ContextQMD
Back to Crewai

Role-Based Access Control (RBAC)

docs/en/enterprise/features/rbac.mdx

1.14.5a312.0 KB
Original Source

Overview

RBAC in CrewAI AMP enables secure, scalable access management through two layers:

  1. Feature permissions — control what each role can do across the platform (manage, read, or no access)
  2. Entity-level permissions — fine-grained access on individual automations, environment variables, LLM connections, and Git repositories
<Frame> </Frame>

Users and Roles

Each member in your CrewAI workspace is assigned a role, which determines their access across various features.

You can:

  • Use predefined roles (Owner, Member)
  • Create custom roles tailored to specific permissions
  • Assign roles at any time through the settings panel

You can configure users and roles in Settings → Roles.

<Steps> <Step title="Open Roles settings"> Go to <b>Settings → Roles</b> in CrewAI AMP. </Step> <Step title="Choose a role type"> Use a predefined role (<b>Owner</b>, <b>Member</b>) or click{" "} <b>Create role</b> to define a custom one. </Step> <Step title="Assign to members"> Select users and assign the role. You can change this anytime. </Step> </Steps>

Predefined Roles

RoleDescription
OwnerFull access to all features and settings. Cannot be restricted.
MemberRead access to most features, manage access to environment variables, LLM connections, and Studio projects. Cannot modify organization or default settings.

Configuration summary

AreaWhere to configureOptions
Users & RolesSettings → RolesPredefined: Owner, Member; Custom roles
Automation visibilityAutomation → Settings → VisibilityPrivate; Whitelist users/roles

Feature Permissions Matrix

Every role has a permission level for each feature area. The three levels are:

  • Manage — full read/write access (create, edit, delete)
  • Read — view-only access
  • No access — feature is hidden/inaccessible
FeatureOwnerMember (default)Available levelsDescription
usage_dashboardsManageReadManage / Read / No accessView usage metrics and analytics
crews_dashboardsManageReadManage / Read / No accessView deployment dashboards, access automation details
invitationsManageReadManage / Read / No accessInvite new members to the organization
training_uiManageReadManage / Read / No accessAccess training/fine-tuning interfaces
toolsManageReadManage / Read / No accessCreate and manage tools
agentsManageReadManage / Read / No accessCreate and manage agents
environment_variablesManageManageManage / No accessCreate and manage environment variables
llm_connectionsManageManageManage / No accessConfigure LLM provider connections
default_settingsManageNo accessManage / No accessModify organization-wide default settings
organization_settingsManageNo accessManage / No accessManage billing, plans, and organization configuration
studio_projectsManageManageManage / No accessCreate and edit projects in Studio
<Tip> When creating a custom role, most features can be set to **Manage**, **Read**, or **No access**. However, `environment_variables`, `llm_connections`, `default_settings`, `organization_settings`, and `studio_projects` only support **Manage** or **No access** — there is no read-only option for these features. </Tip>

Deploying from GitHub or Zip

One of the most common RBAC questions is: "What permissions does a team member need to deploy?"

Deploy from GitHub

To deploy an automation from a GitHub repository, a user needs:

  1. crews_dashboards: at least Read — required to access the automations dashboard where deployments are created
  2. Git repository access (if entity-level RBAC for Git repositories is enabled): the user's role must be granted access to the specific Git repository via entity-level permissions
  3. studio_projects: Manage — if building the crew in Studio before deploying

Deploy from Zip

To deploy an automation from a Zip file upload, a user needs:

  1. crews_dashboards: at least Read — required to access the automations dashboard
  2. Zip deployments enabled: the organization must not have disabled zip deployments in organization settings

Quick Reference: Minimum Permissions for Deployment

ActionRequired feature permissionsAdditional requirements
Deploy from GitHubcrews_dashboards: ReadGit repo entity access (if Git RBAC is enabled)
Deploy from Zipcrews_dashboards: ReadZip deployments must be enabled at the org level
Build in Studiostudio_projects: Manage
Configure LLM keysllm_connections: Manage
Set environment varsenvironment_variables: ManageEntity-level access (if entity RBAC is enabled)

Automation‑level Access Control (Entity Permissions)

In addition to organization‑wide roles, CrewAI supports fine‑grained entity-level permissions that restrict access to individual resources.

Automation Visibility

Automations support visibility settings that restrict access by user or role. This is useful for:

  • Keeping sensitive or experimental automations private
  • Managing visibility across large teams or external collaborators
  • Testing automations in isolated contexts

Deployments can be configured as private, meaning only whitelisted users and roles will be able to interact with them.

You can configure automation‑level access control in Automation → Settings → Visibility tab.

<Steps> <Step title="Open Visibility tab"> Navigate to <b>Automation → Settings → Visibility</b>. </Step> <Step title="Set visibility"> Choose <b>Private</b> to restrict access. The organization owner always retains access. </Step> <Step title="Whitelist access"> Add specific users and roles allowed to view, run, and access logs/metrics/settings. </Step> <Step title="Save and verify"> Save changes, then confirm that non‑whitelisted users cannot view or run the automation. </Step> </Steps>

Private visibility: access outcomes

ActionOwnerWhitelisted user/roleNot whitelisted
View automation
Run automation/API
Access logs/metrics/settings
<Tip> The organization owner always has access. In private mode, only whitelisted users and roles can view, run, and access logs/metrics/settings. </Tip> <Frame> </Frame>

Deployment Permission Types

When granting entity-level access to a specific automation, you can assign these permission types:

PermissionWhat it allows
runExecute the automation and use its API
tracesView execution traces and logs
manage_settingsEdit, redeploy, rollback, or delete the automation
human_in_the_loopRespond to human-in-the-loop (HITL) requests
full_accessAll of the above

Entity-level RBAC for Other Resources

When entity-level RBAC is enabled, access to these resources can also be controlled per user or role:

ResourceControlled byDescription
Environment variablesEntity RBAC feature flagRestrict which roles/users can view or manage specific env vars
LLM connectionsEntity RBAC feature flagRestrict access to specific LLM provider configurations
Git repositoriesGit repositories RBAC org settingRestrict which roles/users can access specific connected repos

Common Role Patterns

While CrewAI ships with Owner and Member roles, most teams benefit from creating custom roles. Here are common patterns:

Developer Role

A role for team members who build and deploy automations but don't manage organization settings.

FeaturePermission
usage_dashboardsRead
crews_dashboardsManage
invitationsRead
training_uiRead
toolsManage
agentsManage
environment_variablesManage
llm_connectionsManage
default_settingsNo access
organization_settingsNo access
studio_projectsManage

Viewer / Stakeholder Role

A role for non-technical stakeholders who need to monitor automations and view results.

FeaturePermission
usage_dashboardsRead
crews_dashboardsRead
invitationsNo access
training_uiRead
toolsRead
agentsRead
environment_variablesNo access
llm_connectionsNo access
default_settingsNo access
organization_settingsNo access
studio_projectsNo access

Ops / Platform Admin Role

A role for platform operators who manage infrastructure settings but may not build agents.

FeaturePermission
usage_dashboardsManage
crews_dashboardsManage
invitationsManage
training_uiRead
toolsRead
agentsRead
environment_variablesManage
llm_connectionsManage
default_settingsManage
organization_settingsRead
studio_projectsNo access
<Card title="Need Help?" icon="headset" href="mailto:[email protected]"> Contact our support team for assistance with RBAC questions. </Card>