Skip to main content
This page provides a comprehensive reference table of workspace and organization operations and which roles can perform them. The list includes API operations in LangSmith along with:
  • Which system roles can perform each operation.
  • The specific permission string required.
  • Notes about partial access or special cases.
For an overview of LangSmith’s RBAC system, role definitions, and permission concepts, refer to Role-based access control.

Contents

Additional information:

Legend

  • Allowed: User with this role can perform this action
  • Not Allowed: User with this role cannot perform this action
  • Partial: User has limited access (see notes)

Organization-level operations

Organization-level operations are controlled by organization roles, which are separate from the RBAC feature. Learn more in the Role-based access control guide.

Organization settings

Workspaces

Organization-level workspace management operations.

Organization members

Roles and permissions

SSO and authentication

SCIM

System for Cross-domain Identity Management for user provisioning.

Access policies

Attribute-based access control (ABAC) policies for fine-grained permissions.

Billing and payments

API keys

* Organization Operators and Organization Users can create workspace-scoped service keys only for workspaces where they are a Workspace Admin. Org-wide service keys require the Organization Admin role.

Organization charts and dashboards

Usage and analytics

Workspace-level operations

These operations are controlled by workspace-level roles and permissions.
To understand what each role means and their overall capabilities, refer to the Role-based access control guide.

Projects

Projects organize traces and runs from your LLM applications.
* projects:increase-trace-tier and projects:decrease-trace-tier are independent and can be granted separately in custom roles. For example, you can allow a role to decrease retention without allowing it to increase retention. If a user lacks both permissions, the retention settings UI is hidden entirely. If they have only one, the UI is partially enabled (the disallowed direction is disabled).

Runs

Individual execution traces and spans from your LLM applications.

Rules

Automated run rules that trigger actions based on run conditions.

Alerts

Alert rules for monitoring run conditions.

Datasets

Test datasets with examples for evaluation.
Workspace Editors have partial access because they cannot create projects, which limits their ability to create new experiments.

Examples

Individual examples within datasets.

Experiments

Comparative experiments for evaluating LLM outputs.
Workspace Editors have partial access because they cannot create projects, which limits their ability to create new experiments.

Feedback

Scores, labels, and corrections on LLM outputs.

Annotation queues

Human review queues for LLM outputs.

Prompts

Prompt templates and chains in the LangChain Hub.
Some prompt operations support public access for shared prompts.

Charts

Custom visualizations and dashboards.

Deployments

LangSmith Deployment configurations.

Workspace settings and management

Tags

Bulk exports

bulk-exports:read and bulk-exports:manage are dedicated permissions that allow you to grant export access via a custom role without granting the broader workspaces:manage scope. This is useful for security-team service keys that need to export traces but should not be able to manage workspaces, members, or secrets.

MCP servers

Model Context Protocol servers for extended functionality.

Fleet

Fleet workspace administration operations.

User-level operations

These operations are available to all authenticated users and don’t require specific workspace or organization permissions:
  • View own user profile
  • Update own user profile
  • List organizations for user
  • Create new organization
  • List pending workspace invites
  • Delete pending workspace invite
  • Claim pending workspace invite
  • List pending organization invites
  • Delete pending organization invite
  • Claim pending organization invite

Permission inheritance

Organization to workspace

For detailed role definitions, refer to Organization roles and Workspace roles.

Workspace role independence