- Which system roles can perform each operation.
- The specific permission string required.
- Notes about partial access or special cases.
For an overview of LangSmith’s RBAC system, role definitions, and permission concepts, refer to Role-based access control.
Contents
| Organization-level operations | Workspace-level operations |
|---|---|
| Core management: • Organization settings: Org info and configuration • Workspaces: Workspace management • Organization members: Member management • Roles and permissions: Custom roles | Core resources: • Projects: Organize traces and runs • Runs: Individual execution traces • Datasets: Test datasets for evaluation • Examples: Individual dataset examples • Experiments: Comparative experiments |
| Security and authentication: • SSO and authentication: Single sign-on setup • SCIM: Identity provisioning • Access policies: Attribute-based access control | Monitoring and analysis: • Rules: Automated run rules • Alerts: Alert rules for monitoring • Feedback: Scores and labels on outputs • Annotation Queues: Human review queues • Charts: Custom visualizations |
| Billing and accounts: • Billing and payments: Subscription management • API keys: Org-level keys | Development and configuration: • Prompts: Prompt templates (LangChain Hub) • Deployments: Deployment configurations • MCP Servers: Model Context Protocol servers |
| Analytics: • Charts and dashboards: Org-level visualizations • Usage and analytics: Usage tracking and TTL settings | Workspace management: • Workspace settings: Members, settings • Tags: Metadata tagging system • Bulk Exports: Data export operations |
- User-level operations: Operations for all authenticated users
- Permission inheritance: How roles inherit across org/workspaces
Legend
- ✓ Allowed: User with this role can perform this action
- ✗ Not Allowed: User with this role cannot perform this action
- âš Partial: User has limited access (see notes)
Organization-level operations
Organization-level operations are controlled by organization roles, which are separate from the RBAC feature. Learn more in the Role-based access control guide.
Organization settings
| Operation | Org Admin | Org User | Org Viewer | Required Permission |
|---|---|---|---|---|
| View organization info | ✓ | ✓ | ✓ | organization:read |
| View organization dashboard | ✓ | ✓ | ✓ | organization:read |
| Update organization info | ✓ | ✗ | ✗ | organization:manage |
| View billing info | ✓ | ✓ | ✓ | organization:read |
| View company info | ✓ | ✓ | ✓ | organization:read |
| Set company info | ✓ | ✗ | ✗ | organization:manage |
Workspaces
Organization-level workspace management operations.| Operation | Org Admin | Org User | Org Viewer | Required Permission |
|---|---|---|---|---|
| List all workspaces | ✓ | ✓ | ✓ | organization:read |
| Create workspace | ✓ | ✗ | ✗ | organization:manage |
Organization members
| Operation | Org Admin | Org User | Org Viewer | Required Permission |
|---|---|---|---|---|
| View organization members | ✓ | ✓ | ✓ | organization:read |
| View active org members | ✓ | ✓ | ✓ | organization:read |
| View pending org members | ✓ | ✓ | ✓ | organization:read |
| Invite member to organization | ✓ | ✗ | ✗ | organization:manage |
| Invite members (batch) | ✓ | ✗ | ✗ | organization:manage |
| Add basic auth members | ✓ | ✗ | ✗ | organization:manage |
| Remove organization member | ✓ | ✗ | ✗ | organization:manage |
| Update organization member role | ✓ | ✗ | ✗ | organization:manage |
| Delete pending org member | ✓ | ✗ | ✗ | organization:manage |
Roles and permissions
| Operation | Org Admin | Org User | Org Viewer | Required Permission |
|---|---|---|---|---|
| List organization roles | ✓ | ✓ | ✓ | organization:read |
| List available permissions | ✓ | ✓ | ✓ | N/A (user-level) |
| Create custom role | ✓ | ✗ | ✗ | organization:manage |
| Update custom role | ✓ | ✗ | ✗ | organization:manage |
| Delete custom role | ✓ | ✗ | ✗ | organization:manage |
SSO and authentication
| Operation | Org Admin | Org User | Org Viewer | Required Permission |
|---|---|---|---|---|
| View SSO settings | ✓ | ✓ | ✓ | organization:read |
| Create SSO settings | ✓ | ✗ | ✗ | organization:manage |
| Update SSO settings | ✓ | ✗ | ✗ | organization:manage |
| Delete SSO settings | ✓ | ✗ | ✗ | organization:manage |
| View login methods | ✓ | ✓ | ✓ | organization:read |
| Update allowed login methods | ✓ | ✗ | ✗ | organization:manage |
| Set default SSO provision | ✓ | ✗ | ✗ | organization:manage |
SCIM
System for Cross-domain Identity Management for user provisioning.| Operation | Org Admin | Org User | Org Viewer | Required Permission |
|---|---|---|---|---|
| List SCIM tokens | ✓ | ✓ | ✓ | organization:read |
| Get SCIM token | ✓ | ✓ | ✓ | organization:read |
| Create SCIM token | ✓ | ✗ | ✗ | organization:manage |
| Update SCIM token | ✓ | ✗ | ✗ | organization:manage |
| Delete SCIM token | ✓ | ✗ | ✗ | organization:manage |
Access policies
Attribute-based access control (ABAC) policies for fine-grained permissions.ABAC is in private preview.
| Operation | Org Admin | Org User | Org Viewer | Required Permission |
|---|---|---|---|---|
| List access policies | ✓ | ✓ | ✓ | organization:read |
| Get access policy | ✓ | ✓ | ✓ | organization:read |
| Create access policy | ✓ | ✗ | ✗ | organization:manage |
| Delete access policy | ✓ | ✗ | ✗ | organization:manage |
| Attach access policy to role | ✓ | ✗ | ✗ | organization:manage |
Billing and payments
| Operation | Org Admin | Org User | Org Viewer | Required Permission |
|---|---|---|---|---|
| Create Stripe setup intent | ✓ | ✗ | ✗ | organization:manage |
| Handle payment method creation | ✓ | ✗ | ✗ | organization:manage |
| Change payment plan | ✓ | ✗ | ✗ | organization:manage |
| Create Stripe checkout session | ✓ | ✗ | ✗ | organization:manage |
| Confirm checkout completion | ✓ | ✗ | ✗ | organization:manage |
| Create Stripe account links | ✓ | ✗ | ✗ | organization:manage |
API keys
| Operation | Org Admin | Org User | Org Viewer | Required Permission |
|---|---|---|---|---|
| List org-scoped API keys | ✓ | ✓ | ✓ | organization:read |
| Create org-scoped API key (workspace-scoped)* | ✓ | ⚠| ✗ | organization:pats:create |
| Create org-scoped API key (org-wide)* | ✓ | ✗ | ✗ | organization:pats:create + organization:manage |
| List personal access tokens | ✓ | ✓ | ✗ | organization:read |
| Create personal access token | ✓ | ✓ | ✗ | organization:pats:create |
| Delete personal access token | ✓ | ✓ | ✗ | organization:read |
* Organization Users can create workspace-scoped API keys only for workspaces where they are a Workspace Admin. Org-wide API keys require the Organization Admin role.
Organization charts and dashboards
| Operation | Org Admin | Org User | Org Viewer | Required Permission |
|---|---|---|---|---|
| List org charts | ✓ | ✓ | ✓ | organization:read |
| Get org chart by ID | ✓ | ✓ | ✓ | organization:read |
| Create org chart | ✓ | ✗ | ✗ | organization:manage |
| Update org chart | ✓ | ✗ | ✗ | organization:manage |
| Delete org chart | ✓ | ✗ | ✗ | organization:manage |
| Render org chart | ✓ | ✓ | ✓ | organization:read |
| Get org chart section | ✓ | ✓ | ✓ | organization:read |
| Create org chart section | ✓ | ✗ | ✗ | organization:manage |
| Update org chart section | ✓ | ✗ | ✗ | organization:manage |
| Delete org chart section | ✓ | ✗ | ✗ | organization:manage |
| Render org chart section | ✓ | ✓ | ✓ | organization:read |
Usage and analytics
| Operation | Org Admin | Org User | Org Viewer | Required Permission |
|---|---|---|---|---|
| View organization usage | ✓ | ✓ | ✓ | organization:read |
| View TTL settings | ✓ | ✓ | ✓ | organization:read |
| Upsert TTL settings | ✓ | ✗ | ✗ | organization:manage |
Workspace-level operations
These operations are controlled by workspace-level roles and permissions.Projects
Projects organize traces and runs from your LLM applications.| Operation | Workspace Admin | Workspace Editor | Workspace Viewer | Required Permission |
|---|---|---|---|---|
| Create a new project | ✓ | ✗ | ✗ | projects:create |
| View project list | ✓ | ✓ | ✓ | projects:read |
| View project details | ✓ | ✓ | ✓ | projects:read |
| View prebuilt dashboard | ✓ | ✓ | ✓ | projects:read |
| View project metadata (top K values) | ✓ | ✓ | ✓ | projects:read |
| Update project metadata (name, description, tags) | ✓ | ✓ | ✗ | projects:update |
| Create filter view | ✓ | ✗ | ✗ | projects:create |
| View filter views | ✓ | ✓ | ✓ | projects:read |
| View specific filter view | ✓ | ✓ | ✓ | projects:read |
| Update filter view | ✓ | ✓ | ✗ | projects:update |
| Delete filter view | ✓ | ✗ | ✗ | projects:delete |
| Delete a project | ✓ | ✗ | ✗ | projects:delete |
| Delete multiple projects | ✓ | ✗ | ✗ | projects:delete |
| Get insights jobs (Beta) | ✓ | ✓ | ✓ | projects:read |
| Get specific insights job (Beta) | ✓ | ✓ | ✓ | projects:read |
| Create insights job (Beta) | ✓ | ✓ | ✓ | projects:read + rules:create |
| Update insights job (Beta) | ✓ | ✓ | ✗ | projects:update |
| Delete insights job (Beta) | ✓ | ✗ | ✗ | projects:delete |
| Get insights job configs (Beta) | ✓ | ✓ | ✓ | rules:read |
| Create insights job config (Beta) | ✓ | ✓ | ✗ | rules:create |
| Auto-generate insights job config (Beta) | ✓ | ✓ | ✗ | rules:create |
| Update insights job config (Beta) | ✓ | ✓ | ✗ | rules:update |
| Delete insights job config (Beta) | ✓ | ✓ | ✗ | rules:delete |
| Get run cluster from insights job (Beta) | ✓ | ✓ | ✓ | projects:read |
| Get runs from insights job (Beta) | ✓ | ✓ | ✓ | projects:read |
Runs
Individual execution traces and spans from your LLM applications.| Operation | Workspace Admin | Workspace Editor | Workspace Viewer | Required Permission |
|---|---|---|---|---|
| Send traces from SDK (includes single run, batch, multipart, and OTEL) | ✓ | ✓ | ✗ | runs:create |
| View a specific run | ✓ | ✓ | ✓ | runs:read |
| View thread preview | ✓ | ✓ | ✓ | runs:read |
| Query/list runs | ✓ | ✓ | ✓ | runs:read |
| View run statistics | ✓ | ✓ | ✓ | runs:read |
| View grouped run statistics | ✓ | ✓ | ✓ | runs:read |
| Group runs by expression | ✓ | ✓ | ✓ | runs:read |
| Generate filter query from natural language | ✓ | ✓ | ✓ | runs:read |
| Prefetch runs | ✓ | ✓ | ✓ | runs:read |
| Update a run (PATCH) | ✓ | ✓ | ✗ | runs:create |
| View run sharing state | ✓ | ✓ | ✓ | runs:read |
| Share a run publicly | ✓ | ✓ | ✗ | runs:share |
| Unshare a run | ✓ | ✓ | ✗ | runs:share |
| Delete runs by trace ID or metadata | ✓ | ✗ | ✗ | runs:delete |
Rules
Automated run rules that trigger actions based on run conditions.| Operation | Workspace Admin | Workspace Editor | Workspace Viewer | Required Permission |
|---|---|---|---|---|
| List all run rules | ✓ | ✓ | ✓ | rules:read |
| Create a run rule | ✓ | ✓ | ✗ | rules:create |
| Update a run rule | ✓ | ✓ | ✗ | rules:update |
| Delete a run rule | ✓ | ✓ | ✗ | rules:delete |
| View rule logs | ✓ | ✓ | ✓ | rules:read |
| Get last applied rule | ✓ | ✓ | ✓ | rules:read |
| Manually trigger a rule | ✓ | ✓ | ✗ | rules:update |
| Trigger multiple rules | ✓ | ✓ | ✗ | rules:update |
Alerts
Alert rules for monitoring run conditions.| Operation | Workspace Admin | Workspace Editor | Workspace Viewer | Required Permission |
|---|---|---|---|---|
| Create alert rule | ✓ | ✓ | ✓ | runs:read |
| Update alert rule | ✓ | ✓ | ✓ | runs:read |
| Delete alert rule | ✓ | ✓ | ✓ | runs:read |
| Get alert rule | ✓ | ✓ | ✓ | runs:read |
| List alert rules | ✓ | ✓ | ✓ | runs:read |
| Test alert action | ✓ | ✓ | ✓ | runs:read |
Datasets
Test datasets with examples for evaluation.| Operation | Workspace Admin | Workspace Editor | Workspace Viewer | Required Permission |
|---|---|---|---|---|
| Create a dataset | ✓ | ✓ | ✗ | datasets:create |
| List datasets | ✓ | ✓ | ✓ | datasets:read |
| View dataset details | ✓ | ✓ | ✓ | datasets:read |
| Update dataset metadata | ✓ | ✓ | ✗ | datasets:update |
| Delete a dataset | ✓ | ✗ | ✗ | datasets:delete |
| Upload CSV dataset | ✓ | ✓ | ✗ | datasets:create |
| Clone dataset | ✓ | ✓ | ✗ | datasets:update |
| Get dataset version | ✓ | ✓ | ✓ | datasets:read |
| Get dataset versions | ✓ | ✓ | ✓ | datasets:read |
| Diff dataset versions | ✓ | ✓ | ✓ | datasets:read |
| Update dataset version (tags) | ✓ | ✓ | ✗ | datasets:update |
| Download dataset (OpenAI format) | ✓ | ✓ | ✓ | datasets:read |
| Download dataset (OpenAI fine-tuning format) | ✓ | ✓ | ✓ | datasets:read |
| Download dataset (CSV) | ✓ | ✓ | ✓ | datasets:read |
| Download dataset (JSONL) | ✓ | ✓ | ✓ | datasets:read |
| View dataset sharing state | ✓ | ✓ | ✓ | datasets:read |
| Share dataset publicly | ✓ | ✗ | ✗ | datasets:share |
| Unshare dataset | ✓ | ✗ | ✗ | datasets:share |
| Get index info | ✓ | ✓ | ✓ | datasets:read |
| Index dataset | ✓ | ✓ | ✗ | datasets:update |
| Sync dataset index | ✓ | ✓ | ✗ | datasets:update |
| Remove dataset index | ✓ | ✓ | ✗ | datasets:update |
| Search dataset | ✓ | ✓ | ✓ | datasets:read |
| Generate synthetic examples | ✓ | ✓ | ✗ | datasets:update |
| Get dataset splits | ✓ | ✓ | ✓ | datasets:read |
| Update dataset splits | ✓ | ✓ | ✓ | datasets:read |
| Run playground experiment (batch) | ✓ | ⚠| ✗ | prompts:read + datasets:read + projects:create |
| Run playground experiment (stream) | ✓ | ⚠| ✗ | prompts:read + datasets:read + projects:create |
| Run studio experiment | ✓ | ⚠| ✗ | datasets:read + projects:create |
Workspace Editors have partial access because they cannot create projects, which limits their ability to create new experiments.
Examples
Individual examples within datasets.| Operation | Workspace Admin | Workspace Editor | Workspace Viewer | Required Permission |
|---|---|---|---|---|
| Count examples | ✓ | ✓ | ✓ | datasets:read |
| View a specific example | ✓ | ✓ | ✓ | datasets:read |
| List examples | ✓ | ✓ | ✓ | datasets:read |
| Create a new example | ✓ | ✓ | ✗ | datasets:update |
| Create examples (bulk) | ✓ | ✓ | ✗ | datasets:update |
| Update a single example | ✓ | ✓ | ✗ | datasets:update |
| Update examples (bulk) | ✓ | ✓ | ✗ | datasets:update |
| Update examples (multipart) | ✓ | ✓ | ✗ | datasets:update |
| Upload examples from CSV | ✓ | ✓ | ✗ | datasets:update |
| Upload examples from JSONL | ✓ | ✓ | ✗ | datasets:update |
| Delete a single example | ✓ | ✓ | ✗ | datasets:update |
| Delete examples (bulk) | ✓ | ✓ | ✗ | datasets:update |
| View examples with runs | ✓ | ✓ | ✓ | datasets:read |
| View grouped examples with runs | ✓ | ✓ | ✓ | datasets:read |
| Validate a single example | ✓ | ✓ | ✓ | datasets:read |
| Validate examples (bulk) | ✓ | ✓ | ✓ | datasets:read |
Experiments
Comparative experiments for evaluating LLM outputs.| Operation | Workspace Admin | Workspace Editor | Workspace Viewer | Required Permission |
|---|---|---|---|---|
| View comparative experiments | ✓ | ✓ | ✓ | projects:read |
| Create comparative experiment | ✓ | ⚠| ✗ | projects:create |
| Delete comparative experiment | ✓ | ✗ | ✗ | projects:delete |
| View examples with runs | ✓ | ✓ | ✓ | datasets:read |
| View grouped examples with runs | ✓ | ✓ | ✓ | datasets:read |
| View grouped experiments | ✓ | ✓ | ✓ | datasets:read |
| View feedback delta | ✓ | ✓ | ✓ | datasets:read |
| Upload experiment results | ✓ | ⚠| ✗ | datasets:create + datasets:update + projects:create + runs:create |
| Get experiment view overrides | ✓ | ✓ | ✗ | datasets:update |
| Create experiment view override | ✓ | ✓ | ✗ | datasets:update |
| Update experiment view override | ✓ | ✓ | ✗ | datasets:update |
| Delete experiment view override | ✓ | ✓ | ✗ | datasets:update |
Workspace Editors have partial access because they cannot create projects, which limits their ability to create new experiments.
Feedback
Scores, labels, and corrections on LLM outputs.| Operation | Workspace Admin | Workspace Editor | Workspace Viewer | Required Permission |
|---|---|---|---|---|
| List feedback formulas | ✓ | ✓ | ✓ | feedback:read |
| Get feedback formula | ✓ | ✓ | ✓ | feedback:read |
| Create feedback formula | ✓ | ✓ | ✗ | feedback:create |
| Update feedback formula | ✓ | ✓ | ✗ | feedback:update |
| Delete feedback formula | ✓ | ✓ | ✗ | feedback:delete |
| View specific feedback | ✓ | ✓ | ✓ | feedback:read |
| List feedbacks | ✓ | ✓ | ✓ | feedback:read |
| Create feedback | ✓ | ✓ | ✗ | feedback:create |
| Eagerly create feedback | ✓ | ✓ | ✗ | feedback:create |
| Update feedback | ✓ | ✓ | ✗ | feedback:update |
| Delete feedback | ✓ | ✓ | ✗ | feedback:delete |
| Batch ingest feedback | ✓ | ✓ | ✗ | feedback:create |
| Create feedback ingest token | ✓ | ✓ | ✗ | feedback:create |
| List feedback ingest tokens | ✓ | ✓ | ✗ | feedback:create |
| Create feedback with token (no auth required) | ✓ | ✓ | ✓ | N/A (token-based) |
| List feedback configs | ✓ | ✓ | ✓ | feedback:read |
| Create feedback config | ✓ | ✓ | ✗ | feedback:create |
| Update feedback config | ✓ | ✓ | ✗ | feedback:update |
Annotation Queues
Human review queues for LLM outputs.| Operation | Workspace Admin | Workspace Editor | Workspace Viewer | Required Permission |
|---|---|---|---|---|
| List annotation queues | ✓ | ✓ | ✓ | annotation-queues:read |
| Get annotation queue | ✓ | ✓ | ✓ | annotation-queues:read |
| Create annotation queue | ✓ | ✓ | ✗ | annotation-queues:create |
| Update annotation queue | ✓ | ✓ | ✗ | annotation-queues:update |
| Delete annotation queue | ✓ | ✗ | ✗ | annotation-queues:delete |
| Populate annotation queue | ✓ | ✓ | ✗ | annotation-queues:update |
| Get runs from queue | ✓ | ✓ | ✓ | annotation-queues:read |
| Get run from queue (by index) | ✓ | ✓ | ✓ | annotation-queues:read |
| Get queues for run | ✓ | ✓ | ✓ | annotation-queues:read |
| Get queue total size | ✓ | ✓ | ✓ | annotation-queues:read |
| Get queue total archived | ✓ | ✓ | ✓ | annotation-queues:read |
| Get queue size | ✓ | ✓ | ✓ | annotation-queues:read |
| Add runs to queue | ✓ | ✓ | ✗ | annotation-queues:update |
| Update run in queue | ✓ | ✓ | ✗ | annotation-queues:update |
| Delete run from queue | ✓ | ✓ | ✗ | annotation-queues:update |
| Delete runs from queue (bulk) | ✓ | ✓ | ✗ | annotation-queues:update |
| Create identity annotation queue run status | ✓ | ✓ | ✗ | annotation-queues:update |
| Export archived runs | ✓ | ✓ | ✓ | annotation-queues:read |
Prompts
Prompt templates and chains in the LangChain Hub.| Operation | Workspace Admin | Workspace Editor | Workspace Viewer | Required Permission |
|---|---|---|---|---|
| List prompt repos | ✓ | ✓ | ✓ | prompts:read |
| View prompt repo | ✓ | ✓ | ✓ | prompts:read |
| Create prompt repo | ✓ | ✓ | ✗ | prompts:create |
| Fork prompt repo | ✓ | ✓ | ✗ | prompts:create |
| Update prompt repo | ✓ | ✓ | ✗ | prompts:update |
| Delete prompt repo | ✓ | ✓ | ✗ | prompts:delete |
| List commits | ✓ | ✓ | ✓ | prompts:read |
| View commit | ✓ | ✓ | ✓ | prompts:read |
| Push commit | ✓ | ✓ | ✗ | prompts:update |
| List repo tags | ✓ | ✓ | ✓ | prompts:read |
| Get all tags | ✓ | ✓ | ✓ | prompts:read |
| Create tag | ✓ | ✓ | ✗ | prompts:create |
| Update tag | ✓ | ✓ | ✗ | prompts:update |
| Delete tag | ✓ | ✓ | ✗ | prompts:delete |
| View events | ✓ | ✓ | ✓ | prompts:read |
| List comments | ✓ | ✓ | ✓ | prompts:read |
| Create comment | ✓ | ✓ | ✗ | prompts:read |
| Delete comment | ✓ | ✓ | ✗ | prompts:read |
| Toggle like | ✓ | ✓ | ✗ | prompts:read |
| Optimize prompt | ✓ | ✓ | ✗ | prompts:update |
| List optimization jobs | ✓ | ✓ | ✓ | prompts:read |
| Create optimization job | ✓ | ✓ | ✗ | prompts:create |
| Update optimization job | ✓ | ✓ | ✗ | prompts:update |
| Delete optimization job | ✓ | ✓ | ✗ | prompts:delete |
| Invoke prompt canvas | ✓ | ✓ | ✗ | prompts:update |
| List quick actions | ✓ | ✓ | ✓ | prompts:read |
| Create quick action | ✓ | ✓ | ✓ | prompts:read |
| Delete quick action | ✓ | ✓ | ✓ | prompts:read |
| Update quick action | ✓ | ✓ | ✓ | prompts:read |
Some prompt operations support public access for shared prompts.
Charts
Custom visualizations and dashboards.| Operation | Workspace Admin | Workspace Editor | Workspace Viewer | Required Permission |
|---|---|---|---|---|
| List charts | ✓ | ✓ | ✓ | charts:read |
| Get chart by ID | ✓ | ✓ | ✓ | charts:read |
| Create chart | ✓ | ✓ | ✗ | charts:create |
| Update chart | ✓ | ✓ | ✗ | charts:update |
| Delete chart | ✓ | ✓ | ✗ | charts:delete |
| Render chart | ✓ | ✓ | ✓ | charts:read |
| List chart sections | ✓ | ✓ | ✓ | charts:read |
| Get chart section by ID | ✓ | ✓ | ✓ | charts:read |
| Create chart section | ✓ | ✓ | ✗ | charts:create |
| Update chart section | ✓ | ✓ | ✗ | charts:update |
| Delete chart section | ✓ | ✓ | ✗ | charts:delete |
| Render chart section | ✓ | ✓ | ✓ | charts:read |
Deployments
LangSmith Deployment configurations.| Operation | Workspace Admin | Workspace Editor | Workspace Viewer | Required Permission |
|---|---|---|---|---|
| Create deployment | ✓ | ✓ | ✗ | deployments:create |
| View deployment | ✓ | ✓ | ✓ | deployments:read |
| Update deployment | ✓ | ✓ | ✗ | deployments:update |
| Delete deployment | ✓ | ✗ | ✗ | deployments:delete |
Workspace settings and management
| Operation | Workspace Admin | Workspace Editor | Workspace Viewer | Required Permission |
|---|---|---|---|---|
| View workspace info | ✓ | ✓ | ✓ | workspaces:read |
| View workspace statistics | ✓ | ✓ | ✓ | workspaces:read |
| Update workspace (name, description) | ✓ | ✗ | ✗ | workspaces:manage |
| Delete workspace | ✓ | ✗ | ✗ | workspaces:manage |
| View workspace members | ✓ | ✓ | ✓ | workspaces:read |
| View active workspace members | ✓ | ✓ | ✓ | workspaces:read |
| View pending workspace members | ✓ | ✓ | ✓ | workspaces:read |
| Add member to workspace | ✓ | ✗ | ✗ | workspaces:manage |
| Add members (batch) | ✓ | ✗ | ✗ | workspaces:manage |
| Update workspace member role | ✓ | ✗ | ✗ | workspaces:manage |
| Remove workspace member | ✓ | ✗ | ✗ | workspaces:manage |
| Delete pending workspace member | ✓ | ✗ | ✗ | workspaces:manage |
| View usage limits | ✓ | ✓ | ✓ | workspaces:read |
| View shared entities | ✓ | ✓ | ✓ | workspaces:read |
| Bulk unshare entities | ✓ | ✗ | ✗ | workspaces:manage |
Tags
| Operation | Workspace Admin | Workspace Editor | Workspace Viewer | Required Permission |
|---|---|---|---|---|
| List tag keys | ✓ | ✓ | ✓ | workspaces:read |
| Get tag key | ✓ | ✓ | ✓ | workspaces:read |
| Create tag key | ✓ | ✗ | ✗ | workspaces:manage |
| Update tag key | ✓ | ✗ | ✗ | workspaces:manage |
| Delete tag key | ✓ | ✗ | ✗ | workspaces:manage |
| List tag values | ✓ | ✓ | ✓ | workspaces:read |
| Get tag value | ✓ | ✓ | ✓ | workspaces:read |
| Create tag value | ✓ | ✗ | ✗ | workspaces:manage |
| Update tag value | ✓ | ✗ | ✗ | workspaces:manage |
| Delete tag value | ✓ | ✗ | ✗ | workspaces:manage |
| List tags | ✓ | ✓ | ✓ | workspaces:read |
| List tags for resource | ✓ | ✓ | ✓ | workspaces:read |
| List tags for resources (batch) | ✓ | ✓ | ✓ | workspaces:read |
| List taggings | ✓ | ✓ | ✓ | workspaces:read |
| Create tagging | ✓ | ✗ | ✗ | workspaces:manage |
| Delete tagging | ✓ | ✗ | ✗ | workspaces:manage |
Bulk exports
| Operation | Workspace Admin | Workspace Editor | Workspace Viewer | Required Permission |
|---|---|---|---|---|
| List bulk exports | ✓ | ✓ | ✓ | workspaces:read |
| Get bulk export | ✓ | ✓ | ✓ | workspaces:read |
| Create bulk export | ✓ | ✗ | ✗ | workspaces:manage |
| Cancel bulk export | ✓ | ✗ | ✗ | workspaces:manage |
| Get bulk export destinations | ✓ | ✓ | ✓ | workspaces:read |
| Get bulk export destination | ✓ | ✓ | ✓ | workspaces:read |
| Create bulk export destination | ✓ | ✗ | ✗ | workspaces:manage |
| Get filtered export runs | ✓ | ✓ | ✓ | workspaces:read |
MCP servers
Model Context Protocol servers for extended functionality.| Operation | Workspace Admin | Workspace Editor | Workspace Viewer | Required Permission |
|---|---|---|---|---|
| List MCP servers | ✓ | ✓ | ✓ | workspaces:read |
| Get MCP server | ✓ | ✓ | ✓ | workspaces:read |
| Create MCP server | ✓ | ✓ | ✓ | workspaces:read |
| Update MCP server | ✓ | ✓ | ✓ | workspaces:read |
| Delete MCP server | ✓ | ✓ | ✓ | workspaces:read |
User-level operations
These operations are available to all authenticated users and don’t require specific workspace or organization permissions:- View own user profile
- Update own user profile
- List organizations for user
- Create new organization
- List pending workspace invites
- Delete pending workspace invite
- Claim pending workspace invite
- List pending organization invites
- Delete pending organization invite
- Claim pending organization invite
Permission inheritance
Organization to workspace
- Organization Admin automatically has full permissions in all workspaces.
- Organization User and Organization Viewer only get workspace access when explicitly added to workspaces with workspace-level roles.
Workspace role independence
- Users can have different workspace roles in different workspaces.
- A user might be a Workspace Admin in one workspace and a Workspace Viewer in another.