AI Assistants Permissions

Role-based access control for workspace-owned AI Assistants.

Policy Resolution

Assistant actions are evaluated from workspace role capability, assistant capability, and plan/feature gates.

Effective Permission = Workspace Role Capability AND Entity Capability AND Plan/Feature Gate

Operation To Gate Mapping

| Operation | Gate |
|---|---|
| Open assistant editor | canRead |
| Run assistant chat | canRun |
| Edit behavior and prompt | canUpdate |
| Publish or revert | canUpdate |
| Delete assistant | canDelete |
| Move across workspace or org | canTransfer |

Role Availability Matrix

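| Role | View | Run | Edit/Publish | Delete | Transfer |
|---|---|---|---|---|---|
| Owner | Yes | Yes | Yes | Yes | Yes |
| Admin | Yes | Yes | Yes | Yes | No |
| Contributor | Yes | Yes | Yes | No | No |
| Reader | Yes | Yes | No | No | No |
| Guest | No | Limited | No | No | No |
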
Note:
Backend authorization is final for update, delete, transfer, and publish actions.
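
The resolution rule, gate mapping and role matrix above, written as a deny-by-default server-side check. This is an added example, not the product's own code: the operation keys, the `entity_caps`, `plan_gates` and `explicit_grants` parameters, and the `guestRun` opt-in used to model the "Limited" Guest cell are assumptions.

```python
ALL_GATES = frozenset({"canRead", "canRun", "canUpdate", "canDelete", "canTransfer"})

# Operation -> gate, from "Operation To Gate Mapping" (operation keys are made-up names).
OPERATION_GATE = {
    "open_editor": "canRead",
    "run_chat": "canRun",
    "edit_behavior": "canUpdate",
    "publish_or_revert": "canUpdate",
    "delete": "canDelete",
    "transfer": "canTransfer",
}

# Role -> gates, from the "Role Availability Matrix".
ROLE_GATES = {
    "Owner": ALL_GATES,
    "Admin": ALL_GATES - {"canTransfer"},
    "Contributor": frozenset({"canRead", "canRun", "canUpdate"}),
    "Reader": frozenset({"canRead", "canRun"}),
    "Guest": frozenset(),
}

# "Limited" cells. Assumption: limited means the assistant itself must opt in
# through a hypothetical entity capability; the page does not define "Limited".
LIMITED = {("Guest", "canRun"): "guestRun"}


def is_allowed(role, operation, entity_caps, plan_gates, explicit_grants=frozenset()):
    """Effective permission = role capability AND entity capability AND plan gate."""
    gate = OPERATION_GATE.get(operation)
    if gate is None or role not in ROLE_GATES:
        return False  # unknown operation or role: deny by default
    opt_in = LIMITED.get((role, gate))
    if opt_in is not None:
        role_ok = opt_in in entity_caps
    else:
        # explicit_grants models an explicitly granted capability on top of
        # the role default (assumed representation).
        role_ok = gate in ROLE_GATES[role] or gate in explicit_grants
    # All three factors must hold; any missing one denies the action.
    return role_ok and gate in entity_caps and gate in plan_gates
```
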

FAQ

How are assistant permissions calculated?

Effective permission is computed from workspace role capability, assistant entity capability, and plan or feature gates.

Can Reader use assistants?

Yes. Reader can view and run assistants where supported, but cannot edit, publish, delete, or transfer.

Can Contributor delete assistants?

No. Contributor can create and update assistants but cannot delete or transfer them by default.

Can Admin transfer assistants by default?

No. Transfer remains role-capped unless explicit transfer capability is granted.

Are backend checks still applied when buttons are visible?

Yes. Backend authorization remains authoritative for every protected action.

Tip:
For cross-entity policy details, see Workspace Permissions Matrix.