# Roles & Permissions

## Overview

Kognitos uses a **role-based access control (RBAC)** system to manage who can access your automations and what actions they can perform. Roles can be assigned at two levels:

1. **Organization**: Grants access and permissions across **all workspaces** in the organization
2. **Workspace**: Limits access and permissions to a **specific workspace** in the organization

## Organization-Level Roles

Organization-level roles provide broad access across all workspaces in an organization. These roles are designed for executives and administrators who need organization-wide visibility and control.

### 1. Account Owner

Has complete administrative control over the entire organization and all its workspaces.

{% hint style="info" %}
This role is automatically assigned to whoever owns the organization. Ownership can be **transferred** by either the current owner or the Kognitos support team.
{% endhint %}

### 2. Org Admin

Has near-complete administrative access across the organization and all its workspaces. The exceptions: an Org Admin cannot delete the organization or remove the current Account Owner.

### 3. CXO

Provides high-level, read-only oversight across the organization. It is designed for executives who need visibility into performance and metrics without operational access.

### Organization-Level Permissions

| Permission                           | Account Owner | Org Admin | CXO |
| ------------------------------------ | ------------- | --------- | --- |
| **View Workspaces**                  | ✅             | ✅         | ✅   |
| **Create Workspaces**                | ✅             | ✅         | ❌   |
| **Edit Workspaces**                  | ✅             | ✅         | ❌   |
| **Delete Workspaces**                | ✅             | ✅         | ❌   |
| **Delete Organization**              | ✅             | ❌         | ❌   |
| **Manage Users** (Add, Edit, Remove) | ✅             | ✅         | ❌   |
| **Manage Org Preferences**           | ✅             | ✅         | ❌   |
| **View Automation Aggregates**       | ✅             | ✅         | ✅   |
| **View Automation Runs**             | ✅             | ✅         | ✅   |
| **Archive Runs**                     | ✅             | ✅         | ❌   |
| **Manage Notification Preferences**  | ✅             | ✅         | ✅   |
| **Manage Org-Level API Keys**        | ✅             | ✅         | ❌   |

## Workspace-Level Roles

Workspace-level roles are scoped to individual workspaces. Users can have different roles across different workspaces based on their responsibilities in the automation workflow.

### 1. Workspace Admin

Complete control within a workspace, including automations, exceptions, guides, and connections.

### 2. Automation Author

Focused on developing and testing automations. Can create, edit, fork, restore, validate, publish, and invoke automations.

### 3. Automation Operator

Focused on day-to-day execution. Can run and monitor automations, manage runs, resolve exceptions, and read guides, but cannot modify automations.

### 4. Member

This role has limited access to invoke automations and observe their execution. It can view runs and exceptions, but it cannot create, modify, publish, schedule, delete, or configure any system resource.

### 5. IT / Integrator

Manages integrations, connections, and credentials. Has no access to automation logic or exceptions, ensuring clear separation between integration management and process execution.

### Workspace-Level Permissions

| Permission                                  | Workspace Admin | Author | Operator | Member | IT / Integrator |
| ------------------------------------------- | --------------- | ------ | -------- | ------ | --------------- |
| **Edit/Delete Workspace**                   | ✅               | ❌      | ❌        | ❌      | ❌               |
| **Manage Users** (Add, Edit, Remove)        | ✅               | ❌      | ❌        | ❌      | ❌               |
| **View Connections**                        | ✅               | ✅      | ❌        | ❌      | ✅               |
| **Manage Connections** (Add, Edit, Remove)  | ✅               | ❌      | ❌        | ❌      | ✅               |
| **Manage Books** (Add, Edit, Remove)        | ✅               | ❌      | ❌        | ❌      | ✅               |
| **View Automations**                        | ✅               | ✅      | ✅        | ✅      | ❌               |
| **Create Automations**                      | ✅               | ✅      | ❌        | ❌      | ❌               |
| **Edit Automations**                        | ✅               | ✅      | ❌        | ❌      | ❌               |
| **Delete Automations**                      | ✅               | ✅      | ❌        | ❌      | ❌               |
| **Fork Automations**                        | ✅               | ✅      | ❌        | ❌      | ❌               |
| **Publish Automations**                     | ✅               | ✅      | ❌        | ❌      | ❌               |
| **Invoke Automations**                      | ✅               | ✅      | ✅        | ✅      | ❌               |
| **View Runs**                               | ✅               | ✅      | ✅        | ✅      | ❌               |
| **Manage Runs** (Start, Control)            | ✅               | ✅      | ✅        | ❌      | ❌               |
| **Archive Runs**                            | ✅               | ✅      | ✅        | ❌      | ❌               |
| **Manage Schedules** (Create, Edit, Delete) | ✅               | ✅      | ❌        | ❌      | ❌               |
| **View Exceptions**                         | ✅               | ✅      | ✅        | ✅      | ❌               |
| **Manage Exceptions** (Control, Resolve)    | ✅               | ✅      | ✅        | ❌      | ❌               |
| **View Guides**                             | ✅               | ✅      | ✅        | ❌      | ❌               |
| **Manage Guides** (Create, Edit, Delete)    | ✅               | ✅      | ❌        | ❌      | ❌               |
| **View Platform Resources** (Read-Only)     | ✅               | ✅      | ✅        | ❌      | ❌               |
| **Manage Notification Preferences**         | ✅               | ✅      | ✅        | ✅      | ❌               |
| **Send Chat Messages**                      | ✅               | ✅      | ✅        | ❌      | ❌               |
| **Manage API Keys** (Add, Edit, Revoke)     | ❌               | ❌      | ❌        | ❌      | ✅               |
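
The following is an added example, not Kognitos code or a Kognitos API: it transcribes the workspace-level table above and picks the least-privileged single role that covers a set of required permissions, listing what that role grants beyond the request. The function names `granted` and `least_privileged_role` are hypothetical, and the matrix is a hand copy that must be kept in step with the table.

```python
# Workspace-level matrix transcribed by hand from the table on this page.
# Columns: Workspace Admin, Author, Operator, Member, IT / Integrator (Y = granted).
ROLES = ["Workspace Admin", "Author", "Operator", "Member", "IT / Integrator"]
MATRIX = {
    "Edit/Delete Workspace": "YNNNN",
    "Manage Users": "YNNNN",
    "View Connections": "YYNNY",
    "Manage Connections": "YNNNY",
    "Manage Books": "YNNNY",
    "View Automations": "YYYYN",
    "Create Automations": "YYNNN",
    "Edit Automations": "YYNNN",
    "Delete Automations": "YYNNN",
    "Fork Automations": "YYNNN",
    "Publish Automations": "YYNNN",
    "Invoke Automations": "YYYYN",
    "View Runs": "YYYYN",
    "Manage Runs": "YYYNN",
    "Archive Runs": "YYYNN",
    "Manage Schedules": "YYNNN",
    "View Exceptions": "YYYYN",
    "Manage Exceptions": "YYYNN",
    "View Guides": "YYYNN",
    "Manage Guides": "YYNNN",
    "View Platform Resources": "YYYNN",
    "Manage Notification Preferences": "YYYYN",
    "Send Chat Messages": "YYYNN",
    "Manage API Keys": "NNNNY",
}

def granted(role):
    """Permissions the matrix grants to one role."""
    i = ROLES.index(role)
    return {perm for perm, row in MATRIX.items() if row[i] == "Y"}

def least_privileged_role(needed):
    """Smallest single role covering `needed`, plus what it grants beyond that."""
    needed = set(needed)
    unknown = needed - set(MATRIX)
    if unknown:
        raise KeyError(f"not in the matrix: {sorted(unknown)}")
    covering = [r for r in ROLES if needed <= granted(r)]
    if not covering:
        return None  # no single role holds all of these permissions
    best = min(covering, key=lambda r: len(granted(r)))
    return best, sorted(granted(best) - needed)

if __name__ == "__main__":
    print(least_privileged_role({"Invoke Automations", "Manage Exceptions"}))
    print(least_privileged_role({"Edit Automations", "Manage API Keys"}))
```

A `None` result marks a request that crosses the separation the table enforces: API key management sits only with IT / Integrator, so pairing it with any automation permission has no single-role answer.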

