User Roles and Permissions

You can use a preset role or create your own roles with custom permissions.

Role-Based Access Control (RBAC)

deepset AI Platform offers role-based access control at two levels: organization and workspace. Roles are scoped at each level and define what users can access and manage, enabling precise control over assets.

The deepset AI Platform includes preset roles at both the organization and workspace levels. You can also define custom roles at the workspace level to set specific permissions.

Preset Roles

Preset roles are predefined roles you can assign to users. You can also use them as a starting point when creating custom roles. You can't edit preset roles.

Organization Preset Roles

The following preset roles grant permissions at the organization level:

Role	Scope	Permissions
Admin	Organization	Can perform tasks and manage users and workspaces at the organization level. - Has write access to all workspaces in the organization. - Can change roles of other organization members. - Cannot change their own role. - Can manage organization-wide secrets, integrations, and API keys. - Can view usage statistics. - Can create custom roles. - Can import custom components.
Member	Organization	Must be granted explicit access to workspaces to be able to perform tasks. - Can view organization-wide secrets, integrations and roles. - Has no permissions on other organization-wide assets like usage statistics, custom components or API keys.

Workspace Preset Roles

The following preset roles grant permissions at the workspace level:

Role	Scope	Permissions
Editor	Workspace	Has write access to all assets within a workspace - Has no permissions to manage workspace users
Search user	Workspace	Can use Playground, including adding feedback and modifying query time parameters - Can use Jobs, including creating, running, and sharing

Custom Roles

Organization Admins can create roles with custom permissions. Custom roles apply only at the workspace level. You can't create roles with organization-wide permissions.

Permissions

When creating custom roles, you can either use a preset role and its permissions as a starting point, or you can choose the permissions from scratch. The following table explains available permissions. Read & write permissions include everything in read-only, plus additional actions.

Asset	Access type	Explanation
Feedback	No access	Feedback options are inactive.
	Read & write	Can add, update, and view feedback.
Feedback Management	No access	Feedback options are inactive.
	Read-only	Can view feedback, feedback statistics and export feedback across pipelines using API
	Read & write	Can add, update, and delete feedback tags. - Can delete feedback items.
Jobs	No access	The feature is hidden.
	Read-only	Can view jobs and job results on the Jobs page - Can download job results
	Read & write	Can create, run, share, view, update, and delete jobs.
Shared Prototypes	No access	The share option is inactive.
	Read-only	Can list active share prototypes within a workspace via API
	Read & write	Can share pipeline prototypes. - Can update and delete shared prototypes.
Pipelines	No access	The feature is hidden.
	Read-only	Can view pipelines on the Pipelines page. - Can view pipeline details on the Pipeline Details page. - Can open a pipeline in Pipeline Builder in view-only mode. - Can run searches in Playground and Prompt Explorer - Can activate pipelines.
	Read & write	Can create, update, share, and delete pipelines. - Can configure pipeline service level. - Can deploy and undeploy pipelines. - Can duplicate pipelines. - Can use pipeline templates. - Can debug pipelines using the remote tunnel. - Can update prompts in the pipeline using Prompt Explorer.
Pipeline Templates	No access	The feature is hidden.
	Read-only	Can view templates and their details.
Prompts	No access	The feature is hidden.
	Read-only	Can view and use custom prompts in the prompt hub in Prompt Explorer.
	Read & write	Can create, update, and delete custom prompts in the prompt hub in Prompt Explorer.
Search history	No access	The feature is inactive.
	Read-only	Can view search history.
	Read & write	Can delete search history using API
Files	No access	The feature is hidden.
	Read-only	Can view a list of files in a workspace. - Can view file metadata - Can view files - Can download files - Can see file references in generated answers.
	Read & write	Can upload, delete, and download files. - Can add and modify file metadata.
Indexes	No access	The feature is hidden.
	Read-only	Can view all indexes in the workspace - Can view index details on the Index Details page - Can open an index in Pipeline Builder in view-only mode - Can view names of indexed files - Can export documents as CSV
	Read & write	Can create, update, and delete indexes. - Can enable and disable indexes. - Can use index templates
Groundedness	Read-only	Can view the Groundedness page
Secrets & Integrations	Read-only	Can view secrets and integrations of a workspace
	Read & write	Can add and delete secrets -Can connect and disconnect to an integration
API Keys	Read & write	Create, configure, modify and delete API Keys in a workspace
Workspace statistics	Read-only	Can view the homepage

Examples

Prompt Engineer

To create a custom Prompt Engineer role that:

Can create, update, save, and delete prompts
Can test prompts in Prompt Explorer
Can view file references in generated answers
Can add feedback to generated answers
Cannot update prompts in pipelines

You would need the following permissions:

Asset	Access Type
Pipelines	Read
Files	Read
Prompts	Read & write
Feedback	Read & write

Updated 8 days ago