Management dashboard on the Settings console.
Click the Ellipses icon for the custom role you want to delete.
Select Delete.
Click Confirm in the Delete Role confirmation window.

A success message is displayed, and the role is deleted from the Role Management dashboard.

Role Deletion Error and Workaround¶

The Settings console allows you to delete only unassigned roles. If a role is assigned to active/inactive users during deletion, the following error message is displayed.

You must perform one of the following workarounds.

Reassign an Alternative Role to Active Users¶

Navigate to Users Management > Users on the Settings Console.
Click the Account Role entry for the user.
Select the role you want to reassign.

Once you reassign the role for the user, go to the Role Management dashboard and delete the role using the steps mentioned here.

The role is deleted successfully from the Role Management dashboard and the count for custom roles is updated (decreased).

Delete Assigned Users¶

Navigate to the Users Management dashboard and follow the steps mentioned in the Delete Users section to delete all the assigned users individually or in bulk. Once the user is deleted, go to the Role Management dashboard and delete the required custom role.

Deleting the assigned users removes their association with the role you want to delete.

Duplicate a Custom Role¶

Like a system role, you can duplicate a custom role, which copies the name, role type, and configurations for permissions and access. Follow the steps mentioned here to complete the process for a custom role.

Settings Console - Learn more about other Agent Platform admin features.
Users Management - Learn more about managing users in your account.
Monitoring: Audit Logs - Learn more about tracking events and user activity in your account.

Manage Roles, Permissions and Access Levels¶

Roles and Modules¶

Roles¶

System-defined Roles¶

Custom Roles¶

Key Considerations¶

Permissions¶

Access Levels¶

Role Types¶

Module-wise Permissions and Access Levels¶

Role Management Dashboard¶

Search a Role¶

Manage System Roles¶

View Role Information¶

Duplicate System Role¶

Manage Custom Roles¶

Add a Role¶

Edit a Custom Role¶

Delete a Custom Role¶

Role Deletion Error and Workaround¶

Reassign an Alternative Role to Active Users¶

Delete Assigned Users¶

Duplicate a Custom Role¶

Related Information¶