Guide to user access control on organization and project levels
Org Admin > Project Admin > Project User > Org User
Each role inherits permissions from roles below it in the hierarchy, with additional capabilities added at each level.
Permission | Description | Org Member | Project Member | Project Admin | Org Admin |
---|---|---|---|---|---|
org.create_project | Create a new project in the organization | ✅ | ✅ | ✅ | ✅ |
project.read | View project data | ❌ | ✅ | ✅ | ✅ |
project.list_users | List users within a project | ❌ | ✅ | ✅ | ✅ |
project.read_api_keys | View project API keys | ❌ | ✅ | ✅ | ✅ |
project.use_ai_secrets | Invoke AI secrets scoped to the project | ❌ | ✅ | ✅ | ✅ |
project.update_user_role | Change a user’s role within the project | ❌ | ❌ | ✅ | ✅ |
project.invite_user | Invite an external user to the project | ❌ | ❌ | ✅ | ✅ |
project.onboard_user | Add an existing user to this project | ❌ | ❌ | ✅ | ✅ |
project.remove_user | Remove a user from the project | ❌ | ❌ | ✅ | ✅ |
project.update | Update project settings and metadata | ❌ | ❌ | ✅ | ✅ |
project.delete | Delete the project | ❌ | ❌ | ✅ | ✅ |
project.cud_api_keys | Create, update, or delete project API keys | ❌ | ❌ | ✅ | ✅ |
project.crud_ai_secrets | Create, read, update, or delete project AI secrets | ❌ | ❌ | ✅ | ✅ |
org.invite_user | Invite a user to join the organization | ❌ | ❌ | ❌ | ✅ |
org.cud_project_role | Modify any user’s role in any project | ❌ | ❌ | ❌ | ✅ |
org.list_users | List all users in the organization | ❌ | ❌ | ❌ | ✅ |
org.list_projects | List all projects in the organization | ❌ | ❌ | ❌ | ✅ |
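
The inheritance rule and the table above, expressed as a deny-by-default permission check. This is an added example, not the product's own code. It assumes the table columns Org Member and Project Member correspond to Org User and Project User in the hierarchy, that an Org Admin's permissions apply to every project while project roles apply only to the project they were granted in, and it uses constructed project IDs; all function and variable names are hypothetical.

```python
from enum import IntEnum

class Role(IntEnum):
    # Ordered by the hierarchy: a higher value inherits everything below it.
    ORG_MEMBER = 0
    PROJECT_MEMBER = 1
    PROJECT_ADMIN = 2
    ORG_ADMIN = 3

# Permissions first granted at each level, transcribed from the table.
ADDED_AT = {
    Role.ORG_MEMBER: {"org.create_project"},
    Role.PROJECT_MEMBER: {"project.read", "project.list_users",
                          "project.read_api_keys", "project.use_ai_secrets"},
    Role.PROJECT_ADMIN: {"project.update_user_role", "project.invite_user",
                         "project.onboard_user", "project.remove_user",
                         "project.update", "project.delete",
                         "project.cud_api_keys", "project.crud_ai_secrets"},
    Role.ORG_ADMIN: {"org.invite_user", "org.cud_project_role",
                     "org.list_users", "org.list_projects"},
}

def effective_permissions(role):
    """Union of the permissions added at this level and every level below."""
    perms = set()
    for level, added in ADDED_AT.items():
        if level <= role:
            perms |= added
    return perms

def effective_role(org_role, project_roles, project_id):
    """Assumed scoping: Org Admin applies to every project; otherwise the
    role held in this project; otherwise plain Org Member."""
    if org_role == Role.ORG_ADMIN:
        return Role.ORG_ADMIN
    return project_roles.get(project_id, Role.ORG_MEMBER)

def is_allowed(org_role, project_roles, project_id, permission):
    """Deny by default: unknown permissions and unknown projects get no access."""
    role = effective_role(org_role, project_roles, project_id)
    return permission in effective_permissions(role)

def gained_on_promotion(old, new):
    """Permissions a role change would add, for review before approving it."""
    return effective_permissions(new) - effective_permissions(old)
```

`gained_on_promotion(Role.PROJECT_MEMBER, Role.PROJECT_ADMIN)` lists exactly what a promotion hands over, including write access to API keys and AI secrets, which is worth reviewing before approving a role change.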