Roles & Permissions

Manage organization roles and permissions to control access levels for members across your organization.

Roles and permissions let you control what each team member can do at the organization level—across projects, billing, SSO, and other org-wide settings.

For an overview of how roles, policies, and permissions work together, see the RBAC overview.

Organization Roles & Permissions

Default Roles

Every organization comes with three preset roles. Each preset role includes all organization permissions unless noted otherwise.

Owner

Full access to all resources in the organization, including transferring ownership and removing any member. No permission exclusions.

Admin

Includes all permissions. Admins can do everything an Owner can except remove an Owner or transfer ownership to themselves.

Member

Includes everything except project:manage, organization:manage, featureAccess:manage, sso:manage, apiKey:manage, user:manage, user:delete, billing:manage, modelCredential:manage, modelCost:manage, metric:manage, retentionConfig:manage, and iam:manage. Members have read access to these areas but cannot change org-wide settings, manage or remove users, or manage roles and policies.

Bypass Project Permissions

The organization permission project:manage gives unrestricted project access and controls two important behaviors:

  1. Seeing all projects — Users with project:manage can see every project in the organization in the organization projects list. Users without it only see projects they are explicitly members of.
  2. Bypassing project-level checks — When accessing a project, users with project:manage at the organization level bypass that project’s role-based permissions. They effectively have full access to the project regardless of their project role. This is how Owners and Admins can access and manage any project in the org.

Owners and Admins have project:manage by default. Members do not; custom roles can include or exclude it as needed.

Custom Roles

You can create custom roles to fit your organization’s needs. To create a new role:

  1. Navigate to Organization Settings > Roles & Permissions
  2. Click New Role
  3. Enter a name and description for the role
  4. Assign a policy to the role
  5. Click Save

Custom Policies

Policies define the specific permissions a role has. Each permission controls access to a particular action at the organization level.

To create a custom policy:

  1. Navigate to Organization Settings > Roles & Permissions
  2. Scroll to Custom Policies and click New Policy
  3. Enter a name for the policy
  4. Select the permissions you want to include
  5. Click Save

Once created, you can assign your custom policy to any role.

Organization roles are separate from project roles. A user’s organization role applies across the org (billing, SSO, feature access, etc.); their project role applies only within each project they belong to—unless they have project:manage, which lets them access all projects.

Permission Syntax

Organization permissions follow the same resource:action format as project permissions. For example, billing:read grants read access to billing info, while user:manage allows managing organization users.

Actions:

  • read — View resources or settings
  • manage — Create, update, or configure (varies by resource)
  • create — Create new resources (used for project)
  • delete — Remove resources or users (used for user)

Permission resources (organization):

  • project — Create projects; project:manage also controls visibility of all projects and bypassing project-level permissions (see above)
  • organization — Organization settings and metadata
  • featureAccess — Feature flags and plan-based access
  • sso — SSO providers and configuration
  • apiKey — Organization API keys
  • user — Organization user management; user:manage controls assigning roles to users, while user:delete controls removing users from the organization
  • billing — Billing and subscription
  • modelCredential, modelCost, metric — Org-level model credentials, costs, and metrics
  • retentionConfig — Data retention settings for traces, spans, test runs, datasets, and prompts (how long each is kept)
  • iam — Organization roles and policies

Not every resource has every action. You can see the full list of permissions on the Roles & Permissions page in Organization Settings.
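For an access review of custom policies, the sketch below applies the resource:action syntax, the Member exclusion list, and the project:manage bypass rule described above. It is an added example, not the product's own code or API: the function names, the list-of-strings policy format, the case-sensitive name matching, and the sample policy are assumptions made for illustration.

```python
# Added example: names and the input format are assumptions, not the product's API.
RESOURCES = {"project", "organization", "featureAccess", "sso", "apiKey", "user",
             "billing", "modelCredential", "modelCost", "metric",
             "retentionConfig", "iam"}
ACTIONS = {"read", "manage", "create", "delete"}

# Permissions the page lists as excluded from the preset Member role.
MEMBER_EXCLUDED = {
    "project:manage", "organization:manage", "featureAccess:manage",
    "sso:manage", "apiKey:manage", "user:manage", "user:delete",
    "billing:manage", "modelCredential:manage", "modelCost:manage",
    "metric:manage", "retentionConfig:manage", "iam:manage",
}
BYPASS = "project:manage"  # sees every project, skips project-level role checks


def review_policy(permissions):
    """Classify a custom policy's permission strings for an access review."""
    report = {"malformed": [], "beyond_member": [], "bypasses_projects": False}
    for raw in permissions:
        perm = raw.strip()
        resource, sep, action = perm.partition(":")
        # Only names are checked: the page notes not every resource has every action.
        if not sep or resource not in RESOURCES or action not in ACTIONS:
            report["malformed"].append(raw)
            continue
        if perm in MEMBER_EXCLUDED:
            report["beyond_member"].append(perm)
        if perm == BYPASS:
            report["bypasses_projects"] = True
    report["beyond_member"].sort()
    return report


def visible_projects(org_permissions, memberships, all_projects):
    """Projects a user sees in the org list, per the project:manage rule."""
    if BYPASS in {p.strip() for p in org_permissions}:
        return sorted(all_projects)
    return sorted(set(memberships) & set(all_projects))


# Constructed sample policy (hypothetical "Support Lead" custom role).
SAMPLE = ["billing:read", "user:manage", "project:manage", "Billing:Manage", "sso"]

if __name__ == "__main__":
    print(review_policy(SAMPLE))
    print(visible_projects(SAMPLE, ["alpha"], ["alpha", "beta", "gamma"]))
```

A policy that reports bypasses_projects as true gives its holders full access to every project regardless of project role, so it deserves the same scrutiny as the Admin preset.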