Understanding roles and permissions in WRITER
Who can use this feature
- Default roles are available to all WRITER accounts
- Custom roles are supported on Enterprise plans
- Custom roles can be created and modified by the org admin, business admin, and IT admin default roles
Our roles and permissions system provides greater granularity and control, allowing organizations to manage access separately at the organization and team levels. With custom roles and a role-based access control system, you can precisely control who can configure key features like Knowledge Graphs and agents while improving security and scalability across your workspace.
What's included in this article?
- Overview of roles in WRITER
- Default roles
- How to create a custom role
- How to assign roles to users
- FAQs
Overview of roles in WRITER
Roles allow you to grant granular permissions to members of your organization, giving you precise control over who can access specific features and what they can do within the platform.
Access levels and role types
Each role gives a set of permissions that users can use at the organization or team level. Together, they decide how much control and access a user has to parts of the WRITER platform.
Org-level permissions cover different areas, like user, team, and role management, billing and reporting, agent building, AI Studio access, and more.
Team roles cover team-specific permissions such as team membership management, home page management, managing team Knowledge Graphs, and more.
Role Types (Default vs. Custom):
- Default Roles: These are eight pre-made roles for the most common administrative and user needs, like managing a team or handling billing. Every Writer account starts with these.
- Custom Roles: If the default roles aren't a perfect fit, you can build your own custom roles and choose the specific permissions you need.
You can assign these roles at two different levels: for your whole organization and for a specific team.
Important: You often need to assign more than one role
A person may need multiple roles to perform their job. For example, someone might need one role to access their team's settings and another to use AI Studio.
For instance, a marketing team manager who builds a Knowledge Graph and creates a custom chat agent needs two roles in WRITER:
- Team Admin to manage their team's settings.
- AI Studio builder to access AI Studio and build the Knowledge Graph and chat agent. This role allows building but not deploying agents, which is handled by IT.
By assigning multiple roles, you can give people the exact access they need: no more, and no less. To learn how to assign roles to your users, see How to assign roles to users below.
Default roles
Definition of default roles
Use the tables below to understand the different default roles available in WRITER and the permissions associated with each role.
Role | Level | Description | Examples of who should have the role |
---|---|---|---|
Org admin | Organization | This role includes automatic access to all teams within the organization with team admin permissions. It also has broad admin access to org configuration for billing, users, teams, roles, account, authentication, style guide, and security. | CISO, CTO, Operations Head, IT Manager, Department Head |
AI Studio full access | Organization | This role allows users to build, create, and manage all agents, Knowledge Graphs, API keys, and voices within AI Studio. These users can deploy any agents and view consumption data. | AI/ML Engineer, Data Scientist, Quantitative Analyst, Analytics Manager, AI Research Scientist |
AI Studio builder | Organization | This role allows users to build and create agents, Knowledge Graphs, API keys, and voices within AI Studio. They can manage their own items, but can't view or manage those created by other users. These users cannot deploy their own agents. | AI/ML Engineer, Data Scientist, Business Intelligence Developer, Technical Lead, Research Scientist |
AI Studio view only | Organization | This role offers limited, view-only access to agents, Knowledge Graphs, and voice. It can also access agents deployed to playground. This user cannot deploy or edit agents. | Data Analyst, Business Analyst, Risk Analyst, Product Manager, Clinical Research Coordinator |
Business admin | Organization | This role can manage business administration settings such as the style guide builder, user, and billing management. It can also access reporting, but does not have access to authentication or data and security settings. | Business Operations Manager, Finance Manager, Business Analyst, Brand Manager |
IT admin | Organization | This role can manage authentication and data and security settings. It can also manage AI Studio with full access to agents, API keys, Knowledge Graphs, and voices. | IT Administrator, System Administrator, IT Manager, IT Director, Infrastructure Manager |
Team admin | Team | This role includes full access to team setup, including terms, suggestions, snippets, prompts, Knowledge Graphs, and voices. It can also add and remove members from the team and view usage reporting for this team. | Team Lead, Project Manager, Department Manager |
Team member | Team | Most users in your org will have the Team member role. This role includes basic membership to the team with the ability to use agents and check content. It also has view-only access to suggestions, terms, and other settings. | Individual contributors |
Default role permissions
As an org admin, you can assign multiple org-level and team-level roles to give your users the permissions in WRITER that they require. The tables below show the granular permissions each default role has enabled. To learn how to create custom roles for your WRITER account, see How to create a custom role below.
User, team, and role management permissions:
Permission | Org admin | AI Studio full access | AI Studio builder | AI Studio view only | Business admin | IT admin | Team admin | Team member |
---|---|---|---|---|---|---|---|---|
View users | β | β | β | β | β | β | β (team only) | β |
Invite and manage users | β | β | β | β | β | β | β (team only) | β |
View teams | β | β | β | β | β | β | β (team only) | β |
Manage teams | β | β | β | β | β | β | β (team only) | β |
View roles | β | β | β | β | β | β | β (team only) | β |
Manage roles | β | β | β | β | β | β | β (team only) | β |
Billing and reporting permissions:
Permission | Org admin | AI Studio full access | AI Studio builder | AI Studio view only | Business admin | IT admin | Team admin | Team member |
---|---|---|---|---|---|---|---|---|
View billing groups | β | β | β | β | β | β | β | β |
Manage billing groups | β | β | β | β | β | β | β | β |
View and manage billing | β | β | β | β | β | β | β | β |
View usage reporting | β | β | β | β | β | β | β (team only) | β |
View admin audit log | β | β | β | β | β | β | β (team only) | β |
Account and style guide permissions:
Permission | Org admin | AI Studio full access | AI Studio builder | AI Studio view only | Business admin | IT admin | Team admin | Team member |
---|---|---|---|---|---|---|---|---|
Manage account settings | β | β | β | β | β | β | β | β |
Manage style guide | β | β | β | β | β | β | β | β |
Data, security access, and provisioning permissions:
Permission | Org admin | AI Studio full access | AI Studio builder | AI Studio view only | Business admin | IT admin | Team admin | Team member |
---|---|---|---|---|---|---|---|---|
Manage access and provisioning | β | β | β | β | β | β | β | β |
Manage data and web use | β | β | β | β | β | β | β | β |
Manage OAuth apps | β | β | β | β | β | β | β | β |
AI Studio permissions:
Permission | Org admin | AI Studio full access | AI Studio builder | AI Studio view only | Business admin | IT admin | Team admin | Team member |
---|---|---|---|---|---|---|---|---|
View no-code agents | β | β | β | β | β | β | β | β |
View templates | β | β | β | β | β | β | β | β |
Create agent from template | β | β | β | β | β | β | β | β |
Duplicate existing no-code agent | β | β | β | β | β | β | β | β |
Create no code agent | β | β | β | β | β | β | β | β |
Delete draft agent - created by self | β | β | β | β | β | β | β | β |
Delete draft agent - created by anyone | β | β | β | β | β | β | β | β |
Modify no code agent (draft) - created by self | β | β | β | β | β | β | β | β |
Modify any no code agent | β | β | β | β | β | β | β | β |
Deploy own agents | β | β | β | β | β | β | β | β |
Deploy agents created by anyone | β | β | β | β | β | β | β | β |
Push changes (deploy current draft of existing agent) | β | β | β | β | β | β | β | β |
Regenerate embed token for no code agent | β | β | β | β | β | β | β | β |
API keys (create, revoke, view secret, etc) | β | β | β | β | β | β | β | β |
Framework agents (create, revoke, view secret, etc) | β | β | β | β | β | β | β | β |
Open agents in playground & copy playground URL | β | β | β | β | β | β | β | β |
Enable/disable playground - agent created by self | β | β | β | β | β | β | β | β |
Enable/disable playground - all agents | β | β | β | β | β | β | β | β |
Create Knowledge Graph | β | β | β | β | β | β | β | β |
Create Voice | β | β | β | β | β | β | β | β |
Modify/delete KG - created by self | β | β | β | β | β | β | β | β |
Modify/delete Voice - created by self | β | β | β | β | β | β | β | β |
Modify/delete KG - created by anyone | β | β | β | β | β | β | β | β |
Modify/delete Voice - created by anyone | β | β | β | β | β | β | β | β |
Invite user to AI Studio | β | β | β | β | β | β | β | β |
Delete AI Studio user | β | β | β | β | β | β | β | β |
Change user AI Studio roles | β | β | β | β | β | β | β | β |
CRUD Billing details | β | β | β | β | β | β | β | β |
View analytics (when released) | β | β | β | β | β | β | β | β |
AI Studio billing and reporting permissions:
Permission | Org admin | AI Studio full access | AI Studio builder | AI Studio view only | Business admin | IT admin | Team admin | Team member |
---|---|---|---|---|---|---|---|---|
View and manage billing | β | β | β | β | β | β | β | β |
View consumption | β | β | β | β | β | β | β | β |
View and manage session logs | β | β | β | β | β | β | β | β |
Team specific permissions:
Permission | Org admin | AI Studio full access | AI Studio builder | AI Studio view only | Business admin | IT admin | Team admin | Team member |
---|---|---|---|---|---|---|---|---|
Manage home page | β | β | β | β | β | β | β | β |
Manage team terms | β | β | β | β | β | β | β | β |
View team terms | β | β | β | β | β | β | β | β |
Manage team suggestions and tools | β | β | β | β | β | β | β | β |
View team suggestions and tools | β | β | β | β | β | β | β | β |
Create and manage team snippets | β | β | β | β | β | β | β | β |
View team snippets | β | β | β | β | β | β | β | β |
Create and manage team Knowledge Graphs | β | β | β | β | β | β | β | β |
View team Knowledge Graphs | β | β | β | β | β | β | β | β |
Create and manage team voices | β | β | β | β | β | β | β | β |
View team voice | β | β | β | β | β | β | β | β |
Create and manage team prompts | β | β | β | β | β | β | β | β |
View team prompts | β | β | β | β | β | β | β | β |
View team users | β | β | β | β | β | β | β | β |
Manage team users | β | β | β | β | β | β | β | β |
Manage team details | β | β | β | β | β | β | β | β |
The following permissions are given to all team members and cannot be configured:
Feature | Permission |
---|---|
Docs and Editor | View and use |
Agent Library | View and use |
My Work | View and use |
Home page access | View and use |
Ask WRITER | View and use |
Action Agent | View and use |
Suggestions and tools | View |
Terms | View |
Snippets | View |
Voice | View |
Knowledge Graph | View |
Team users | View |
How to create a custom role
You can create custom roles at the organization level as well as for specific teams:
Select Org settings > Users, teams & roles > Roles > + New role.
To create an org-level custom role:
- Give your custom role a clear name.
- Select Org level.
- Provide a description so other admins know when to assign the custom org-level role.
- On the right, select the specific org-level permissions you'd like this custom role to have.
- Select Save. Your new org-level custom role will now be visible under Org settings > Users, teams & roles > Roles.
To create a team-level custom role:
- Give your team-level role a clear name.
- Select Team level.
- Provide a description so other admins know when to assign the custom team-level role.
- On the right, select the specific team-level permissions you'd like this custom role to have.
- Select Save. Your new team-level custom role will now be visible under Org settings > Users, teams & roles > Roles.
Just want to make a slight tweak to an existing access role?
- Select Copy from in the top right to fill in the default permissions for an existing role.
- Give your adjusted role a new name and description.
- Adjust the permissions.
- Select Save. Your new custom role will now be visible under Org settings > Users, teams & roles > Roles.
How to assign roles to users
When you invite a user from Org settings > Users, teams and roles > Users, you can assign them any of the default or custom roles within your WRITER org.
- From the invitation module, enter an email for the user you'd like to invite to your WRITER account.
- (Optional) Next, select an option from the Billing group dropdown to associate the user with. To learn more about billing groups, click here.
- Under Org permissions, assign any default or custom org-level roles to the user. You can assign multiple org-level roles to a user.
- Under Team permissions, select the team(s) the user should belong to. For each team, assign team-level permissions to the user. You can assign multiple team-level roles to a user.
Additionally, you can have roles and permissions set automatically for your users by setting up SCIM provisioning. Learn more here.
FAQs
How do I assign new roles to existing users?
To change a single user's role, navigate to Org settings > Users, teams & roles > Users and select the ••• (three-dot) menu to the right of the user's name. Select Edit user details to make adjustments to their org-level or team-level access roles.
To edit user roles in bulk within the Users page, search or filter to find the users you'd like and then select the check box on the right of their email address. This will activate the bulk menu, where you can select the Select action button to open the menu and select Edit org role.
Please note, the maximum number of users that can be selected for bulk actions is 1000.
Select the role(s) you want to remove or add to your users and select Save, and your changes will be applied.
You can also manage user roles in bulk by following the steps in your IdP to update the org and team role mapping. Learn more about SCIM provisioning here.
We are an existing WRITER customer. How should we migrate our current users to this new role system?
At rollover, there will be a 1:1 change of Org admins to the org admin role, and team admins to the new team admin role, and users to users.
Org admin → Org Admin, Team Admin → Team Admin, Team member → Team member, etc.
There is only one significant change between the previous roles and the new roles:
Previously, team admins could manage changes to a published styleguide.com website. Now, styleguide.com website management is an org-level permission. If you wish to provide your team admins with access to this permission, you'll need to create a custom role.
What is the difference between an organization-level role and a team-level role?
Organization-level roles (e.g., Org Admin, IT Admin) grant permissions that affect the entire Writer account, such as billing, security settings, and organization-wide user management. Team-level roles (e.g., Team Admin, Team Member) grant permissions that only apply within a specific team, like managing team members or accessing team-specific content.
How do I handle role changes for users with multiple team memberships?
Team membership is separate from org-level roles. For example, if you remove an admin-type role from a user, they will still maintain their team member status for the teams they belong to. You can edit team membership from the Users tab, or you can navigate to the Teams section to adjust team-level membership and permissions.
Can I make changes to custom roles after they are created and assigned to users?
Yes. From the Roles tab, select the three-dot icon on the right side of the role you wish to edit, and then select Edit role. From the role creation module that appears, make the changes you'd like and then select Save. The changes will now be live for any users you've assigned to the role. Default roles cannot be edited or deleted.
What happens if a user is assigned multiple roles? How do permissions combine?
When a user has multiple roles, their permissions are additive. They gain the combined total of all permissions from every role they are assigned. For example, if Role A grants permission to view users and Role B grants permission to create agents, a user with both roles can do both.
Can I delete a custom role after it's been created? What happens to the permissions of the users assigned to those roles if I do?
If a custom role is deleted, any users assigned to that role will lose the permissions granted by it. If they are not assigned to any other roles, they will revert to the default "Team member" permissions. We recommend reassigning users to a new role before deleting an old one.
How do roles assigned via SCIM/IdP interact with roles assigned manually in WRITER?
For users provisioned via SCIM, your Identity Provider (IdP) is the source of truth. Roles should be managed there. Any manual role changes made in the Writer UI for a SCIM-managed user will be overwritten during the next sync.
Are there any limitations on the number of custom roles I can create?
The maximum number of custom roles per WRITER org is 100 (team-level or org-level, cumulatively).
Can I temporarily suspend or revoke a user's role?
Yes. To temporarily suspend a user's permissions, you can edit their profile and remove the assigned role(s). Their access will be revoked immediately. To restore access, simply re-assign the role(s) at a later time. This is a non-destructive action.
Is there a way to audit or log changes made to roles and permissions?
Yes. The Admin audit log, accessible to org admins and IT admins, records all significant actions, including the creation, modification, and deletion of roles, as well as changes to user role assignments.
What are some best practices for setting up roles?
We recommend the following best practices:
- Start with the principle of least privilege: Only grant users the minimum permissions they need to perform their job.
- Leverage default roles first: Before creating a custom role, check if a combination of our default roles can meet your needs.
- Use a clear naming convention: When creating custom roles, use descriptive names like 'Marketing Content Approver' or 'Sales Agent Builder' to make them easily identifiable.
- Audit regularly: Periodically review your roles and user assignments to ensure they are still appropriate as your organization evolves.
I assigned a role to a user, but they still can't access what they need. What should I do?
This usually happens when a user is missing a required combination of roles. The most common reason is that they have a team-level role (like Team Admin) but are missing the necessary org-level role to access the area of the platform (like AI Studio - View Only).
Troubleshooting Steps:
Check all roles assigned to the user as well as their team membership. Confirm they have both an org-level role for platform access and a team-level role for specific content management.
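The additive combination of roles and the troubleshooting check above can be modelled as set arithmetic during an access review. This is an added example, not WRITER code or a WRITER API: the permission names are taken from the tables on this page, but the role-to-permission mapping is an assumption read from the role descriptions, and the function names are hypothetical.

```python
# Constructed model: permission names come from this page's tables, but the
# role-to-permission mapping is a partial reading of the role descriptions,
# not an export from WRITER.
ROLES = {
    "AI Studio full access": ("org", {"View no-code agents", "Create no code agent",
                                      "Deploy agents created by anyone",
                                      "View consumption"}),
    "AI Studio builder": ("org", {"View no-code agents", "Create no code agent"}),
    "AI Studio view only": ("org", {"View no-code agents"}),
    "Team admin": ("team", {"Manage team users", "Manage team terms",
                            "View team terms"}),
    "Team member": ("team", {"View team terms"}),
}


def effective_permissions(assigned):
    """Permissions are additive: the union over every assigned role."""
    perms = set()
    for role in assigned:
        perms |= ROLES[role][1]
    return perms


def smallest_role_for(permission):
    """Least-privilege pick: the role granting `permission` with the fewest permissions."""
    candidates = [r for r, (_, p) in ROLES.items() if permission in p]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (len(ROLES[r][1]), r))


def access_review(assigned, needed):
    """Compare what a user holds with what their job needs."""
    needed = set(needed)
    held = effective_permissions(assigned)
    missing = needed - held
    return {
        "missing": sorted(missing),              # why "they still can't access"
        "excess": sorted(held - needed),         # granted but not required
        "levels_held": sorted({ROLES[r][0] for r in assigned}),
        "suggest": sorted({smallest_role_for(p) for p in missing} - {None}),
    }


if __name__ == "__main__":
    # Constructed case: the marketing team manager from the overview section.
    needed = {"Manage team users", "Create no code agent"}
    print(access_review(["Team admin"], needed))
    print(access_review(["Team admin", "AI Studio full access"], needed))
```

A non-empty `excess` for a user whose `missing` list is empty marks where a default role grants more than the job needs, which is the case custom roles exist for.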