Skip to main content
RBAC is gradually being rolled out to our Enterprise customers. If you have an Enterprise subscription with Relevance AI and do not have access to this feature yet, please reach out to your sales representative to share your interest in this feature.You will not be able to access this feature if you are not on an Enterprise subscription.
Role-based access controls (RBAC) in Relevance AI is a security and governance feature that allows organizations to manage user access based on predefined roles and responsibilities. It ensures that individuals only have access to the data, tools, and platform functions necessary for their role, supporting operational control, collaboration, and compliance across teams. These new controls are designed to enhance security for our Enterprise clients by providing granular permissions at different levels. There are three main levels: org-level roles (Owner, Admin, Member, Viewer), project-level roles (Admin, Editor, Member, Chat, Viewer), and asset-level roles (Admin, Member, Viewer). Each role has specific permissions that dictate what users can do within the platform, such as managing credits, using agents, accessing integrations, and using Chat. This means you can tailor access based on the needs of your team, ensuring that sensitive information and functionalities are only available to those who need them.

Best Practices

Keep permissions simple. Assign roles based on who needs to build, who needs to view, who needs to chat, and who needs to govern.

Organization Level

  • Owners — have full control including billing and can delete the organization. Assign to 1-2 people maximum (CEO, CTO, or Head of Operations). Owners have all Admin permissions plus billing control.
  • Admins — set up and manage teams, projects, and authentication. Usually your workspace or IT leads.
  • Members — can only access projects they’re assigned to. Cannot create projects at the organization level. Asset creation within projects is controlled by project-level permissions. Best for users who need access to specific projects but shouldn’t manage organization-wide settings.
  • Viewers — view-only access to audit logs, usage data, and compliance reports. Use this for stakeholders who need visibility without operational access.

Project Level

RoleWhen to use it
AdminsOwn the project setup and governance. They control permissions and authentication accounts.
EditorsBuild, edit, and run all assets in the project. Treat them as your core contributors.
MembersCan build their own assets but don’t automatically see or edit others’. Best for independent work within shared projects.
ChatAccess Relevance Chat only, cannot access the web app. Requires asset-level permissions to run agents.
ViewersCan’t build or edit. Add them only to the specific assets they need to see.
Keep admin/editor access limited to people actively managing or building. Everyone else should be a member or viewer by default.

Asset Level

  • Project admins and editors automatically have full control.
  • Members can run assets but can’t modify them unless granted edit rights.
  • Viewers can only see results or outputs — they can’t run or trigger anything.
Default to least privilege. Grant edit rights intentionally, not by habit.

Organization level controls

New organization members will be given viewer permissions by default. If invited, their role will be selected during invite.

Roles

RoleCapabilities
OwnerFull control of organization, billing, security, users and all projects
AdminManage users, projects, organization-level API keys and OAuths
MemberAccess only assigned projects. Cannot create projects at organization level. Asset creation within projects is controlled by project-level permissions.
ViewerView-only access to agent and tool audit logs, usage data and compliance reports

Permissions

PermissionOwnerAdminMemberViewer
Manage billing
Manage organization settings (name, logo, domain etc.)
Manage organization users
Manage API keys & OAuths (Org-level connections)
View global audit logs
View all projects and agents
Delete any asset
Edit project roles
View credit information
Create projects
View organization members / admins

Project level controls

Project admins will be able to set a users role upon invite. Organization admins can also set this for any project.

Roles

RoleCapabilities
AdminManage users, agents, tools, knowledge and project-level integrations. Can create assets
EditorCan edit and create assets, does not manage users
MemberUse shared assets, provide inputs and view outputs. Can create assets, private by default.
ChatAccess Relevance Chat only - cannot access the web app. Requires asset-level permissions to run agents.
ViewerView agents, tools, and knowledge outputs only, cannot run or edit anything
Editor is a project-level role only and does not exist at organization or asset levels. Project Editors automatically have Admin permissions on all assets within the project.

Permissions

Scroll horizontally to view all columns, including the Chat role permissions.
PermissionAdminEditorMemberViewerChat
Delete project
Assign project roles to users
Manage project-level API keys & OAuths
Add personal OAuth accounts (dynamic auth)
Delete agents
View all assets by default
Edit/run assets they did not create
View project activity logs
Manage personal Relevance API key
Create assets
View Project
Access Web App
Run a chat (LLM)
Project Viewer access grants read-only visibility to full asset configurations — including prompts, tools, and steps. There is no field-level redaction. If a Viewer cannot see an agent’s internals, it’s because they lack asset-level access entirely, not because their read access is limited to metadata.
“Manage project-level API keys & OAuths” refers to shared, project-wide accounts only. All team members can add their own personal OAuth accounts when dynamic authentication is enabled on a shared agent — this is not restricted to admins.

Chat Role Details

The Chat role is a new feature being gradually rolled out to Enterprise customers. If you have an Enterprise subscription with Relevance AI and do not have access to this feature yet, please reach out to your sales representative to share your interest in this feature.
The Chat role is designed for users who only need to interact with AI agents through Relevance Chat without accessing the main web application. Key characteristics:
Chat role users can only see and run agents they have Member or higher permissions on. They won’t be able to see any other agents in Chat. This allows you to control exactly which agents each Chat user can access by assigning asset-level permissions.
Users with this role are automatically redirected to Chat and cannot access the web app.
Cannot create new agents, tools, or knowledge bases.
Can have conversations with LLMs and in-built Chat Agents directly without agents.
Can trigger Chat and interact with agents (with proper asset permissions).
Cannot create assets or access the web app.
This role is ideal for end users, external collaborators, or team members who only need to use pre-built agents through the chat interface.

Asset level controls

An asset is an Agent, Tool, Knowledge or Workforce. Upon asset creation, the creator becomes the admin. An asset can have multiple admins (project admin is by default).

Roles

RoleCapabilities
AdminManage asset configuration, tools, knowledge and assign asset-level users
MemberUse asset only, provide inputs and view outputs
ViewerView asset configuration and outputs only, cannot run or edit anything

Permissions

PermissionAdminMemberViewer
Edit asset
Delete asset
Assign roles on asset
Assign auth per tool
Enable cloning/sharing of asset
Create tasks on asset
View asset configuration
View asset outputs
View asset audit logs
Asset Viewer access grants read-only visibility to full asset configurations — including prompts, tools, and steps. There is no field-level redaction. If a Viewer cannot see an agent’s internals, it’s because they lack asset-level access entirely, not because their read access is limited to metadata.
Adding someone as a Member on an agent does not give them access to the agent’s tools. If a tool is set to Only invited, you must also add that person as a Member on each of those tools, otherwise the tool is silently dropped when they run the agent.

Workforce Permissions

Workforces are treated as first-class assets in the RBAC system. However, running a workforce requires permissions at two levels:
  1. Workforce permission - The user must have at least Member (run) access to the workforce itself
  2. Agent permissions - The user must have at least Member (run) access to each agent used within the workforce
This means when sharing a workforce, you must:
  • Share the workforce with the user at the desired permission level
  • Share each agent in the workforce at a matching (or higher) permission level

Example scenarios

GoalWorkforce RoleAgent Roles
User can run workforceMemberMember on all agents
User can edit workforceAdminAdmin on all agents
User can view but not runViewerViewer on all agents
Note: If a user has run access to a workforce but lacks permissions on one or more agents, they will see a “Cannot run agent” warning in the workforce builder and will be unable to execute the workflow.
Learn more about sharing workforces as cloneable templates.

Transitioning to RBAC

If your organization is being migrated from legacy permissions to RBAC, this section covers what changes, what stays the same, and what actions you need to take.

Before RBAC (legacy permissions)

The legacy permission system had three roles — Admin, Editor, and Viewer — applied at the project and organization level only:

Admin

Full read and write access to all assets and settings.

Editor

Read and write access to all datasets, knowledge sets, and agents. Could run agents and tools.

Viewer

Read access to all datasets, knowledge sets, and agents. Could run agents.
There was no asset-level granularity. All users with a given role had the same access to every asset in the project by default. Shared credentials (API keys, OAuths) applied project-wide.

During the migration

The Relevance AI team handles the technical migration to RBAC. You do not need to manually migrate roles, but you should review and adjust assignments after migration is complete. How legacy roles map to RBAC roles by default:
Legacy roleDefault RBAC role (project level)
AdminAdmin
EditorEditor
ViewerViewer
The Viewer role changes significantly under RBAC. Legacy Viewers could run agents — RBAC Viewers cannot run anything and can only view assets they have been explicitly granted access to. Users who only need to interact with agents via chat should be assigned the Chat role, not Viewer.
After migration, review every user mapped to Viewer and determine whether they should be:
  • Chat — for users who only need to use agents through Relevance Chat
  • Viewer — for users who genuinely only need read access to asset configurations and outputs
  • Member — for users who need to run agents

After RBAC is enabled

Once RBAC is active for your organization:
Access to individual agents, tools, and knowledge bases is controlled separately from project-level roles.
Project Admin and Editor roles cascade to asset Admin on every asset in the project automatically.
Members, Viewers, and Chat users receive a 403 error on any asset they have not been granted access to.
Instead of one set of project-wide credentials, asset admins can assign specific authentication accounts per tool.
Assign access on each individual agent, tool, or knowledge base from its Share modal.

Action items for admins

After RBAC is enabled, complete these steps to restore appropriate access for your team:
1

Review user roles immediately

Check that the default role mappings match your intended access levels, particularly for legacy Viewer accounts.
2

Assign asset-level permissions

Use the Share modal on each agent, tool, and knowledge base that non-Admin/Editor users need to access.
3

Use RBAC Groups for bulk assignment

If many users need the same access, create a group and assign asset permissions to the group rather than to individual users.
4

Audit chat-only users

Confirm that users who only need Relevance Chat access are assigned the Chat project role, not Viewer.
5

Verify critical users can access required assets

Test access for key team members, especially those with Member or Viewer roles, before announcing the migration is complete.

Permission inheritance and cascading

Project roles fall into two groups: those that cascade Admin access to every asset automatically, and those that start with no asset access until it is explicitly granted.

Cascades to asset Admin

Admin and Editor automatically receive Admin access on every asset in the project — no per-asset setup required.

Starts with no access

Member, Viewer, and Chat receive nothing by default. Each asset must be shared with them explicitly, or they get a 403 error.
To grant access at scale, assign asset permissions to an RBAC Group rather than to each user individually.

Technical implementation notes

The following is relevant primarily for API users and developers integrating directly with the authorization system.
The “Member” role label in the UI maps to the operator role in the authorization system. When querying permissions via the API, use operator rather than member.

Frequently asked questions (FAQs)

No. This feature is available for Enterprise subscriptions only.
This feature is gradually being rolled out to Enterprise customers. Please reach out to your sales representative to express your interest in receiving this feature.
To limit a user to only access Relevance Chat, assign them the Chat role at the project level. Users with the Chat role are automatically redirected to Chat and cannot access the main web application. They can still interact with agents and have LLM conversations, but will need appropriate asset-level permissions (Member or higher) on specific agents to run them in Chat.
Yes, assigning a user the Asset Member role for a specific agent allows them to create tasks on the agent, approve/reject escalations, and view outputs, but not edit or delete the agent’s configuration.