Skip to main content
HoneyHive uses role-based access control (RBAC) to manage permissions across your organization hierarchy. Roles are assigned independently at each scope level — giving you fine-grained control over who can access and modify resources.

Key Benefits

  • Scope-level control — assign different roles to the same user across different workspaces and projects
  • Least privilege by default — members get minimal permissions; admins explicitly grant access
  • Custom role definitions — define custom roles with granular permissions (Enterprise plan)
  • Independent scopes — permissions at one level do not automatically cascade to child levels

How Access Is Evaluated

HoneyHive uses a dual-control model to evaluate access. Both conditions must be met for a user to access any workspace, project, or data plane:
  1. Membership — the user must be explicitly added to the scope (via invite or auto-assignment).
  2. Role with permissions — the user must hold a role that grants the required permissions in that scope.
Neither condition alone is sufficient:
  • A user who has been invited to a project but holds no role in it will have no permissions.
  • A user who holds a role at a scope level but has not been added to a specific instance of that scope cannot access it.
At login, HoneyHive builds each user’s effective permissions by combining their memberships with their role assignments. For each scope where the user has a membership with roles, the platform aggregates the permissions granted by those roles into a consolidated permission set. Permissions are checked on every request.

Default Roles

HoneyHive ships with default roles at each scope level. Each role defines a set of permissions for that scope.

Organization Roles

RoleDescription
Org AdminFull control over the organization: manage members, workspaces, roles, API keys, and organization settings. Assigned automatically to the organization creator.
Org MemberCan view organization members and join workspaces they are invited to. Assigned automatically when a user is invited to the organization or joins via email domain.

Workspace Roles

RoleDescription
Workspace AdminFull control over the workspace: manage members, projects, AI provider keys, and workspace settings. Assigned automatically to the workspace creator.
Workspace MemberCan view workspace projects, create new projects, manage projects they have access to, and use AI provider keys configured in the workspace. Assigned when a user is added to the workspace.

Project Roles

RoleDescription
Project AdminFull control over the project: manage members, API keys, datasets, metrics, evaluators, charts, and all project data. Assigned automatically to the project creator.
Project MemberCan view and create most project resources (traces, datasets, evaluators, experiments, charts) but cannot delete most resources or manage project membership roles. Assigned when a user is added to the project.

Data Plane Roles

Data plane roles apply to Dedicated Cloud and Self-Hosted deployments with federated architecture.
RoleDescription
Data Plane AdminFull control over the data plane: manage workspaces, members, API keys, and data plane settings. Assigned automatically to the data plane creator.
Data Plane MemberCan view data plane members, create workspaces, and list workspaces they belong to.

Permission Reference

Every permission in HoneyHive follows the scope.resource.action format. For example, project.dataset.post allows creating datasets in a project. The tables below list every permission and which default roles include it.
PermissionDescriptionAdminMember
org.scope.getView organization detailsYes
org.scope.putUpdate organization settingsYes
org.scope.archiveArchive the organizationYes
org.membership.getView a member’s detailsYesYes
org.membership.listList all organization membersYesYes
org.membership.addInvite a user to the organizationYesYes
org.membership.removeRemove a user from the organizationYes
org.membership.get_rolesView a member’s rolesYes
org.membership.set_rolesChange a member’s rolesYes
org.org_api_key.getView an organization API keyYes
org.org_api_key.listList organization API keysYes
org.org_api_key.postCreate an organization API keyYes
org.org_api_key.putUpdate an organization API keyYes
org.org_api_key.deleteDelete an organization API keyYes
org.roles.getView role definitionsYes
org.roles.setCreate or update role definitionsYes
org.templates.getView organization templatesYes
org.templates.setUpdate organization templatesYes
org.analytics.queryQuery organization analyticsYes
org.org_api_key.*, org.roles.*, and org.templates.* require the Enterprise plan.
Data plane permissions apply to Dedicated Cloud and Self-Hosted deployments only.
PermissionDescriptionAdminMember
dataplane.scope.getView data plane detailsYes
dataplane.scope.putUpdate data plane settingsYes
dataplane.scope.archiveArchive the data planeYes
dataplane.workspace.createCreate a workspace in this data planeYesYes
dataplane.workspace.listList all workspaces in this data planeYes
dataplane.workspace.list_myList workspaces you belong toYesYes
dataplane.workspace.manage_membershipsManage members across workspacesYes
dataplane.membership.getView a member’s detailsYesYes
dataplane.membership.listList all data plane membersYesYes
dataplane.membership.addInvite a user to the data planeYesYes
dataplane.membership.removeRemove a user from the data planeYes
dataplane.membership.get_rolesView a member’s rolesYes
dataplane.membership.set_rolesChange a member’s rolesYes
dataplane.dataplane_api_key.getView a data plane API keyYes
dataplane.dataplane_api_key.listList data plane API keysYes
dataplane.dataplane_api_key.postCreate a data plane API keyYes
dataplane.dataplane_api_key.putUpdate a data plane API keyYes
dataplane.dataplane_api_key.deleteDelete a data plane API keyYes
PermissionDescriptionAdminMember
workspace.scope.getView workspace detailsYes
workspace.scope.putUpdate workspace settingsYes
workspace.scope.archiveArchive the workspaceYes
workspace.project.createCreate a projectYesYes
workspace.project.listList all projectsYes
workspace.project.list_myList projects you belong toYesYes
workspace.project.putUpdate a projectYesYes
workspace.project.archiveArchive a projectYesYes
workspace.project.manage_membershipsManage members across projectsYes
workspace.membership.getView a member’s detailsYes
workspace.membership.listList all workspace membersYes
workspace.membership.addInvite a user to the workspaceYesYes
workspace.membership.removeRemove a user from the workspaceYes
workspace.membership.get_rolesView a member’s rolesYes
workspace.membership.set_rolesChange a member’s rolesYes
workspace.workspace_api_key.getView a workspace API keyYes
workspace.workspace_api_key.listList workspace API keysYes
workspace.workspace_api_key.postCreate a workspace API keyYes
workspace.workspace_api_key.putUpdate a workspace API keyYes
workspace.workspace_api_key.deleteDelete a workspace API keyYes
workspace.ai_secrets.useUse AI provider secretsYesYes
workspace.ai_secrets.getView AI provider secretsYes
workspace.ai_secrets.postCreate an AI provider secretYes
workspace.ai_secrets.putUpdate an AI provider secretYes
workspace.ai_secrets.deleteDelete an AI provider secretYes
workspace.templates.getView workspace templatesYes
workspace.templates.setUpdate workspace templatesYes
PermissionDescriptionAdminMember
project.scope.getView project detailsYes
project.scope.putUpdate project settingsYes
project.scope.archiveArchive the projectYes
project.membership.getView a member’s detailsYes
project.membership.listList all project membersYesYes
project.membership.addInvite a user to the projectYesYes
project.membership.removeRemove a user from the projectYes
project.membership.get_rolesView a member’s rolesYes
project.membership.set_rolesChange a member’s rolesYes
project.project_api_key.getView a project API keyYesYes
project.project_api_key.listList project API keysYesYes
project.project_api_key.postCreate a project API keyYesYes
project.project_api_key.putUpdate a project API keyYesYes
project.project_api_key.deleteDelete a project API keyYes
project.dataset.getView a datasetYesYes
project.dataset.listList datasetsYesYes
project.dataset.postCreate a datasetYesYes
project.dataset.putUpdate a datasetYesYes
project.dataset.deleteDelete a datasetYes
project.datapoint.getView a datapointYesYes
project.datapoint.listList datapointsYesYes
project.datapoint.postCreate a datapointYesYes
project.datapoint.putUpdate a datapointYesYes
project.datapoint.deleteDelete a datapointYes
project.chart.getView a chartYesYes
project.chart.listList chartsYesYes
project.chart.postCreate a chartYesYes
project.chart.putUpdate a chartYesYes
project.chart.deleteDelete a chartYes
project.config.getView a configurationYesYes
project.config.listList configurationsYesYes
project.config.postCreate a configurationYesYes
project.config.putUpdate a configurationYesYes
project.config.deleteDelete a configurationYes
project.metric.getView a metricYesYes
project.metric.listList metricsYesYes
project.metric.postCreate a metricYesYes
project.metric.putUpdate a metricYesYes
project.metric.deleteDelete a metricYes
project.experiment_run.getView an experiment runYesYes
project.experiment_run.listList experiment runsYesYes
project.experiment_run.postCreate an experiment runYesYes
project.experiment_run.putUpdate an experiment runYesYes
project.experiment_run.deleteDelete an experiment runYes
project.annotation_queue.getView an annotation queueYesYes
project.annotation_queue.listList annotation queuesYesYes
project.annotation_queue.postCreate an annotation queueYesYes
project.annotation_queue.putUpdate an annotation queueYesYes
project.annotation_queue.deleteDelete an annotation queueYesYes
project.alert.getView an alertYesYes
project.alert.listList alertsYesYes
project.alert.postCreate an alertYesYes
project.alert.putUpdate an alertYesYes
project.alert.deleteDelete an alertYesYes
project.event.getView an eventYesYes
project.event.putUpdate an eventYesYes
project.session.getView a sessionYesYes
project.session.putUpdate a sessionYesYes
project.schema.getView project schemaYesYes
project.schema.putUpdate project schemaYesYes

Custom Roles

Custom role definitions are available on the Enterprise plan.
Organizations on the Enterprise plan can define custom roles with granular permission sets. Custom roles let you create permission profiles that match your team’s specific access requirements — for example, a “Reviewer” role that can read project data and annotation queues but cannot modify datasets or metrics. Custom roles are managed via Settings > Organization > Roles. Role definitions apply organization-wide and are available for assignment at any scope level (organization, workspace, or project). Each custom role specifies:
  • The scope level it applies to (organization, workspace, or project)
  • The permission set — a list of individual permissions the role grants
  • Auto-assignment triggers — optional rules for when the role should be automatically assigned (e.g., on workspace creation, on invite)
The platform supports 100+ individual permissions across all scope levels, covering every resource and action in the system.

Role Assignment

How roles are assigned

TriggerWhen it firesRole assigned
On creationUser creates an organization, workspace, or projectAdmin role for that scope
On inviteUser is invited to a scopeMember role for that scope
Email domain matchUser’s email domain matches the organization’s verified domainOrg Member (on sign-in)
ManualAdmin changes a member’s role via Settings > MembersAny role available at that scope

How permissions work across scopes

Permissions are flat — they do not inherit or cascade between scope levels. Each user’s effective permissions are computed per scope at login and checked on every request. Org Admin does not mean access to all projects. An Org Admin can manage organization-level settings and members but must be explicitly added to individual workspaces and projects to access their data. 
Organization (Org Admin)
├── Workspace A (no access -- must be explicitly added)
│   ├── Project 1 (no access)
│   └── Project 2 (no access)
└── Workspace B (Workspace Member -- explicitly added)
    ├── Project 3 (Project Admin -- explicitly added)
    └── Project 4 (no access)
This means:
  • A user can be a Workspace Admin in one workspace and a Workspace Member in another.
  • A user can be a Project Admin in one project and have no access to a different project in the same workspace.
  • An Org Admin must be added to individual workspaces and projects to access their data.

Common Scenarios

Adding a new team member

  1. Org Admin invites the user to the organization.
  2. User becomes an Org Member.
  3. Workspace Admin adds the user to the relevant workspace(s).
  4. Project Admin (or Workspace Admin) adds the user to the relevant project(s).

Creating a new workspace and project

  1. Any Org Member creates a new workspace — they become Workspace Admin automatically.
  2. Workspace Admin creates a project — they become Project Admin automatically.
  3. Workspace Admin invites team members to the workspace and assigns them to projects.

Restricting access within a workspace

A Workspace Admin with multiple projects can control which team members see which projects:
  1. Add all team members to the workspace as Workspace Members.
  2. Add each member only to the specific projects they need.
  3. Members will only see and access projects they have been explicitly added to.

Offboarding a team member

  1. Remove the user from their projects (Project Admin or Workspace Admin).
  2. Remove the user from their workspaces (Workspace Admin or Org Admin).
  3. Remove the user from the organization (Org Admin) if they are leaving entirely.

Permission Recipes

These examples show how to achieve common access patterns using custom roles (Enterprise plan) or the default roles.
Desired behaviorSolution
User can only view datasets in a projectCustom role with project.dataset.get and project.dataset.list
User can run experiments but not delete themCustom role with project.experiment_run.get, .list, .post, .put (omit .delete)
User can manage AI provider secrets but not workspace settingsCustom role with workspace.ai_secrets.* (omit workspace.scope.put)
User can view project data but not modify anythingCustom role with only .get and .list permissions for the resources they need
Workspace admin who cannot archive projectsCustom role with all workspace.* permissions except workspace.project.archive
API-only access for CI/CD pipelinesUse a project API key instead of a user role (see below)

API Key Permissions

API keys are not user roles — they have a fixed set of permissions determined by their scope level. They cannot be customized.
Project API keys are the most common type, used for SDK integration and CI/CD pipelines. They can:
ResourcePermissions
Eventsproject.event.get, project.event.put
Sessionsproject.session.get, project.session.put
Datasetsproject.dataset.*
Datapointsproject.datapoint.*
Metricsproject.metric.*
Experiment runsproject.experiment_run.*
Configurationsproject.config.*
Chartsproject.chart.*
Annotation queuesproject.annotation_queue.*
Schemaproject.schema.*
Project API keys cannot manage memberships, roles, or other API keys.
API Key TypeWhat it can do
Organization API keyManage role definitions (org.roles.*), templates (org.templates.*), and query analytics (org.analytics.*). Requires Enterprise plan.
Workspace API keyManage AI provider secrets (workspace.ai_secrets.*).

Security Guarantees

HoneyHive’s RBAC system enforces the following invariants:
  • No privilege escalation — users cannot grant themselves roles or expand their own access. Role assignment requires explicit admin permissions (*.membership.set_roles) at the relevant scope.
  • No permission inheritance — permissions are flat and scoped to each level independently. An Org Admin does not automatically have access to workspaces or projects. A Workspace Admin does not automatically have admin access to projects within that workspace.
  • Cross-scope isolation — data queries are always filtered by scope. Traces, datasets, and search results from one workspace or project are never visible to users in another, even within the same organization.
  • Separation of duties — in Dedicated Cloud and Self-Hosted deployments, platform operators (control plane) cannot access service-domain data (data plane), and service-domain users cannot modify platform or federation configuration. No role combines control plane authority with data plane access.

FAQ

Q: Can a user have different roles in different workspaces or projects? A: Yes. Roles are assigned independently at each scope. A user can be a Workspace Admin in one workspace and a Workspace Member in another, or a Project Admin in one project and a Project Member in another. Q: Can Org Admins access every project automatically? A: No. Org Admins can manage organization-level settings and members, but they must be explicitly added to a workspace and project to access data within it. Q: Do permissions cascade from organization to workspace to project? A: No. Permissions are flat and scoped to each level independently. A Workspace Admin does not automatically have admin access to projects within that workspace. Q: Who can create API keys? A: API keys are scoped to each level. Org Admins manage organization API keys. Workspace Admins manage workspace API keys. Project Admins and Project Members can manage project API keys. Q: Can we define custom roles beyond the six defaults? A: Yes, on the Enterprise plan. Navigate to Settings > Organization > Roles to define custom roles with granular permissions. The platform supports 100+ individual permissions across all scope levels. Q: What happens when a user is invited to the organization? A: They receive the Org Member role by default. They will not have access to any workspaces or projects until explicitly added by an admin. Q: When do permission changes take effect? A: When a user’s roles or memberships are updated, their active sessions are marked as stale. The next time the user’s browser communicates with the platform, it detects the stale session and triggers a re-authorization to recalculate permissions. The user does not need to log out and log back in. New permissions take effect after the session is re-authorized. Q: What if all Org Admins leave? A: An Org Admin must promote another user to Org Admin before demoting themselves. If no Org Admin is available, contact support@honeyhive.ai.