Roles and Permissions
Overview
Raikoo uses role-based access control (RBAC) to manage user permissions throughout the platform. Roles bundle related permissions together and can be assigned to users to control their access to features and resources.
The permission system operates at two scopes:
- Organization-scoped: Permissions that apply across the entire organization, controlling access to organization-wide resources like AI providers, users, teams, and settings.
- Project-scoped: Permissions specific to individual projects, controlling access to project entities like workflows, tools, agents, and context.
Users without the required permissions for a page or feature will be redirected to a 404 page or will not see the corresponding UI elements.
Organization-Scoped Permissions
Organization-scoped permissions control access to resources at the organization level. These permissions are managed through organization roles and applied to users at the organization level.
| Permission | Display Name | Operations | Description |
|---|---|---|---|
| ai-providers | AI Providers | view, crud | LLM provider configurations and API keys |
| agents | Agents | view, crud | Organization-level AI agent definitions |
| connections | Connections | view, crud | Resource connection configurations (SSH, etc.) |
| databases | Databases | view, crud | Database connections and query access |
| logs | Logs | view | Activity logs and audit trail |
| model-families | Model Families | view, crud | Model groupings and fallback sequences |
| oauth | OAuth | view, crud | OAuth provider configurations and tokens |
| projects | Projects | view, crud | Project creation and management |
| resources | Resources | view, crud | Compute resources and infrastructure |
| roles | Role Manager | crud | Create and assign permission roles |
| secrets | Secrets | view, crud | Encrypted secrets and credentials |
| settings | Settings | crud | Organization-wide configuration |
| teams | Teams | view, crud | Team membership and groupings |
| triggers | Triggers | view, crud | Event-driven workflow triggers |
| usage | Usage | view | Token usage and cost tracking |
| users | Users | view, crud | User accounts and access management |
| vector-stores | Vector Stores | view, crud | Vector database configurations for RAG |
| workflow-execution-schedule | Schedules | view, crud | Scheduled and recurring workflow runs |
| workflow-history | Workflow History | view, crud | Past workflow execution records |
| workflow-status-history | Workflow Status History | view, crud | Workflow run status and progress tracking |
| workspaces | Workspaces | view, crud | Persistent file storage workspaces |
Permission Operations
- view: Read-only access to view the resource
- crud: Full access to create, read, update, and delete the resource
Note that some permissions only support certain operations. For example, logs only supports view access, while roles only supports crud access.
Project-Scoped Permissions
Project-scoped permissions control access to resources within specific projects. These permissions are managed through project roles and applied to users at the project level.
| Permission | Display Name | Operations | Description |
|---|---|---|---|
| applications | Applications | view, crud | Deployed application experiences |
| api-endpoints | API Endpoints | view, crud | External API endpoint configurations |
| chat | Chat | view | Interactive chat with AI agents |
| context | Context | view, crud | Knowledge base and context documents |
| execute-workflow | Execute Workflow | view | Manually trigger workflow executions |
| operations | Operations | view, crud | Workflow operation definitions |
| agents | Agents | view, crud | Project-level AI agent definitions |
| teams | Teams | view, crud | Project team membership |
| tools | Tools | view, crud | AI tool definitions and configurations |
| users | Users | view, crud | Project user access and assignments |
| workflows | Workflows | view, crud | Workflow design and configuration |
Special Roles
The Raikoo permission system includes several special roles with elevated privileges:
Raikoo Admins
Users with the admin flag set at the system level have full access to the entire Raikoo platform, across all organizations and projects. This is the highest level of access and is typically reserved for platform administrators.
Organization Owners
Users designated as owners of an organization have full access to all resources and features within their organization. This includes:
- Full read and write access to all organization-scoped resources
- Ability to manage other users and assign roles
- Access to all projects within the organization
- Ability to configure organization settings
Project Viewers
Users with the organization-level projects.view permission automatically receive view access to all entities within all projects in the organization. This allows them to see project workflows, tools, agents, and other resources without needing explicit project-level role assignments.
This cascading permission is useful for stakeholders who need visibility into all projects without editing capabilities.
Project Editors
Users with the organization-level projects.crud permission are effectively project administrators. They automatically receive full access to all project-scoped resources across all projects in the organization, including:
- All view and crud operations on project entities
- Ability to manage project users and roles
- Ability to execute workflows and manage deployments
This cascading permission eliminates the need to assign project-level roles to organization-level project managers.
Cascading Permissions
The Raikoo permission system includes cascading logic that automatically grants project-level access based on organization-level permissions:
Organization Projects Permission Cascading
-
projects.crud: Users with this organization-level permission automatically gain full access (both view and crud) to all project-scoped resources in all projects. They do not need separate project-level role assignments.
-
projects.view: Users with this organization-level permission automatically gain view access to all project-scoped resources in all projects. They can see all project entities but cannot modify them unless they also have specific project-level roles with crud permissions.
Project-Level Role Layering
Project-level roles layer on top of organization-level cascading permissions. For example:
- A user with organization-level
projects.viewpermission can view all project resources - If that same user is assigned a project-level role with
workflows.crudpermission, they can edit workflows in that specific project - The combination of organization-level view access and project-level crud access gives them targeted editing capabilities
This layered approach provides flexibility in managing permissions while reducing the administrative overhead of role assignments.
OAuth Configuration Permissions
OAuth configuration permissions follow a special tiered access model:
Default Access (All Users)
Every authenticated user in Raikoo can manage their own OAuth configurations for personal integrations. This allows users to connect their individual accounts to external services without requiring special permissions.
Organization-Level View Access
Users with the organization-level oauth.view permission can:
- View all OAuth configurations in the organization
- Manage their own OAuth configurations
- See which integrations are configured by other users
This permission does not grant the ability to modify or use other users' OAuth tokens.
Organization-Level CRUD Access
Users with the organization-level oauth.crud permission can:
- View all OAuth configurations
- Manage their own OAuth configurations
- Create, modify, and delete OAuth configurations for any user in the organization
- Use OAuth tokens configured by other users in workflows and integrations
This permission level is typically reserved for organization administrators who need to manage integrations on behalf of users.
Role Creation
Roles can be created and managed at both the organization and project levels. The role creation interface allows administrators to define custom roles that bundle related permissions together.
Creating Organization Roles
- Navigate to Organization Settings → Roles
- Click Create Role
- Enter a role name and optional description
- Select the permissions to include in the role:
- Choose from the list of organization-scoped permissions
- For each permission, select the operation level (view or crud)
- Optionally, use the Users tab to assign the role to specific users
- Click Save to create the role
Creating Project Roles
- Navigate to a specific project
- Go to Project Settings → Roles
- Click Create Role
- Enter a role name and optional description
- Select the permissions to include in the role:
- Choose from the list of project-scoped permissions
- For each permission, select the operation level (view or crud)
- Optionally, use the Users tab to assign the role to specific users
- Click Save to create the role
Role Management Best Practices
- Create roles that reflect job functions (e.g., "Workflow Developer", "Data Analyst", "Observer")
- Use descriptive names that clearly indicate the role's purpose
- Start with minimal permissions and add more as needed
- Regularly review role assignments to ensure they remain appropriate
- Document custom roles and their intended use cases
Applying Roles to Users
Roles and permissions are assigned to users through the user management interfaces at both the organization and project levels.
Assigning Organization Roles
Organization roles are assigned through the organization-scoped user management interface:
- Navigate to Organization Settings → Users
- Select the user you want to modify or click Add User / Invite User
- In the user edit screen:
- Use the Roles section to assign one or more organization-level roles
- Use the Permissions section to assign individual permissions if needed
- Toggle the Owner switch to grant or revoke organization owner status
- Click Save to apply the changes
Assigning Project Roles
Project roles are assigned through the project-scoped user management interface:
- Navigate to a specific project
- Go to Project Settings → Users
- Select the user you want to modify or click Add User to Project
- In the user edit screen:
- Use the Roles section to assign one or more project-level roles
- Use the Permissions section to assign individual permissions if needed
- Click Save to apply the changes
Direct Permission Assignment
In addition to assigning roles, you can also assign individual permissions directly to users. This is useful for:
- Granting specific exceptions to a user's normal role
- Testing permission configurations before creating a formal role
- One-off permission grants that don't warrant a full role
To assign direct permissions, use the Permissions section in the user edit screen and select the specific permissions and operation levels needed.
Organization Owners
Organization owners have special status within Raikoo, granting them full control over all aspects of their organization.
Owner Capabilities
Organization owners automatically have:
- Full access to all organization-scoped resources
- Full access to all project-scoped resources in all projects
- Ability to manage users, roles, and permissions
- Ability to configure organization settings
- Ability to designate other users as owners
Owner status bypasses all permission checks, making it the highest level of access within an organization.
Designating Organization Owners
There are several ways to grant or revoke organization owner status:
During User Invitation
When adding or inviting a user to the organization:
- Navigate to Organization Settings → Users
- Click Add Existing User or Invite New User
- Toggle the Owner Capabilities switch to grant owner status
- Complete the user addition or invitation process
In User Management
For existing organization users:
- Navigate to Organization Settings → Users
- Select the user you want to modify
- Toggle the Owner switch in the user edit screen
- Click Save to apply the change
In Organization Settings (Admins Only)
Raikoo administrators can manage organization owners through the organization settings:
- Navigate to the admin panel
- Select the organization
- Go to the organization edit screen
- View all users with checkboxes to set their owner status
- Check or uncheck users as needed
- Save the changes
Owner Status Best Practices
- Limit the number of organization owners to maintain security
- Grant owner status only to trusted administrators
- Regularly review the list of organization owners
- Document who has owner status and why
- Consider using more granular roles for users who don't need full access