Roles
Create custom roles with fine-grained permission scopes to control exactly what each admin user can see and do.
What you can do here
- View built-in role templates and the scopes they include
- Create custom roles with any combination of permission scopes
- Edit or delete custom roles
- Assign roles to admin users from the Admin Users page
Built-in role templates
The following predefined roles are available in every organization. They are read-only and cannot be modified.
| Role | Included permissions |
|---|---|
| Owner | All permissions (full access) |
| Security Admin | View and manage monitoring, security, guards, and AI discovery |
| IT Admin | Full access to integrations, toolkits, skills, plugins, users, groups, and machine users |
| Read Only | View access to all resources — no create, edit, or delete |
Permission scopes
When creating a custom role, you select permissions from the following categories:
| Category | Available actions |
|---|---|
| Integrations (MCPs) | View, Create, Edit, Delete, Publish |
| Toolkits | View, Create, Edit, Delete, Publish |
| Skills | View, Create, Edit, Delete, Publish |
| Commands | View, Create, Edit, Delete |
| Rules | View, Create, Edit, Delete |
| Hooks | View, Create, Edit, Delete |
| Plugins | View, Create, Edit, Delete |
| Guards | View, Create, Edit, Delete |
| End Users | View, Invite, Edit, Delete |
| Admin Users | View, Invite, Edit, Delete, Manage Roles |
| Organization | View Settings, Edit Settings, Billing |
| Groups | View, Create, Edit, Delete |
| Monitoring & Shadow AI | View, Manage |
| Audit | View Logs |
Manage Roles permission
The Manage Roles permission (under Admin Users) is required to create, edit, or delete custom roles and to change another admin's role assignment.
Create a custom role
- Click New Role.
- Enter a name and optional description.
- Select the permission scopes this role should have.
- Click Create Role.
New custom roles appear in the role selector when inviting or editing an admin user.
Edit or delete a role
Click on a custom role in the list to edit its name, description, or scopes. Deleting a role does not remove admin users who hold it — they fall back to no custom role assignment.