Roles and Permissions

Opik uses a role-based access control (RBAC) system that allows you to define what users can do within workspaces. This guide explains how roles and permissions work, the default roles available, and how to create custom roles.

Organization roles vs. workspace roles

Opik has two levels of roles that work together:

Level	Purpose	Scope	Examples
Organization roles	Control access to organization-wide features	Entire organization	Admin, Member, View-Only Member
Workspace roles	Control what users can do within a workspace	Single workspace	Manage, Write, Annotator, Read

A user's effective access is determined by both their organization role and their workspace role:

• Organization role sets the maximum level of access a user can have across all workspaces (e.g., View-Only Members are restricted to read-only access organization-wide).
• Workspace role determines what they can do within each workspace they're a member of, up to the limit set by their organization role.

Organization roles

Every user in your organization has exactly one organization role:

Role	Description
Admin	Full access to the Admin Dashboard and all workspaces in the organization.
Member	Can have full access to any workspace they are added to. No access to the Admin Dashboard.
View-Only Member	Read-only access to workspaces they are added to. Cannot be granted write permissions in any workspace.

New users are assigned the Member role by default. Organization admins can change a user's role from the Users page in the Admin Dashboard.

Workspace roles

Workspace roles control what users can do within a specific workspace. Users can have different roles in different workspaces.

Default roles

These roles are available in all Opik organizations and serve as the basis for custom roles:

Role	Description
Manage	Full admin access. Manage members, settings, and all resources.
Write	Read-write access. Create projects, log traces, run experiments.
Annotate	Annotation access. View data and add annotations/feedback.
Read	Read-only access. View all data but cannot make changes.

Permissions by role

The table below shows the default permissions for each role. Custom roles can combine these permissions differently.

Group	Permission	Manage	Write	Annotate	Read
Admin	Invite users to workspace	Yes	Yes	No	No
Admin	Configure workspace settings	Yes	No	No	No
Admin	Define AI providers	Yes	Yes	No	No
Experiment management	Change project settings	Yes	No	No	No
Experiment management	Approve and manage models	Yes	No	No	No
Observability	Create projects	Yes	Yes	No	No
Observability	Delete projects	Yes	Yes	No	No
Observability	View logs	Yes	Yes	Yes	Yes
Observability	Log trace, span, or thread	Yes	Yes	No	No
Observability	Delete trace	Yes	Yes	No	No
Observability	Annotate trace, span, or thread	Yes	Yes	Yes	No
Observability	Define online evaluation rule	Yes	Yes	No	No
Observability	Define alert	Yes	Yes	No	No
Observability	Create annotation queue	Yes	Yes	No	No
Dashboards	View dashboards	Yes	Yes	No	Yes
Dashboards	Edit dashboards	Yes	Yes	No	No
Dashboards	Create dashboards	Yes	Yes	No	No
Dashboards	Delete dashboards	Yes	Yes	No	No
Experiments	View experiments	Yes	Yes	No	Yes
Experiments	Create experiment ¹	Yes	Yes	No	No
Datasets	View datasets and test suites	Yes	Yes	No	Yes
Datasets	Create datasets and test suites	Yes	Yes	No	No
Datasets	Edit datasets and test suites	Yes	Yes	No	No
Datasets	Delete datasets and test suites	Yes	Yes	No	No
Annotation queues	View annotation queues	Yes	Yes	Yes	Yes
Annotation queues	Create annotation queue	Yes	Yes	No	No
Annotation queues	Edit annotation queue	Yes	Yes	No	No
Annotation queues	Delete annotation queue	Yes	Yes	No	No
Annotation queues	Export annotation queue results	Yes	Yes	Yes	Yes
Playground	Use playground	Yes	Yes	No	No
Optimization	View Optimization runs	Yes	Yes	No	Yes
Optimization	Delete Optimization runs	Yes	Yes	No	No
Optimization	Use optimization studio ²	Yes	Yes	No	No

¹ Requires the Log trace, span, or thread permission.

² Requires Log trace, span, or thread, Annotate trace, span, or thread, and Create experiment permissions.

Custom roles

<Note> Custom roles are available on Enterprise plans. [Reach out](https://www.comet.com/site/about-us/contact-us/) to enable this feature. </Note>

To create a custom role:

1. Go to Admin Dashboard > Roles & Permissions.
2. Click Create Role and configure permissions.
3. Inherit from an existing role as a starting point.

Assigning roles

Roles can be updated in different places depending on the role type:

• Organization roles can be updated by organization admins in Admin Dashboard > Users.
• Workspace roles can be updated in Configuration > Members by any user with the Manage workspace role.

Next steps

• Configure authentication with role mapping.
• Manage users and assign roles.
• Create service accounts with appropriate workspace access.