Role-Based Access Control (RBAC)

docs/v1.10.1/en/enterprise/features/rbac.mdx


Overview

RBAC in CrewAI AMP enables secure, scalable access management through a combination of organization‑level roles and automation‑level visibility controls.


Users and Roles

Each member in your CrewAI workspace is assigned a role, which determines their access across various features.

You can:

  • Use predefined roles (Owner, Member)
  • Create custom roles tailored to specific permissions
  • Assign roles at any time through the settings panel

You can configure users and roles in Settings → Roles.

<Steps>
  <Step title="Open Roles settings">
    Go to <b>Settings → Roles</b> in CrewAI AMP.
  </Step>
  <Step title="Choose a role type">
    Use a predefined role (<b>Owner</b>, <b>Member</b>) or click <b>Create role</b> to define a custom one.
  </Step>
  <Step title="Assign to members">
    Select users and assign the role. You can change this anytime.
  </Step>
</Steps>

Configuration summary

| Area | Where to configure | Options |
| --- | --- | --- |
| Users & Roles | Settings → Roles | Predefined: Owner, Member; Custom roles |
| Automation visibility | Automation → Settings → Visibility | Private; Whitelist users/roles |

Automation‑level Access Control

In addition to organization‑wide roles, CrewAI Automations support fine‑grained visibility settings that let you restrict access to specific automations by user or role.

This is useful for:

  • Keeping sensitive or experimental automations private
  • Managing visibility across large teams or external collaborators
  • Testing automations in isolated contexts

Deployments can be configured as private, meaning only whitelisted users and roles will be able to:

  • View the deployment
  • Run it or interact with its API
  • Access its logs, metrics, and settings

The organization owner always has access, regardless of visibility settings.

You can configure automation‑level access control in Automation → Settings → Visibility tab.

<Steps>
  <Step title="Open Visibility tab">
    Navigate to <b>Automation → Settings → Visibility</b>.
  </Step>
  <Step title="Set visibility">
    Choose <b>Private</b> to restrict access. The organization owner always retains access.
  </Step>
  <Step title="Whitelist access">
    Add specific users and roles allowed to view, run, and access logs/metrics/settings.
  </Step>
  <Step title="Save and verify">
    Save changes, then confirm that non‑whitelisted users cannot view or run the automation.
  </Step>
</Steps>
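For the "Save and verify" step, it helps to write down the expected outcome for each member before checking in the UI. The following is an added example, not CrewAI code: it models the visibility rules described above and flags whitelist entries worth reviewing. The data layout, names, sample members, and the treatment of non-private automations are assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Member:
    email: str
    role: str  # "Owner", "Member", or a custom role name

@dataclass
class Visibility:
    private: bool
    users: set = field(default_factory=set)  # whitelisted user emails
    roles: set = field(default_factory=set)  # whitelisted role names

def has_access(member, vis):
    """One decision covers view, run/API and logs/metrics/settings."""
    if member.role == "Owner":   # the organization owner always has access
        return True
    if not vis.private:          # assumption: non-private is open to all members
        return True
    return member.email in vis.users or member.role in vis.roles

def expected_access(members, automations):
    """Expected outcome per automation and member, to compare against the UI."""
    return {name: {m.email: has_access(m, vis) for m in members}
            for name, vis in automations.items()}

def whitelist_findings(members, automations):
    """Whitelist entries that match nobody, and access held only through a role."""
    emails, roles = {m.email for m in members}, {m.role for m in members}
    findings = []
    for name, vis in automations.items():
        if not vis.private:
            continue
        findings += [(name, "unknown-user", e) for e in sorted(vis.users - emails)]
        findings += [(name, "unused-role", r) for r in sorted(vis.roles - roles)]
        findings += [(name, "via-role", m.email) for m in members
                     if m.role != "Owner" and m.role in vis.roles
                     and m.email not in vis.users]
    return findings

# Constructed sample data (not a real export format).
MEMBERS = [Member("owner@example.com", "Owner"),
           Member("dev@example.com", "Member"),
           Member("analyst@example.com", "Analyst"),
           Member("contractor@example.com", "Reviewer")]
AUTOMATIONS = {
    "billing-crew": Visibility(True, {"analyst@example.com", "left@example.com"},
                               {"Reviewer", "Auditor"}),
    "demo-crew": Visibility(False),
}
```

The model covers only the visibility whitelist; permissions attached to a member's organization-level role are outside its scope.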

Private visibility: access outcomes

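| Action | Owner | Whitelisted user/role | Not whitelisted |
| --- | --- | --- | --- |
| View automation | Yes | Yes | No |
| Run automation/API | Yes | Yes | No |
| Access logs/metrics/settings | Yes | Yes | No |
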
<Tip>
  The organization owner always has access. In private mode, only whitelisted users and roles can view, run, and access logs/metrics/settings.
</Tip>

<Card title="Need Help?" icon="headset" href="mailto:[email protected]">
  Contact our support team for assistance with RBAC questions.
</Card>