Users & roles

Every person in your workspace has one or more roles. Roles determine what someone can see and do — which documents they can read, whether they can run agent tasks, whether they can approve paused actions, and whether they have admin access. A user with several roles can do anything any of them allow.

As a department admin you can assign roles to people in your department. Platform admins can assign roles workspace-wide.

Assigning a role

Open the Users page in the admin console, find the person, and use the role selector to add or remove roles. Changes take effect the next time the user loads a page — there is no need to ask them to sign out.

Screenshot

The Users page showing the role selector for an individual user — added in a later docs update.

Roles at a glance

Role	What it grants
Employee	Ask questions; read documents at their access level.
Department user	Everything an employee can do, plus run agent tasks and read department-scoped documents.
Approver	Review and decide tasks paused for human approval.
Department admin	Manage users, documents, and settings within their department.
Platform admin	Configure the whole workspace; full access.
Security admin	View the audit log and run access reviews.
Developer	Build and register workflows, tools, and integrations.

For the full role-to-capability matrix, see Roles & permissions.

Document access is separate from roles

Roles control what users can do. What documents they can read is controlled by the document’s access level and department. These two controls work together — a user needs the right role to run a task and the right access level to see the documents that task draws from. See Managing knowledge for how to set document access correctly.

Need more access?

If a user can’t do something you think they should, check their roles first. If the role looks right but they’re still missing information, the issue is likely document access rather than their role. The Troubleshooting & FAQ page covers the most common cases.