Enhancing security, collaboration, and control for Enterprise teams
RBAC is gradually being rolled out to our Enterprise customers. If you have an Enterprise subscription with Relevance AI and do not have access to this feature yet, please reach out to your sales representative to share your interest in this feature.You will not be able to access this feature if you are not on an Enterprise subscription.
Role-based access controls (RBAC) in Relevance AI is a security and governance feature that allows organizations to manage user access based on predefined roles and responsibilities. It ensures that individuals only have access to the data, tools, and platform functions necessary for their role, supporting operational control, collaboration, and compliance across teams.These new controls are designed to enhance security for our Enterprise clients by providing granular permissions at different levels.There are three main levels: org-level roles (Owner, Admin, Member, Viewer), project-level roles (Admin, Editor, Member, Chat, Viewer), and asset-level roles (Admin, Member, Viewer).Each role has specific permissions that dictate what users can do within the platform, such as managing credits, using agents, accessing integrations, and using Chat.This means you can tailor access based on the needs of your team, ensuring that sensitive information and functionalities are only available to those who need them.
Owners — have full control including billing and can delete the organization. Assign to 1-2 people maximum (CEO, CTO, or Head of Operations). Owners have all Admin permissions plus billing control.
Admins — set up and manage teams, projects, and authentication. Usually your workspace or IT leads.
Members — can only access projects they’re assigned to. Cannot create projects at the organization level. Asset creation within projects is controlled by project-level permissions. Best for users who need access to specific projects but shouldn’t manage organization-wide settings.
Viewers — view-only access to audit logs, usage data, and compliance reports. Use this for stakeholders who need visibility without operational access.
Full control of organization, billing, security, users and all projects
Admin
Manage users, projects, organization-level API keys and OAuths
Member
Access only assigned projects. Cannot create projects at organization level. Asset creation within projects is controlled by project-level permissions.
Viewer
View-only access to agent and tool audit logs, usage data and compliance reports
If your only org Admin becomes unavailable, no one else can manage members, organization settings, org-level API keys and OAuth connections, or project roles. Assign the Admin role to more than one person so access isn’t lost if someone leaves or needs to hand over control.
Manage users, agents, tools, knowledge and project-level integrations. Can create assets
Editor
Can edit and create assets, does not manage users
Member
Use shared assets, provide inputs and view outputs. Can create assets, private by default.
Chat
Access Relevance Chat only - cannot access the web app. Requires asset-level permissions to run agents.
Viewer
View agents, tools, and knowledge outputs only, cannot run or edit anything
Editor is a project-level role only and does not exist at organization or asset levels. Project Editors automatically have Admin permissions on all assets within the project.
Scroll horizontally to view all columns, including the Chat role permissions.
Permission
Admin
Editor
Member
Viewer
Chat
Delete project
✅
❌
❌
❌
❌
Assign project roles to users
✅
❌
❌
❌
❌
Manage project-level API keys & OAuths
✅
❌
❌
❌
❌
Add personal OAuth accounts (dynamic auth)
✅
✅
✅
✅
✅
Delete agents
✅
✅
❌
❌
❌
View all assets by default
✅
✅
❌
❌
❌
Edit/run assets they did not create
✅
✅
❌
❌
❌
View project activity logs
✅
✅
❌
❌
❌
Manage personal Relevance API key
✅
✅
✅
❌
❌
Create assets
✅
✅
✅
❌
❌
View Project
✅
✅
✅
✅
❌
Access Web App
✅
✅
✅
✅
❌
Run a chat (LLM)
✅
✅
✅
✅
✅
Project Viewer access grants read-only visibility to full asset configurations — including prompts, tools, and steps. There is no field-level redaction. If a Viewer cannot see an agent’s internals, it’s because they lack asset-level access entirely, not because their read access is limited to metadata.
“Manage project-level API keys & OAuths” refers to shared, project-wide accounts only. All team members can add their own personal OAuth accounts when dynamic authentication is enabled on a shared agent — this is not restricted to admins.
The Chat role is a new feature being gradually rolled out to Enterprise customers. If you have an Enterprise subscription with Relevance AI and do not have access to this feature yet, please reach out to your sales representative to share your interest in this feature.
The Chat role is designed for users who only need to interact with AI agents through Relevance Chat without accessing the main web application. Key characteristics:
Controlled agent visibility
Chat role users can only see and run agents they have Member or higher permissions on. They won’t be able to see any other agents in Chat. This allows you to control exactly which agents each Chat user can access by assigning asset-level permissions.
Chat-only access
Users with this role are automatically redirected to Chat and cannot access the web app.
No asset creation
Cannot create new agents, tools, or knowledge bases.
LLM conversations
Can have conversations with LLMs and in-built Chat Agents directly without agents.
More powerful than Viewer
Can trigger Chat and interact with agents (with proper asset permissions).
Less powerful than Member
Cannot create assets or access the web app.
This role is ideal for end users, external collaborators, or team members who only need to use pre-built agents through the chat interface.
An asset is an Agent, Tool, Knowledge or Workforce.Upon asset creation, the creator becomes the admin. An asset can have multiple admins (project admin is by default).
Asset Viewer access grants read-only visibility to full asset configurations — including prompts, tools, and steps. There is no field-level redaction. If a Viewer cannot see an agent’s internals, it’s because they lack asset-level access entirely, not because their read access is limited to metadata.
Adding someone as a Member on an agent does not give them access to the agent’s tools. If a tool is set to Only invited, you must also add that person as a Member on each of those tools, otherwise the tool is silently dropped when they run the agent.
Note: If a user has run access to a workforce but lacks permissions on one or more agents, they will see a “Cannot run agent” warning in the workforce builder and will be unable to execute the workflow.
If your organization is being migrated from legacy permissions to RBAC, this section covers what changes, what stays the same, and what actions you need to take.
The legacy permission system had three roles — Admin, Editor, and Viewer — applied at the project and organization level only:
Admin
Full read and write access to all assets and settings.
Editor
Read and write access to all datasets, knowledge sets, and agents. Could run agents and tools.
Viewer
Read access to all datasets, knowledge sets, and agents. Could run agents.
There was no asset-level granularity. All users with a given role had the same access to every asset in the project by default. Shared credentials (API keys, OAuths) applied project-wide.
The Relevance AI team handles the technical migration to RBAC. You do not need to manually migrate roles, but you should review and adjust assignments after migration is complete.How legacy roles map to RBAC roles by default:
Legacy role
Default RBAC role (project level)
Admin
Admin
Editor
Editor
Viewer
Viewer
The Viewer role changes significantly under RBAC. Legacy Viewers could run agents — RBAC Viewers cannot run anything and can only view assets they have been explicitly granted access to. Users who only need to interact with agents via chat should be assigned the Chat role, not Viewer.
After migration, review every user mapped to Viewer and determine whether they should be:
Chat — for users who only need to use agents through Relevance Chat
Viewer — for users who genuinely only need read access to asset configurations and outputs
Project roles fall into two groups: those that cascade Admin access to every asset automatically, and those that start with no asset access until it is explicitly granted.
Cascades to asset Admin
Admin and Editor automatically receive Admin access on every asset in the project — no per-asset setup required.
Starts with no access
Member, Viewer, and Chat receive nothing by default. Each asset must be shared with them explicitly, or they get a 403 error.
To grant access at scale, assign asset permissions to an RBAC Group rather than to each user individually.
The following is relevant primarily for API users and developers integrating directly with the authorization system.
Member/Operator
OpenFGA
Embeddable agents
The “Member” role label in the UI maps to the operator role in the authorization system. When querying permissions via the API, use operator rather than member.
The platform uses OpenFGA for authorization. Organizations not yet migrated to RBAC are still served by a legacy authorization layer.
Agents shared via public embed links (Chat UI, Chat Widget) may use the legacy authorization layer. Test permissions explicitly when deploying embedded agents.
Can I access role-based access controls without upgrading to Enterprise?
No. This feature is available for Enterprise subscriptions only.
I'm on an Enterprise subscription but do not have access to this feature yet. How do I get access?
This feature is gradually being rolled out to Enterprise customers. Please reach out to your sales representative to express your interest in receiving this feature.
How do I limit someone to only access Chat?
To limit a user to only access Relevance Chat, assign them the Chat role at the project level. Users with the Chat role are automatically redirected to Chat and cannot access the main web application. They can still interact with agents and have LLM conversations, but will need appropriate asset-level permissions (Member or higher) on specific agents to run them in Chat.
Is there a role that allows a user to approve escalations or interact with agent tasks, but not edit the agent?
Yes, assigning a user the Asset Member role for a specific agent allows them to create tasks on the agent, approve/reject escalations, and view outputs, but not edit or delete the agent’s configuration.
How many organization admins should I have?
At least two. Besides the Owner, Admin is the only organization role that can manage users, settings, API keys, and project roles, so a single Admin is a continuity risk if they leave or are unavailable. Keeping two or more preserves access while still maintaining clear accountability.