For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
Copy to LLMGithubGo to App
DocumentationIntegrationsAgent OptimizationSelf-hosting OpikSDK & API referenceOpik University
DocumentationIntegrationsAgent OptimizationSelf-hosting OpikSDK & API referenceOpik University
  • Getting Started
    • Home
    • Quickstart
    • Quickstart notebook
    • Roadmap
    • FAQ
    • Changelog
  • Observability
    • Concepts
    • Log traces
    • Log conversations
    • Log user feedback
    • Log media & attachments
    • Cost tracking
    • Opik Assist
  • Evaluation
    • Overview
    • Concepts
    • Manage datasets
    • Evaluate single prompts
    • Evaluate your agent
    • Evaluate agent trajectories
    • Evaluate multimodal traces
    • Evaluate multi-turn agents
    • Manually logging experiments
    • Re-running an existing experiment
    • Annotation Queues
  • Prompt engineering
    • Prompt management
    • Prompt Playground
    • Prompt Generator and Improver
    • Opik's MCP server
  • Testing
    • Pytest integration
  • Production
    • Production monitoring
    • Online Evaluation rules
    • Gateway
    • Guardrails
    • Anonymizers
    • Alerts
    • Dashboards
  • Administration
    • Overview
    • Roles and Permissions
  • Contributing
    • Contribution Overview
LogoLogo
Copy to LLMGithubGo to App
On this page
  • Organization roles vs. workspace roles
  • Organization roles
  • Workspace roles
  • Default roles
  • Permissions by role
  • Custom roles
  • Assigning roles
  • Next steps
Administration

Roles and Permissions

Understanding and configuring workspace roles and the permission model
Was this page helpful?
Previous

Overview

Understanding workspace-level configuration options in Opik

Next
Built with

Opik uses a role-based access control (RBAC) system that allows you to define what users can do within workspaces. This guide explains how roles and permissions work, the default roles available, and how to create custom roles.

Organization roles vs. workspace roles

Opik has two levels of roles that work together:

LevelPurposeScopeExamples
Organization rolesControl access to organization-wide featuresEntire organizationAdmin, Member, View-Only Member
Workspace rolesControl what users can do within a workspaceSingle workspaceManage, Write, Annotator, Read

A user’s effective access is determined by both their organization role and their workspace role:

  • Organization role sets the maximum level of access a user can have across all workspaces (e.g., View-Only Members are restricted to read-only access organization-wide).
  • Workspace role determines what they can do within each workspace they’re a member of, up to the limit set by their organization role.

Organization roles

Every user in your organization has exactly one organization role:

RoleDescription
AdminFull access to the Admin Dashboard and all workspaces in the organization.
MemberCan have full access to any workspace they are added to. No access to the Admin Dashboard.
View-Only MemberRead-only access to workspaces they are added to. Cannot be granted write permissions in any workspace.

New users are assigned the Member role by default. Organization admins can change a user’s role from the Users page in the Admin Dashboard.

Workspace roles

Workspace roles control what users can do within a specific workspace. Users can have different roles in different workspaces.

Default roles

These roles are available in all Opik organizations and serve as the basis for custom roles:

RoleDescription
ManageFull admin access. Manage members, settings, and all resources.
WriteRead-write access. Create projects, log traces, run experiments.
AnnotateAnnotation access. View data and add annotations/feedback.
ReadRead-only access. View all data but cannot make changes.

Permissions by role

The table below shows the default permissions for each role. Custom roles can combine these permissions differently.

GroupPermissionManageWriteAnnotateRead
AdminInvite users to workspaceYesYesNoNo
AdminConfigure workspace settingsYesNoNoNo
AdminDefine AI providersYesYesNoNo
Experiment managementChange project settingsYesNoNoNo
Experiment managementApprove and manage modelsYesNoNoNo
ObservabilityCreate projectsYesYesNoNo
ObservabilityDelete projectsYesYesNoNo
ObservabilityView logsYesYesYesYes
ObservabilityLog trace, span, or threadYesYesNoNo
ObservabilityDelete traceYesYesNoNo
ObservabilityAnnotate trace, span, or threadYesYesYesNo
ObservabilityDefine online evaluation ruleYesYesNoNo
ObservabilityDefine alertYesYesNoNo
ObservabilityCreate annotation queueYesYesNoNo
DashboardsView dashboardsYesYesNoYes
DashboardsEdit dashboardsYesYesNoNo
DashboardsCreate dashboardsYesYesNoNo
DashboardsDelete dashboardsYesYesNoNo
ExperimentsView experimentsYesYesNoYes
ExperimentsCreate experiment ¹YesYesNoNo
DatasetsView datasets and test suitesYesYesNoYes
DatasetsCreate datasets and test suitesYesYesNoNo
DatasetsEdit datasets and test suitesYesYesNoNo
DatasetsDelete datasets and test suitesYesYesNoNo
Annotation queuesView annotation queuesYesYesYesYes
Annotation queuesCreate annotation queueYesYesNoNo
Annotation queuesEdit annotation queueYesYesNoNo
Annotation queuesDelete annotation queueYesYesNoNo
Annotation queuesExport annotation queue resultsYesYesYesYes
PlaygroundUse playgroundYesYesNoNo
OptimizationView Optimization runsYesYesNoYes
OptimizationDelete Optimization runsYesYesNoNo
OptimizationUse optimization studio ²YesYesNoNo

¹ Requires the Log trace, span, or thread permission.

² Requires Log trace, span, or thread, Annotate trace, span, or thread, and Create experiment permissions.

Custom roles

Custom roles are available on Enterprise plans. Reach out to enable this feature.

To create a custom role:

  1. Go to Admin Dashboard > Roles & Permissions.
  2. Click Create Role and configure permissions.
  3. Inherit from an existing role as a starting point.

Assigning roles

Roles can be updated in different places depending on the role type:

  • Organization roles can be updated by organization admins in Admin Dashboard > Users.
  • Workspace roles can be updated in Configuration > Members by any user with the Manage workspace role.

Next steps

  • Configure authentication with role mapping.
  • Manage users and assign roles.
  • Create service accounts with appropriate workspace access.