# Organization Settings

Role-based access control defines what users can do in Twig.

## User Roles

Twig has 4 user roles with escalating permissions:

| Role          | Description                                     | Typical User                 |
| ------------- | ----------------------------------------------- | ---------------------------- |
| **ReadOnly**  | Query agents, view responses                    | End users, employees         |
| **Train**     | Query + provide feedback, edit responses        | Support agents, QA team      |
| **Configure** | Train + manage agents, data sources, KB         | Product managers, team leads |
| **Admin**     | Configure + user management, billing, analytics | IT admins, account owners    |

## Permission Matrix

| Feature                           | ReadOnly | Train | Configure | Admin |
| --------------------------------- | -------- | ----- | --------- | ----- |
| **Queries**                       |          |       |           |       |
| Ask questions via Playground/API  | ✅        | ✅     | ✅         | ✅     |
| View own query history            | ✅        | ✅     | ✅         | ✅     |
| Edit own responses                | ❌        | ✅     | ✅         | ✅     |
| **Feedback & Training**           |          |       |           |       |
| Thumbs up/down on responses       | ❌        | ✅     | ✅         | ✅     |
| View own interactions in Inbox    | ❌        | ✅     | ✅         | ✅     |
| View team's interactions in Inbox | ❌        | ✅     | ✅         | ✅     |
| Edit team's responses             | ❌        | ✅     | ✅         | ✅     |
| **Configuration**                 |          |       |           |       |
| Manage data sources               | ❌        | ❌     | ✅         | ✅     |
| Create/edit AI agents             | ❌        | ❌     | ✅         | ✅     |
| Manage Knowledge Base articles    | ❌        | ❌     | ✅         | ✅     |
| Configure Auto KB generation      | ❌        | ❌     | ✅         | ✅     |
| **Administration**                |          |       |           |       |
| View analytics dashboard          | ❌        | ❌     | ❌         | ✅     |
| Manage users and roles            | ❌        | ❌     | ❌         | ✅     |
| Manage groups                     | ❌        | ❌     | ❌         | ✅     |
| View billing and usage            | ❌        | ❌     | ❌         | ✅     |
| Generate API keys                 | ❌        | ❌     | ❌         | ✅     |
| Configure SSO                     | ❌        | ❌     | ❌         | ✅     |

## Assign Roles

**Location**: Admin → Users → [User Name] → Role (dropdown)

**Steps**:

1. Click **Admin** in left navigation
2. Select **Users** tab
3. Find user in list
4. Click **Edit** button
5. Select role from dropdown
6. Click **Save**

**Expected result**: The new role is saved immediately and takes effect on the user's next login or page refresh.

## Role Guidelines

**ReadOnly**: For users who only need to ask questions and view answers

* Cannot provide feedback or edit responses
* No access to configuration or admin features
* Suitable for: All employees, customers (if public-facing)

**Train**: For users who help improve answer quality

* Can mark responses accurate/inaccurate
* Can edit responses for better phrasing
* Cannot modify agents or data sources
* Suitable for: Support agents, QA team, content reviewers

**Configure**: For users who manage AI behavior and content

* Full control over agents, data sources, KB
* Cannot access billing, user management, or analytics
* Suitable for: Product managers, engineering leads, content admins

**Admin**: For users who manage the organization

* Full access to all features
* Can view sensitive analytics and billing
* Can add/remove users and assign roles
* Suitable for: IT admins, account owners (limit to 2-3 users)
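
One way to check role assignments against the matrix and guidelines above is a small least-privilege audit. This is an added example, not Twig code or a Twig API: the feature keys, the user records, and the lowercase `train`/`admin` role strings are assumptions made for illustration (`readonly` and `configure` follow the API error format on this page).

```python
ROLES = ["readonly", "train", "configure", "admin"]  # escalating order
RANK = {r: i for i, r in enumerate(ROLES)}

# Lowest role holding each feature, per the Permission Matrix (keys are hypothetical).
BY_ROLE = {
    "readonly": ["ask_questions", "view_own_history"],
    "train": ["edit_own_responses", "give_feedback", "view_inbox", "edit_team_responses"],
    "configure": ["manage_data_sources", "manage_agents", "manage_kb", "configure_auto_kb"],
    "admin": ["view_analytics", "manage_users", "manage_groups",
              "view_billing", "generate_api_keys", "configure_sso"],
}
MIN_ROLE = {f: r for r, feats in BY_ROLE.items() for f in feats}
MAX_ADMINS = 3  # Role Guidelines: limit Admin to 2-3 users


def minimum_role(features):
    """Lowest role that covers every feature the user actually needs."""
    return max((MIN_ROLE[f] for f in features), key=RANK.__getitem__, default="readonly")


def audit(users):
    """Flag users above or below the role their tasks need, and too many Admins."""
    findings = []
    for u in users:
        needed = minimum_role(u["needs"])
        if RANK[u["role"]] > RANK[needed]:
            findings.append((u["name"], f"over-privileged: has {u['role']}, needs {needed}"))
        elif RANK[u["role"]] < RANK[needed]:
            findings.append((u["name"], f"under-privileged: has {u['role']}, needs {needed}"))
    admins = [u["name"] for u in users if u["role"] == "admin"]
    if len(admins) > MAX_ADMINS:
        findings.append(("*", f"{len(admins)} admins exceeds limit of {MAX_ADMINS}"))
    return findings


# Constructed sample assignments, not real data.
USERS = [
    {"name": "ana", "role": "admin", "needs": ["manage_agents", "manage_kb"]},
    {"name": "ben", "role": "readonly", "needs": ["give_feedback"]},
    {"name": "cy", "role": "train", "needs": ["edit_team_responses"]},
]

if __name__ == "__main__":
    for who, msg in audit(USERS):
        print(who, "-", msg)
```

An under-privileged finding marks a user whose API calls for that feature would get the `403 Forbidden` response; an over-privileged finding marks a candidate for a lower role.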

## Observable Behavior

**Role restrictions enforced**:

* UI: Users don't see menu items they can't access
* API: Returns `403 Forbidden` if user lacks permission

**Example**: ReadOnly user trying to create agent via API:

```json
{
  "error": "Insufficient permissions",
  "required_role": "configure",
  "current_role": "readonly"
}
```

## When This Doesn't Apply

For custom role definitions or permission granularity beyond these 4 roles, contact Enterprise sales for RBAC customization.
