Use this matrix when you need a quick, reliable answer to who can do what across chatbots, tools, assistants, prompts, and personas in a workspace.
Last Reviewed
February 15, 2026
Scope
Workspace-level role and capability rules
Permission Formula
Chatbots, Tools, Assistants
Effective Permission = Workspace Role Capability AND Entity Capability AND Plan/Feature GatePrompts, Personas
Effective Permission = Workspace Role Capability AND Plan/Feature GateRole Baseline Capabilities
| Role | Contribute | Read | Run | Update | Delete | Transfer |
|---|---|---|---|---|---|---|
| Owner | Yes | Yes | Yes | Yes | Yes | Yes |
| Admin | Yes | Yes | Yes | Yes | Yes | No |
| Contributor | Yes | Yes | Yes | Yes | No | No |
| Reader | No | Yes | Yes | No | No | No |
| Guest | No | No | Yes | No | No | No |
Cross-Entity Role Matrix
| Role | Chatbots | Tools | Assistants | Prompts | Personas |
|---|---|---|---|---|---|
| Owner | Full access | Full access | Full access | Full access | Full access |
| Admin | View, run, edit, delete (no transfer) | View, run, edit, delete (no transfer) | View, run, edit, delete (no transfer) | View, add/edit, delete | View, add/edit, delete |
| Contributor | View, run, edit (no delete/transfer) | View, run, edit (no delete/transfer) | View, run, edit (no delete/transfer) | View, add/edit (no delete) | View, add/edit (no delete) |
| Reader | View and run only | View and run only | View and run only | View only | View only |
| Guest | Run-only, limited entry points | No workspace management access | No workspace management access | No workspace management access | No workspace management access |
Feature Gates That Still Apply
- Plan limits and feature entitlements can disable actions even when role permissions allow them.
- Transfer actions are explicitly role-capped and additionally checked by capability flags.
- Organization-level admin/owner privileges may grant elevated fallback access in some flows.
FAQ
How are effective permissions calculated?+
Permissions are computed using role capability, entity capability (where applicable), and plan/feature gates. The backend remains authoritative for every protected action.
Q1
Why can an Admin edit and delete but not transfer?+
Transfer is role-capped by default. Admin can manage most actions, but transfer to another workspace or organization is restricted unless explicitly allowed.
Q2
What is the difference between Contributor and Reader?+
Contributor can create and update workspace resources. Reader can view and run where allowed, but cannot create, edit, delete, or transfer.
Q3
Why can Guest sometimes run but not open workspace pages?+
Guest access is intentionally limited. Some run entry points may be available, but workspace management/detail pages are blocked.
Q4
Do prompts and personas use entity-level permission flags?+
In current implementation, prompt and persona flows are primarily workspace-capability driven and then filtered by plan/feature gates.
Q5
Can plan features still block actions if my role allows them?+
Yes. Role access does not bypass product/plan gates. If a feature is disabled in your plan, the action remains unavailable.
Q6
Related Pages
- Workspaces Overview
- AI Agents Permissions (Help)
- AI Tools Permissions (Help)
- AI Assistants Permissions (Help)
- Prompts Permissions (Help)
- Personas Permissions (Help)
- Workspaces Product Page
- AI Agents Permissions
- AI Tools Permissions
- AI Assistants Permissions
- Prompts API Permissions
- Personas API Permissions
- Security