Roles and Privileges
AISentinel implements a comprehensive role-based access control (RBAC) system to ensure secure and appropriate access to features based on organizational needs.
User Roles
OWNER
Highest level of access with full administrative control.
Account Management:
- ✅ Delete account and all associated data
- ✅ Transfer ownership to another user
- ✅ Manage billing and subscription settings
Team Management:
- ✅ Invite new members to the organization
- ✅ Assign OWNER, ADMIN, or MEMBER roles to users
- ✅ Remove any member from the organization
- ✅ Manage all team settings
Configuration & Security:
- ✅ Modify all tenant configuration settings
- ✅ Configure security policies (URL whitelists, LLM settings)
- ✅ Set resource limits and quotas
- ✅ Enable/disable advanced features
API Keys:
- ✅ Create API keys with any permission level
- ✅ Mint execution tokens for side-effecting operations
- ✅ Manage all API keys in the organization
ADMIN
Elevated access for trusted team members who need to manage operations.
Account Management:
- ❌ Cannot delete account
- ❌ Cannot transfer ownership
- ❌ Limited billing access
Team Management:
- ✅ Invite new members to the organization
- ✅ Assign ADMIN or MEMBER roles (cannot assign OWNER)
- ✅ Remove members from the organization
- ✅ Manage team settings
Configuration & Security:
- ✅ Modify all tenant configuration settings
- ✅ Configure security policies (URL whitelists, LLM settings)
- ✅ Set resource limits and quotas
- ✅ Enable/disable advanced features
API Keys:
- ✅ Create API keys with any permission level
- ✅ Mint execution tokens for side-effecting operations
- ✅ Manage all API keys in the organization
MEMBER
Standard access for team members who need to use AISentinel features.
Account Management:
- ❌ No account-level permissions
Team Management:
- ❌ Cannot invite members
- ❌ Cannot change roles
- ❌ Cannot remove members
- ✅ View team member list
Configuration & Security:
- ✅ Modify personal preferences (LLM skip tools, cost estimation settings)
- ❌ Cannot modify security settings (URL whitelists, resource limits)
- ❌ Cannot modify LLM configuration or enable advanced features
API Keys:
- ✅ Create API keys (but cannot mint execution tokens)
- ❌ Cannot create privileged API keys
- ✅ Manage their own API keys
Permission Matrix
|
| Account Management | | | |
| Delete account | ✅ | ❌ | ❌ |
| Transfer ownership | ✅ | ❌ | ❌ |
| Manage billing | ✅ | ❌ | ❌ |
| Team Management | | | |
| Invite members | ✅ | ✅ | ❌ |
| Assign OWNER role | ✅ | ❌ | ❌ |
| Assign ADMIN role | ✅ | ✅ | ❌ |
| Assign MEMBER role | ✅ | ✅ | ❌ |
| Remove members | ✅ | ✅ | ❌ |
| View team | ✅ | ✅ | ✅ |
| Configuration | | | |
| Security settings (URL whitelist, etc.) | ✅ | ✅ | ❌ |
| Resource limits | ✅ | ✅ | ❌ |
| LLM configuration | ✅ | ✅ | ❌ |
| Advanced features | ✅ | ✅ | ❌ |
| Personal preferences | ✅ | ✅ | ✅ |
| API Keys | | | |
| Create privileged keys | ✅ | ✅ | ❌ |
| Mint execution tokens | ✅ | ✅ | ❌ |
| Create standard keys | ✅ | ✅ | ✅ |
| Manage own keys | ✅ | ✅ | ✅ |
| Manage all keys | ✅ | ✅ | ❌ |
Best Practices
For Organizations
- Limit OWNER roles to 1-2 trusted individuals
- Use ADMIN roles for team leads and trusted operators
- Regularly audit role assignments and API key usage
- Enable audit logging to track configuration changes
For Security
- API keys inherit creator permissions - only ADMIN/OWNER can create privileged keys
- Sensitive configurations require elevated roles - security settings can't be modified by standard members
- All configuration changes are logged for compliance and monitoring
Getting Help
If you need to change your role or need additional permissions, contact an OWNER or ADMIN in your organization.