Custom User Permissions
Custom User Permissions lets organization administrators control exactly what each member can see and do within the platform. Instead of a one-size-fits-all approach, you can create tailored roles with specific permissions and assign them to individual users. This gives your organization fine-grained control over access to AI agents, data sources, tools, settings, and more.
Accessing User Permissions
To manage user permissions, navigate to Organization Settings and click User Permissions. This page is available to organization administrators and any user with the Roles permission enabled.
The User Permissions page is divided into two panels:
- Left panel — Lists all available roles (both custom and system roles)
- Right panel — Shows the users in your organization and their role assignments
Understanding Roles
Roles are collections of permissions that define what a user can access. There are two categories.
System Roles
System roles are built-in and cannot be deleted:
- User — The default role automatically assigned to every organization member. It grants standard permissions such as viewing and editing your own AI agents, chats, data sources, and files. You can customize the permissions included in this role, but it cannot be removed from the system.
- Admin — A system role with elevated permissions that grants full access to organization-wide resources. This role cannot be edited or deleted.
Custom Roles
Custom roles are created by administrators to meet specific organizational needs. For example, you might create a "Data Analyst" role that grants read access to organization data sources but restricts access to organization settings, or a "Content Manager" role that can edit AI agents across the organization.
Creating a Custom Role
- On the User Permissions page, click Create Role in the Custom Roles section.
- Enter a Name for the role (up to 50 characters).
- Optionally, add a Description (up to 250 characters) to help others understand the role's purpose.
- Configure the role's permissions using the permission selector (see Permission Categories below).
- Click Create to save the role.
New roles start with the default user permissions pre-selected. You can then add or remove specific permissions to tailor the role.
Editing a Role
- Select the role from the left panel by clicking on it.
- Click the edit icon next to the role name in the role details card.
- Modify the name, description, or permissions as needed.
- Click Save to apply changes.
You can edit the User system role's permissions to change what all default users can access. The Admin role cannot be edited.
Deleting a Custom Role
- Select the role and click the edit icon to open the edit modal.
- Click the Delete button.
- Confirm the deletion.
System roles (User and Admin) cannot be deleted. Deleting a custom role removes it from all users who had it assigned.
Permission Categories
When creating or editing a role, you choose which permissions to include. Permissions are organized by resource type and control two actions:
- View — Allows the user to see and read the resource
- Edit — Allows the user to create, modify, or delete the resource (automatically includes View)
Some resources support two access levels:
- User (Self) — The user can only access their own resources (e.g., their own AI agents)
- Organization — The user can access resources across the entire organization (e.g., all AI agents)
Default User Permissions
At the top of the permission selector, there is a Grant Default User Permissions toggle. When enabled, the role automatically includes all standard user-level permissions (viewing and editing your own AI agents, chats, data sources, files, and tools). This is a convenient shortcut so you don't have to check each individual user-level permission manually.
Available Permission Areas
| Permission Area | Description | Access Levels |
|---|---|---|
| AI | Access to create, view, edit, and manage AI agents | User, Organization |
| Data Sources | Access to manage data sources and knowledge bases | User, Organization |
| Files | Access to view files | User, Organization |
| API Keys | Access to view and create API keys | User |
| Tool Templates | Access to use and manage tool connectors | User, Organization |
| Flows | Access to workflow automation flows | User |
| Users | Access to view and manage organization members | Organization |
| Groups | Access to view and manage user groups | Organization |
| Organization Settings | Access to organization-wide settings | Organization |
| Organization Chat Logs | Access to view organization chat logs | Organization (View only) |
| Roles | Access to view and manage roles and permissions | Organization |
| Feature Flags | Access to view and manage feature flags | Organization |
| Usage | Access to view organization usage statistics | Organization (View only) |
| Subscriptions | Access to manage organization billing | Organization (View only) |
| AI Agent Tools | Access to configure tools for AI agents | Organization |
AI Agent Tools (Granular Control)
The AI Agent Tools permission area lets you control access to specific tool types individually:
- API Function
- Python / Code
- User Inputs
- Enhanced Knowledge
- Web Search
- Image Generation
- MCP Server
- Spreadsheet
- Browser
You can grant access to all tools at once or select only the specific tool types your team needs.
Required Permissions
Every role must include at minimum:
- View User AI — So the user can see AI agents
- View User Chats — So the user can participate in conversations
These permissions are always checked and cannot be removed from any role.
Assigning Roles to Users
Assigning a Single User
- Select a role from the left panel.
- In the right panel, find the user under Unassigned Users.
- Click on the user's card to select them.
- Click Grant to assign the role.
Removing a Role from a User
- Select the role from the left panel.
- Find the user under Assigned Users.
- Click on the user's card to select them.
- Click Revoke to remove the role assignment.
Bulk Role Assignment
You can assign or remove roles for multiple users at once:
- Select a role from the left panel.
- Use the checkboxes to select multiple users, or click Select All Visible or Select All Users to quickly select many users.
- The toolbar shows how many users are selected, along with Grant and Revoke buttons.
- Click Grant to assign the role to all selected unassigned users, or Revoke to remove the role from all selected assigned users.
- Click View to see a list of all selected users in a modal, where you can individually remove users from the selection.
Searching for Users
Use the search bar above the user list to filter users by name or email address. The search works across both assigned and unassigned user lists.
Viewing a User's Roles
When browsing the user list, each user card shows badges indicating their other role assignments. Click on a role badge to quickly jump to that role's view.
How Permissions Are Applied
When a user has custom roles assigned, their effective permissions are the combination of all permissions from all their assigned roles. For example, if a user has a "Data Analyst" role with View access to organization data sources, and a "Content Manager" role with Edit access to organization AI agents, they will have both sets of permissions active simultaneously.
- Users with custom role assignments get the permissions defined by their assigned roles.
- Users without any custom role assignments receive the default User role permissions.
- Organization administrators always retain full admin access regardless of custom role assignments.
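The combination rule above can be checked offline during an access review. The following is an added example, not the platform's own code or API: it models a permission as an (area, level, action) tuple, applies "Edit includes View" and the two required permissions, and reports which roles give each non-admin user a sensitive grant. The role "Role Helper", the users, the choice of sensitive grants, and the assumption that the User role is always part of the union are all constructed for illustration.

```python
# Added example: constructed data model, not the platform's API or export format.
# A permission is (area, level, action), e.g. ("AI", "org", "edit").
REQUIRED = {("AI", "user", "view"), ("Chats", "user", "view")}  # in every role
# Assumption: the grants this review treats as sensitive; adjust to your policy.
SENSITIVE = {("Roles", "org", "edit"), ("Users", "org", "edit"),
             ("Organization Settings", "org", "edit"),
             ("Organization Chat Logs", "org", "view")}

ROLES = {  # constructed sample roles
    "User": {("AI", "user", "edit"), ("Chats", "user", "edit"),
             ("Data Sources", "user", "edit"), ("Files", "user", "edit")},
    "Data Analyst": {("Data Sources", "org", "view")},
    "Content Manager": {("AI", "org", "edit")},
    "Role Helper": {("Roles", "org", "edit")},  # hypothetical role
}
USERS = [  # constructed sample users
    {"email": "ana@example.com", "roles": ["Data Analyst", "Content Manager"]},
    {"email": "ben@example.com", "roles": ["Data Analyst", "Role Helper"]},
    {"email": "cy@example.com", "roles": []},
    {"email": "root@example.com", "roles": [], "admin": True},
]

def expand(perms):
    """Add the required permissions and the View implied by each Edit."""
    implied = {(area, level, "view") for area, level, action in perms if action == "edit"}
    return set(perms) | implied | REQUIRED

def effective_permissions(user, roles):
    """Union of the User system role and every custom role the user holds."""
    perms = expand(roles["User"])
    for name in user["roles"]:
        perms |= expand(roles[name])
    return perms

def sensitive_grants(users, roles):
    """Per non-admin user: each sensitive permission and the roles granting it."""
    findings = {}
    for user in users:
        if user.get("admin"):
            continue  # administrators always have full access; nothing to derive
        held = effective_permissions(user, roles) & SENSITIVE
        sources = ["User"] + user["roles"]
        if held:
            findings[user["email"]] = {
                perm: [r for r in sources if perm in expand(roles[r])]
                for perm in sorted(held)}
    return findings

if __name__ == "__main__":
    for email, grants in sensitive_grants(USERS, ROLES).items():
        print(email, grants)
```

Because the User role feeds into every user's result in this model, adding a sensitive permission to it shows up as a finding for every non-admin user.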
Limitations
- The User role cannot be removed from users — Every user in the organization automatically has the User role. You can customize what permissions the User role includes, but you cannot unassign it from individual users.
- The Admin role cannot be edited — Admin permissions are fixed and grant full organizational access.
- Role names must be unique — You cannot create two roles with the same name within an organization.
- Minimum permissions required — Every role must include at least View access to User AI and User Chats.
- Permission changes take effect on next action — After modifying a user's roles, the updated permissions apply the next time the user performs an action or refreshes the page.