- Which system roles can perform each operation.
- The specific permission string required.
- Notes about partial access or special cases.
For an overview of LangSmith’s RBAC system, role definitions, and permission concepts, refer to Role-based access control.
Contents
Additional information:
- User-level operations: Operations for all authenticated users
- Permission inheritance: How roles inherit across org/workspaces
Legend
- ✓ Allowed: User with this role can perform this action
- ✗ Not Allowed: User with this role cannot perform this action
- ⚠ Partial: User has limited access (see notes)
Organization-level operations
Organization-level operations are controlled by organization roles, which are separate from the RBAC feature. Learn more in the Role-based access control guide.
Organization settings
Workspaces
Organization-level workspace management operations.Organization members
Roles and permissions
SSO and authentication
SCIM
System for Cross-domain Identity Management for user provisioning.Access policies
Attribute-based access control (ABAC) policies for fine-grained permissions.Billing and payments
API keys
* Organization Operators and Organization Users can create workspace-scoped service keys only for workspaces where they are a Workspace Admin. Org-wide service keys require the Organization Admin role.
Organization charts and dashboards
Usage and analytics
Workspace-level operations
These operations are controlled by workspace-level roles and permissions.Projects
Projects organize traces and runs from your LLM applications.*
projects:increase-trace-tier and projects:decrease-trace-tier are independent and can be granted separately in custom roles. For example, you can allow a role to decrease retention without allowing it to increase retention. If a user lacks both permissions, the retention settings UI is hidden entirely. If they have only one, the UI is partially enabled (the disallowed direction is disabled).Runs
Individual execution traces and spans from your LLM applications.Rules
Automated run rules that trigger actions based on run conditions.Alerts
Alert rules for monitoring run conditions.Datasets
Test datasets with examples for evaluation.Workspace Editors have partial access because they cannot create projects, which limits their ability to create new experiments.
Examples
Individual examples within datasets.Experiments
Comparative experiments for evaluating LLM outputs.Workspace Editors have partial access because they cannot create projects, which limits their ability to create new experiments.
Feedback
Scores, labels, and corrections on LLM outputs.Annotation queues
Human review queues for LLM outputs.Prompts
Prompt templates and chains in the LangChain Hub.Some prompt operations support public access for shared prompts.
Charts
Custom visualizations and dashboards.Deployments
LangSmith Deployment configurations.Workspace settings and management
Tags
Bulk exports
MCP servers
Model Context Protocol servers for extended functionality.Fleet
Fleet workspace administration operations.User-level operations
These operations are available to all authenticated users and don’t require specific workspace or organization permissions:- View own user profile
- Update own user profile
- List organizations for user
- Create new organization
- List pending workspace invites
- Delete pending workspace invite
- Claim pending workspace invite
- List pending organization invites
- Delete pending organization invite
- Claim pending organization invite
Permission inheritance
Organization to workspace
- Organization Admin automatically has full permissions in all workspaces.
- Organization Operator only gets workspace access when explicitly added to workspaces with workspace-level roles (or to workspaces they create).
- Organization User and Organization Viewer only get workspace access when explicitly added to workspaces with workspace-level roles.
Workspace role independence
- Users can have different workspace roles in different workspaces.
- A user might be a Workspace Admin in one workspace and a Workspace Viewer in another.
Connect these docs to Claude, VSCode, and more via MCP for real-time answers.

