Roles

Roles define what members can do within your enterprise and its workspaces. In addition to the built-in roles, you can create custom roles with granular permissions tailored to how your organization operates.

Built-in roles

Four roles are available by default.

Owner has full control over the enterprise, including billing, member management, and all settings.

Admin can manage enterprise settings, invite and remove members, change roles, and create workspaces. Admins cannot manage billing or other Owners.

Editor can create workspaces and collaborate on workspaces they are added to. Editors cannot manage enterprise settings or members.

Viewer has read-only access across the enterprise.

These roles cover common access patterns, but many organizations need something more specific.

Custom roles

Custom roles let you define exactly what a member can and cannot do. Instead of fitting everyone into one of four categories, you can create roles that match the way your teams actually work.

To create a custom role, go to your enterprise settings and navigate to the Roles section. Give the role a name, a description, and then select the permissions it should have.

Custom roles appear alongside built-in roles when you invite members or change someone's role. They work the same way everywhere, at both the enterprise and workspace level.

Granular permissions

Permissions are the individual capabilities that make up a role. Rather than granting broad access through a role like Admin or Editor, granular permissions let you control access to specific actions.

Permissions are grouped by area.

  • Enterprise management covers settings, billing, and member administration
  • Workspace management covers creating, configuring, and deleting workspaces
  • Agent configuration covers tools, rulesets, models, and agent behavior
  • Content covers files, code editing, and conversation access
  • Integrations covers GitHub connections and third-party services

When building a custom role, you select the specific permissions that role should have. A role can have any combination of permissions, so you can create roles as broad or as narrow as you need.

For example, you might create a "Security Reviewer" role that can view all workspaces and manage rulesets but cannot edit files or change enterprise settings. Or you might create a "Tool Administrator" role that can configure MCP servers and manage secrets but has no access to billing or member management.

Assigning roles

Roles are assigned when you invite a member or from the People page in your enterprise settings. Each member has one role at the enterprise level. At the workspace level, members can be assigned a different role that applies only within that workspace.

Workspace roles follow the same permission model. If you have created custom roles, they are available for workspace-level assignment as well.

Best practices

  • Start with built-in roles and create custom roles when you find that the defaults do not match your access requirements
  • Name roles after their function, not after teams or individuals. "Security Reviewer" is more durable than "Sarah's Role"
  • Keep the number of custom roles manageable. A handful of well-defined roles is easier to maintain than dozens of highly specific ones
  • Review permissions periodically as your organization's needs change
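
One way to carry out the periodic review is to check each custom role against the limits its description states, here for the "Security Reviewer" and "Tool Administrator" examples above. This is an added example, not the product's own code: the `area:action` permission names, the "Ruleset Auditor" role, and the hand-transcribed role definitions are assumptions made for illustration.

```python
# Hypothetical "area:action" permission names; the product's real identifiers
# are not given on this page. Areas mirror the permission groups listed above.
AREAS = {"enterprise", "workspace", "agent", "content", "integrations"}

# Constructed role definitions, transcribed by hand for the review.
ROLES = {
    "Security Reviewer": {"workspace:view", "agent:manage_rulesets"},
    "Tool Administrator": {"agent:configure_mcp", "agent:manage_secrets"},
    "Ruleset Auditor": {"agent:manage_rulesets", "workspace:view"},
}

# Permissions each role must never hold, taken from its stated purpose.
MUST_NOT = {
    "Security Reviewer": {"content:edit_files", "enterprise:settings"},
    "Tool Administrator": {"enterprise:billing", "enterprise:members"},
}


def review_roles(roles, must_not):
    """Return (role, finding) tuples for a periodic permission review."""
    findings = []
    for name in sorted(roles):
        perms = roles[name]
        for perm in sorted(perms):
            # An unrecognised area usually means a typo or a stale entry.
            if perm.split(":", 1)[0] not in AREAS:
                findings.append((name, f"unknown area in {perm}"))
        # The role has drifted beyond what its description allows.
        for perm in sorted(perms & must_not.get(name, set())):
            findings.append((name, f"forbidden permission {perm}"))
    # Identical permission sets mean one of the two roles is redundant.
    names = sorted(roles)
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            if roles[first] == roles[second]:
                findings.append((second, f"duplicate of {first}"))
    return findings


if __name__ == "__main__":
    for role, finding in review_roles(ROLES, MUST_NOT):
        print(f"{role}: {finding}")
```

On the constructed data the only finding is that "Security Reviewer" and "Ruleset Auditor" grant the same permissions, which is the kind of redundancy that keeping the number of custom roles manageable is meant to avoid.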