User Permissions & Roles
Comprehensive guide to user permissions, roles, and access control in Twig AI.
Overview
Twig AI uses Role-Based Access Control (RBAC) to manage what users can see and do within the platform. Permissions are assigned through roles, groups, and direct assignments.
User Roles
Role Hierarchy
Super Admin (Highest)
↓
Admin
↓
Manager
↓
User (Base)
Role Definitions
Super Admin
Description: Complete platform control, typically for organization owners and IT administrators.
Permissions:
Organization
• Full administrative access • Manage billing and subscriptions • Delete organization • Configure SSO • Manage integrations
Users
• Create, edit, delete all users • Assign any role including Super Admin • Manage all groups • View all user activity
Agents
• Create, edit, delete all agents • Access all agents regardless of restrictions • Manage agent permissions • View all agent analytics
Data Sources
• Create, edit, delete all data sources • Trigger processing for any source • View connection credentials • Configure refresh schedules
Analytics
• Access all analytics dashboards • Export all data • View organization-wide metrics • Access super admin dashboard
Settings
• Modify all system settings • Configure security policies • Manage API keys • Access audit logs
Use Cases:
Organization founders/owners
IT administrators
Platform administrators
Assignment: Limited to 2-3 users per organization (recommended)
Admin
Description: Day-to-day administrative control without billing or critical system changes.
Permissions:
Organization
• View organization settings • Manage integrations • ❌ Cannot delete organization • ❌ Cannot change billing
Users
• Create, edit, delete users (except Super Admins) • Assign roles (up to Manager) • Manage groups • View user activity
Agents
• Create, edit, delete all agents • Access all agents • Manage agent permissions • View all agent analytics
Data Sources
• Create, edit, delete all data sources • Trigger processing • ❌ Cannot view credentials (encrypted) • Configure refresh schedules
Analytics
• Access admin dashboards • Export organization data • View all metrics • Generate reports
Settings
• Modify most settings • Manage API keys for organization • View audit logs • ❌ Cannot modify security policies
Use Cases:
Team leads
Department heads
Operations managers
Assignment: 5-10 users typically
Manager
Description: Team-level management with permissions for their department or group.
Permissions:
Organization
• View organization settings • ❌ Cannot modify • ❌ Cannot manage integrations
Users
• View users in their groups • Add/remove users from their groups • ❌ Cannot create/delete users • ❌ Cannot assign roles
Agents
• Create agents • Edit agents they created or are assigned • Delete agents they created • Assign agents to their groups • View analytics for their agents
Data Sources
• Create data sources • Edit data sources they created • Trigger processing for their sources • ❌ Cannot delete data sources • View their data source analytics
Analytics
• Access management dashboard • View metrics for their groups/agents • Export their team's data • ❌ Cannot view org-wide sensitive metrics
Settings
• Manage their own API keys • View limited audit logs (their actions) • ❌ Cannot modify system settings
Use Cases:
Team managers
Project leads
Department supervisors
Assignment: Team/project leaders
User
Description: Standard user access for day-to-day use of AI agents.
Permissions:
Organization
• View basic organization info • ❌ Cannot modify anything
Users
• View their own profile • Update their own settings • ❌ Cannot see other users • ❌ Cannot manage groups
Agents
• Use agents they have access to • View responses and citations • ❌ Cannot create agents • ❌ Cannot edit agents • ❌ Cannot change agent settings
Data Sources
• ❌ Cannot access data sources • ❌ Cannot view data source list • ❌ Cannot create/edit/delete
Analytics
• View their own usage statistics • See their interaction history • ❌ Cannot view team metrics • ❌ Cannot export data
Settings
• Update profile (name, photo) • Manage notification preferences • Generate personal API keys (if enabled) • ❌ Cannot modify system settings
Use Cases:
End users
Employees using AI assistance
External users (with restrictions)
Assignment: All standard users
Permission Matrix
Complete Permission Reference
Organization Management
Permission | Super Admin | Admin | Manager | User
View organization | ✅ | ✅ | ✅ | ✅
Edit organization settings | ✅ | ✅ | ❌ | ❌
Delete organization | ✅ | ❌ | ❌ | ❌
Manage billing | ✅ | ❌ | ❌ | ❌
Configure SSO | ✅ | ✅ | ❌ | ❌
User Management
Permission | Super Admin | Admin | Manager | User
View all users | ✅ | ✅ | Group only | Self only
Create users | ✅ | ✅ | ❌ | ❌
Edit users | ✅ | ✅ | ❌ | Self only
Delete users | ✅ | ✅ | ❌ | ❌
Assign roles | ✅ | ✅ (up to Manager) | ❌ | ❌
Group Management
Permission | Super Admin | Admin | Manager | User
View groups | ✅ | ✅ | Assigned only | ❌
Create groups | ✅ | ✅ | ❌ | ❌
Edit groups | ✅ | ✅ | Own groups | ❌
Delete groups | ✅ | ✅ | ❌ | ❌
Add/remove members | ✅ | ✅ | Own groups | ❌
Agent Management
Permission | Super Admin | Admin | Manager | User
View agents | ✅ All | ✅ All | Assigned | Assigned
Create agents | ✅ | ✅ | ✅ | ❌
Edit agents | ✅ All | ✅ All | Own/Assigned | ❌
Delete agents | ✅ | ✅ | Own only | ❌
Manage agent permissions | ✅ | ✅ | Own agents | ❌
Use agents in Playground | ✅ | ✅ | ✅ | ✅
Data Source Management
Permission | Super Admin | Admin | Manager | User
View data sources | ✅ | ✅ | Own only | ❌
Create data sources | ✅ | ✅ | ✅ | ❌
Edit data sources | ✅ | ✅ | Own only | ❌
Delete data sources | ✅ | ✅ | ❌ | ❌
Trigger processing | ✅ | ✅ | ✅ | ❌
View connection credentials | ✅ | ❌ | ❌ | ❌
Analytics & Reporting
Permission | Super Admin | Admin | Manager | User
View super admin dashboard | ✅ | ❌ | ❌ | ❌
View admin dashboard | ✅ | ✅ | ❌ | ❌
View management dashboard | ✅ | ✅ | ✅ | ❌
View user dashboard | ✅ | ✅ | ✅ | ✅
Export data | ✅ | ✅ | Own data | Own data
View interaction history | ✅ All | ✅ All | Group only | Self only
Inbox & Training
Permission | Super Admin | Admin | Manager | User
View all interactions | ✅ | ✅ | Group only | Self only
Edit responses | ✅ | ✅ | ✅ | ❌
Mark as accurate/inaccurate | ✅ | ✅ | ✅ | ❌
Create KB articles from inbox | ✅ | ✅ | ✅ | ❌
Knowledge Base
Permission | Super Admin | Admin | Manager | User
View KB articles | ✅ | ✅ | ✅ | ✅
Create KB articles | ✅ | ✅ | ✅ | ❌
Edit KB articles | ✅ | ✅ | Own only | ❌
Delete KB articles | ✅ | ✅ | ❌ | ❌
Manage KB tags | ✅ | ✅ | ❌ | ❌
API & Integration
Permission | Super Admin | Admin | Manager | User
View org API keys | ✅ | ✅ | ❌ | ❌
Create org API keys | ✅ | ✅ | ❌ | ❌
Create personal API keys | ✅ | ✅ | ✅ | If enabled
Manage webhooks | ✅ | ✅ | ❌ | ❌
Configure integrations | ✅ | ✅ | ❌ | ❌
Security & Audit
Permission | Super Admin | Admin | Manager | User
View audit logs | ✅ All | ✅ All | Self only | ❌
Configure security policies | ✅ | ❌ | ❌ | ❌
Manage SSO | ✅ | ✅ | ❌ | ❌
View sensitive data | ✅ | ❌ | ❌ | ❌
Managing User Permissions
Creating Users with Roles
Method 1: Individual User Creation
Navigate to Administration → Users
Click Create New User
Fill in user details:
Email: the user's email address (required)
Name: Full name
Role: Select from dropdown
Groups: Assign to groups (optional)
Status: Active/Inactive
Click Send Invitation
User receives email with setup link
Method 2: Bulk User Import
Administration → Users → Import Users
Download CSV template
Fill in user details:
Upload CSV file
Review and confirm import
Users receive invitations automatically
Method 3: SSO Auto-Provisioning
Administration → SSO → Auto-Provisioning
Enable Just-In-Time (JIT) Provisioning
Configure default role: User (typically)
Map SSO attributes to user fields:
Users created automatically on first login
Changing User Roles
Single User:
Administration → Users → Select user
Click Edit
Change Role dropdown
Confirm: "Are you sure? This will change permissions immediately."
Click Save
Bulk Role Change:
Administration → Users
Select multiple users (checkbox)
Bulk Actions → Change Role
Select new role
Confirm changes
Users notified of permission change (optional)
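The role-assignment limits stated in the permission matrix (Super Admin assigns any role, Admin assigns up to Manager and cannot edit Super Admins, Manager and User cannot assign roles), as an added Python sketch that is not Twig AI code. The `Role` enum, the function names and the sample addresses are assumptions made for illustration.

```python
from enum import IntEnum

class Role(IntEnum):  # ordering follows the page's role hierarchy
    USER = 1
    MANAGER = 2
    ADMIN = 3
    SUPER_ADMIN = 4

# Highest role each actor may grant ("Assign roles" row of the matrix).
# Roles absent from this map (Manager, User) cannot assign roles at all.
MAX_GRANTABLE = {Role.SUPER_ADMIN: Role.SUPER_ADMIN, Role.ADMIN: Role.MANAGER}

def can_change_role(actor, current, new):
    """Return (allowed, reason) for an actor changing a user's role."""
    ceiling = MAX_GRANTABLE.get(actor)
    if ceiling is None:
        return False, f"{actor.name} cannot assign roles"
    if new > ceiling:
        return False, f"{actor.name} may grant at most {ceiling.name}"
    # Admins manage users "except Super Admins", so even a demotion is blocked.
    if actor is Role.ADMIN and current is Role.SUPER_ADMIN:
        return False, "ADMIN cannot edit a SUPER_ADMIN account"
    return True, "ok"

def review_bulk_change(actor, changes):
    """Split a bulk role change into accepted and rejected entries."""
    accepted, rejected = [], []
    for email, current, new in changes:
        ok, reason = can_change_role(actor, current, new)
        (accepted if ok else rejected).append((email, new.name, reason))
    return accepted, rejected

# Constructed sample batch: (email, current role, requested role).
SAMPLE_CHANGES = [
    ("lead@example.com", Role.USER, Role.MANAGER),
    ("ops@example.com", Role.MANAGER, Role.ADMIN),
    ("owner@example.com", Role.SUPER_ADMIN, Role.USER),
    ("peer@example.com", Role.ADMIN, Role.MANAGER),
]

if __name__ == "__main__":
    accepted, rejected = review_bulk_change(Role.ADMIN, SAMPLE_CHANGES)
    for entry in accepted:
        print("ACCEPT", entry)
    for entry in rejected:
        print("REJECT", entry)
```

Running the same batch as a Super Admin accepts all four entries, which is why the page limits that role to a handful of accounts.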
Deactivating Users
Temporary Deactivation:
Administration → Users → Select user
Click Deactivate
User status: Inactive
Effects:
Cannot log in
API keys disabled
Removed from groups (temporarily)
Data and history preserved
Permanent Deletion:
Administration → Users → Select user
Click Delete
Select deletion mode:
Soft Delete: User hidden, data preserved
Hard Delete: User and all data removed (irreversible)
Confirm deletion
Effects:
User completely removed
Group memberships removed
API keys revoked
Owned agents reassigned or deleted
Custom Permissions
Fine-Grained Control (Enterprise)
Enterprise customers can create custom permission sets:
Example: "Data Analyst" Custom Role
Setup:
Contact support or use Enterprise API
Define custom role with specific permissions
Assign to users
Custom role appears in role dropdown
Resource-Level Permissions
Control access at the individual resource level:
Example: Agent-Specific Permissions
Configuration:
Open Agent → Settings → Permissions
Click Add User Permission
Search for user
Select permission level:
No Access: Cannot see agent
View Only: Can see but not use
View & Use: Can query agent
Edit: Can modify settings
Manage: Full control including deletion
Save
Permission Scenarios
Scenario 1: Customer Support Organization
Roles & Groups:
Agent Access:
Support Agent → Support Team group only
Sales Agent → Sales Team group only
Engineering Agent → Engineering group + private data
Scenario 2: Multi-Tenant Consulting Firm
Structure:
Agent Isolation:
Each client has dedicated agents
Agents restricted to client-specific groups
Data sources scoped per client
Complete data isolation
Scenario 3: Enterprise with Contractors
Setup:
Contractor Permissions:
Cannot view organization settings
Cannot see other users
Cannot create/edit agents
Can only use assigned agents
No API access
Session timeout: 30 minutes (vs 8 hours for internal)
Security Best Practices
1. Role Assignment
✅ Do:
Assign minimum necessary role
Regular role reviews (quarterly)
Document why Super Admins are needed
Limit Super Admins to 2-3 maximum
Use Manager role for team leads
Default new users to User role
❌ Don't:
Give everyone Admin role "just in case"
Make all managers Super Admins
Skip role justification
Forget to review after org changes
2. Principle of Least Privilege
Implement progressively:
Week 1: Assign basic roles
Month 1: Add group-based restrictions
Month 3: Implement resource-level permissions
Month 6: Fine-tune based on usage patterns
3. Access Reviews
Monthly:
Review new user assignments
Check for role escalations
Verify group memberships
Quarterly:
Full permission audit
Recertify privileged access (Admin+)
Remove unused accounts
Update group structures
Annually:
Review role definitions
Update permission policies
Train admins on permission management
4. Segregation of Duties
For sensitive operations:
Operation | Required role | Approval required
Create agent | Manager+ | No
Add sensitive data source | Admin+ | Manager approval
Export all org data | Super Admin | CEO approval
Delete organization | Super Admin | Board approval
Change security policy | Super Admin | CISO approval
Monitoring & Auditing
Permission Change Logs
All permission changes are logged:
View Logs:
Logged Events:
Role changes
Group membership changes
Permission grants/revokes
User activations/deactivations
Role definition changes
Example Log:
Access Reports
Available Reports:
User Permissions Report
All users with their roles and groups
Export to CSV
Privileged Access Report
All Admins and Super Admins
Last login, last activity
Requires quarterly recertification
Inactive Users Report
Users who haven't logged in (configurable period)
Candidates for deactivation
Permission Changes Report
All permission changes in period
Grouped by type, user, or actor
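The periodic access review and the Privileged Access and Inactive Users reports described above, run over a user export, as an added Python example that is not Twig AI code. The CSV column names, the 90-day inactivity period and the sample rows are assumptions; the page does not show the export format.

```python
import csv
import io
from datetime import date

# Constructed sample export; column names are assumed, not Twig AI's format.
SAMPLE_EXPORT = """email,role,last_login
owner@example.com,Super Admin,2024-05-30
it1@example.com,Super Admin,2024-05-12
it2@example.com,Super Admin,2024-01-03
it3@example.com,Super Admin,
lead@example.com,Admin,2024-05-29
pm@example.com,Manager,2024-02-01
dev@example.com,User,2024-05-31
"""

PRIVILEGED = {"Admin", "Super Admin"}  # "Admin+" in the quarterly review
MAX_SUPER_ADMINS = 3                   # page recommends 2-3 per organization

def access_review(export_text, today, inactive_days=90):
    """Return findings for the checks listed under Access Reviews."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    findings = {"super_admin_excess": [], "privileged_recertify": [], "inactive": []}
    super_admins = [r["email"] for r in rows if r["role"] == "Super Admin"]
    if len(super_admins) > MAX_SUPER_ADMINS:
        findings["super_admin_excess"] = super_admins
    for r in rows:
        # An empty last_login means the account has never been used.
        last = date.fromisoformat(r["last_login"]) if r["last_login"] else None
        idle = None if last is None else (today - last).days
        if r["role"] in PRIVILEGED:
            findings["privileged_recertify"].append((r["email"], r["role"], idle))
        if idle is None or idle > inactive_days:
            findings["inactive"].append(r["email"])
    return findings

if __name__ == "__main__":
    for check, items in access_review(SAMPLE_EXPORT, date(2024, 6, 1)).items():
        print(check, items)
```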
API Access Control
API Key Permissions
API keys inherit user permissions:
Role | API access
Super Admin | Full API access, all operations
Admin | Most operations, excluding billing
Manager | CRUD for own resources, read for group
User | Chat/completion, read own data
Scoped API Keys
Create API keys with limited scope:
Scope Options:
CHAT: Chat/completion requests only
VIEW_AGENTS: List and read agents
MANAGE_AGENTS: Create/edit/delete agents
VIEW_DATA: Read data sources and analytics
MANAGE_DATA: Modify data sources
ADMIN: Full administrative access
Troubleshooting
User Can't Perform Action
Diagnosis:
Check user's role: Administration → Users → [User]
Check group memberships
Check resource-specific permissions
Review audit logs for any restrictions
Common Issues:
Insufficient Role:
Not in Group:
Resource-Specific Restriction:
Permission Changes Not Taking Effect
Solutions:
Have user log out and back in
Clear browser cache
Check session timeout settings
If SSO, verify attribute sync
Next Steps
Agent Permissions - Control agent access
Group Management - Organize users
SSO Integration - Enterprise authentication
Audit Logs - Track all activities
Security Best Practices - Secure your org

