Platform
Team and roles
Invite
- Settings -> Members -> Invite.
- Enter the email and pick a role.
- The invitee gets an email; they join on accept.
Invites are idempotent — re-sending refreshes the link.
Default roles
| Role | What they can do |
|---|---|
owner | Every permission, including delete_org and create_custom_role. |
admin | Every permission except create_custom_role. Manage members, workspaces, keys, guards, datasets. |
member | view_guard only. Add more by assigning a custom role. |
Custom roles
Named bundles of permissions. Use them when the three defaults don't map — for example, a "security" role that can manage guards but not members.
Permissions
| Permission | Lets the user |
|---|---|
edit_org_settings | Change org name, branding, integrations. |
create_api_keys | Create, rotate, deactivate API keys. |
invite_users | Send and revoke invites. |
change_user_role | Promote, demote, reassign members. |
create_workspace | Create workspaces. |
delete_workspace | Delete a workspace and its data. |
remove_user | Remove a member from the org. |
remove_workspace_member | Remove from a single workspace. |
create_custom_role | Define a new role. |
add_workspace_member | Add an org member to a workspace. |
delete_org | Delete the organization. Owner-level. |
manage_guard_rules | Create and edit Guard rules. |
manage_guard_policies | Create and edit Guard policies. |
view_guard | Read Guard dashboards and results. |
manage_datasets | Create, edit, delete datasets. |
view_datasets | Read datasets and entries. |
Workspace vs org membership
You can be in an org without being attached to any workspace. Admins add you via add_workspace_member. Keeps blast radius small — a contractor can be in the org for billing or audit purposes without seeing every customer's traces.