Roles, Permissions & Invites
Workspaces are team-scoped. Role-based access control keeps sensitive actions limited to the right people while letting practitioners manage their own prompts.
Roles
| Role | Key permissions |
|---|---|
| Owner | Billing, plan changes, credit top-ups, workspace settings, invite/remove members, manage prompts/runs/groups/personas |
| Admin | Manage prompts, runs, personas, groups, analytics projects, API keys, invite members |
| Member | Create/edit prompts they own, view analytics, download sources, run prompts manually |
- Owners can promote/demote any member.
- Admins can invite members but cannot change billing or downgrade owners.
- Members can request ownership changes, which trigger notifications for admins and owners.
Inviting teammates
- Head to Settings → People.
- Click Invite teammate, enter their email, and choose a role.
- Optional: assign prompt groups they should monitor immediately.
- Invites expire after seven days. Resend or revoke from the same screen.
Removing access
- Deactivate users from Settings → People. Removing a user preserves their prompts and runs (ownership transfers to the workspace owner).
- Removing a team member does not revoke the API keys they created. Rotate those keys separately under Settings → API.
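An added example, not part of Chatobserver's documentation or product: a Python check that flags API keys for rotation after a member loses access. The inventory format and field names (`email`, `status`, `deactivated_on`, `created_by`, `last_rotated`) are assumptions, since this page describes no export format, and the sample data is constructed.

```python
from datetime import date

# Constructed sample inventory. The page does not describe an export format,
# so every field name below is an assumption made for this example.
MEMBERS = [
    {"email": "owner@example.com", "role": "owner", "status": "active"},
    {"email": "dana@example.com", "role": "admin", "status": "active"},
    {"email": "lee@example.com", "role": "admin", "status": "deactivated",
     "deactivated_on": date(2024, 5, 2)},
]
API_KEYS = [
    {"label": "ci-pipeline", "created_by": "Lee@Example.com", "last_rotated": date(2024, 3, 1)},
    {"label": "dashboard", "created_by": "dana@example.com", "last_rotated": date(2024, 4, 10)},
    {"label": "legacy-export", "created_by": "sam@example.com", "last_rotated": date(2023, 11, 20)},
    {"label": "reporting", "created_by": "lee@example.com", "last_rotated": date(2024, 5, 3)},
]


def keys_needing_rotation(members, api_keys):
    """Return (label, reason) for keys whose creator no longer has access.

    A key is flagged when its creator is deactivated and the key has not been
    rotated after the deactivation date, or when the creator is missing from
    the member list entirely (removed earlier, so no date is known).
    """
    # Email addresses are compared case-insensitively.
    by_email = {m["email"].strip().lower(): m for m in members}
    findings = []
    for key in api_keys:
        creator = by_email.get(key["created_by"].strip().lower())
        if creator is None:
            findings.append((key["label"], "creator not in workspace"))
        elif creator["status"] != "active":
            cutoff = creator.get("deactivated_on")
            # Same-day rotation is ambiguous with date-only records, so it is
            # still flagged; a missing date is treated as "not rotated since".
            if cutoff is None or key["last_rotated"] <= cutoff:
                findings.append((key["label"], "creator deactivated, key not rotated since"))
    return findings


if __name__ == "__main__":
    for label, reason in keys_needing_rotation(MEMBERS, API_KEYS):
        print(f"ROTATE {label}: {reason}")
```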
Notification preferences
- Owners and admins receive email alerts for credit holds and run failures by default.
- Members can opt into prompt-level notifications from the prompt editor.
Audit log
- Critical events (role changes, prompt deletions, plan updates) appear in the activity log.
- Filter the log by user, action type, or date range for compliance reviews.
SSO & MFA
- Chatobserver authenticates users via email/password or Google. Enforce MFA at the identity provider level for additional protection.
- SAML support is on the roadmap; contact support if you need early access.