# Role-based access control

This reference explains LangSmith's Role-Based Access Control (RBAC) system for managing organization-level and workspace-level permissions.

<Note>
  RBAC (Role-Based Access Control) is an Enterprise feature for managing workspace-level permissions. If you are interested in this feature, [contact our sales team](https://www.langchain.com/contact-sales). Other plans default to using the Admin role for all users.
</Note>

LangSmith's RBAC system manages user permissions within workspaces. RBAC allows you to control who can access your LangSmith [workspace](/langsmith/administration-overview#workspaces) and what they can do within it.

In LangSmith, each user has:

* One [**organization role**](#organization-roles) that applies across the entire organization (separate from workspace RBAC).
  * The Organization User and Organization Viewer roles are only available in organizations on [Plus and Enterprise plans](https://langchain.com/pricing). In Developer organizations (single workspace), all users are assigned the Organization Admin role by default.
* One [**workspace role**](#workspace-roles) per workspace they're a member of (requires Enterprise RBAC feature).

On Enterprise plans, organizations can create [custom workspace roles](#custom-roles) with granular permission combinations.

To learn how to set up RBAC and assign roles to users, refer to the [User Management guide](/langsmith/user-management#set-up-access-control). Your identity provider can also assign roles automatically via [SCIM groups](/langsmith/user-management#set-up-scim-for-your-organization) or [SSO Groups Sync](/langsmith/user-management#sso-groups-sync-alternative).

<Note>
  For a comprehensive list of required permissions along with the operations and roles that can perform them, refer to the [Organization and workspace reference](/langsmith/organization-workspace-operations).
</Note>

## Role types

### Organization roles

Organization roles are **distinct from the workspace RBAC feature** and are used to manage organization-wide capabilities. The roles are system-defined and cannot be modified or extended. The [Organization User](#organization-user) and [Organization Viewer](#organization-viewer) roles are only available in organizations on [Plus and Enterprise plans](https://langchain.com/pricing). In Developer organizations (single workspace), all users are assigned the [Organization Admin](#organization-admin) role by default.

| Role                                            | Description                                                                                           |
| ----------------------------------------------- | ----------------------------------------------------------------------------------------------------- |
| [Organization Admin](#organization-admin)       | Full permissions to manage organization configuration, users, billing, and workspaces                 |
| [Organization Operator](#organization-operator) | Management access to workspaces and users for day-to-day operations, excluding admin-level privileges |
| [Organization User](#organization-user)         | Read access to organization information and ability to create personal access tokens                  |
| [Organization Viewer](#organization-viewer)     | Read-only access to organization information                                                          |

#### Organization admin

**Description**: Full permissions to manage all organization configuration, users, billing, and workspaces.

**Permissions**:

* `organization:manage` - Full control over organization settings, SSO, security, billing
* `organization:read` - Read access to all organization information
* `organization:pats:create` - Create organization-level [personal access tokens](/langsmith/administration-overview#personal-access-tokens-pats)

For a comprehensive list of required permissions along with the operations and roles that can perform them, refer to the [Organization and workspace reference](/langsmith/organization-workspace-operations).

**Key Capabilities**:

* Manage [organization settings](/langsmith/set-up-hierarchy#set-up-an-organization) and branding
* Configure [SSO and authentication methods](/langsmith/user-management#set-up-saml-sso-for-your-organization)
* Manage [billing](/langsmith/billing) and subscription plans
* Create and delete [workspaces](/langsmith/set-up-hierarchy)
* Invite and remove organization members
* Assign organization and workspace roles to members
* Create and manage [custom roles](#custom-roles)
* Configure RBAC and ABAC (Attribute-Based Access Control) policies
* View organization [usage](/langsmith/administration-overview#usage-limits) and analytics
* View [audit logs](/langsmith/audit-logs) (Enterprise)

For details on setting up and managing your organization, refer to the [Administration Overview](/langsmith/administration-overview#organizations).

#### Organization operator

**Description**: Management access for day-to-day operations, including workspace and user management. This role cannot manage Organization Admins or create organization-wide service keys.

**Permissions**:

* `organization:manage` - Control over organization settings, workspaces, and non-admin users
* `organization:read` - Read access to all organization information
* `organization:pats:create` - Create personal access tokens

For a comprehensive list of required permissions along with the operations and roles that can perform them, refer to the [Organization and workspace reference](/langsmith/organization-workspace-operations).

**Key Capabilities**:

* Create and manage [workspaces](/langsmith/set-up-hierarchy#set-up-a-workspace)
* Invite organization members (Organization User and Viewer roles only)
* Manage non-admin organization members (modify and remove Organization Users and Viewers)
* Assign workspace roles to members
* Create workspace-scoped service keys and service accounts
* View organization [usage](/langsmith/administration-overview#usage-limits) and analytics
* View [audit logs](/langsmith/audit-logs) (Enterprise)

**Restrictions**:

* Cannot invite, modify, or remove Organization Admins
* Cannot assign the Organization Admin role to users
* Cannot create organization-wide (non-workspace-specific) service keys
* Not automatically added to existing workspaces (only added to workspaces they create or are explicitly invited to)
* Cannot manage organization [billing](/langsmith/billing) or subscription plans
* Cannot configure [SSO or authentication methods](/langsmith/user-management#set-up-saml-sso-for-your-organization)
* Cannot create or manage [custom roles](#custom-roles)

#### Organization user

**Description**: Read access to organization information and ability to create personal access tokens.

**Permissions**:

* `organization:read` - Read access to organization information
* `organization:pats:create` - Create personal access tokens

For a comprehensive list of required permissions along with the operations and roles that can perform them, refer to the [Organization and workspace reference](/langsmith/organization-workspace-operations).

**Key Capabilities**:

* View organization members and workspaces
* View organization settings (but not modify)
* Create [personal access tokens](/langsmith/administration-overview#personal-access-tokens-pats) for API access
* Join workspaces they're invited to

**Restrictions**:

* Cannot modify organization settings
* Cannot manage billing or subscriptions
* Cannot create or delete workspaces
* Cannot invite or remove organization members
* Cannot manage roles or permissions

You can add an Organization User to a subset of workspaces and assign them workspace roles (if RBAC is enabled), which specify permissions at the workspace level.

#### Organization viewer

**Description**: Read-only access to organization information.

**Permissions**:

* `organization:read` - Read access to organization information

For a comprehensive list of required permissions along with the operations and roles that can perform them, refer to the [Organization and workspace reference](/langsmith/organization-workspace-operations).

**Key Capabilities**:

* View organization members and workspaces
* View organization settings

**Restrictions**:

* Cannot modify anything at the organization level
* Cannot create personal access tokens
* Cannot manage billing, workspaces, or members

### Workspace roles

Workspace roles are part of the **Enterprise RBAC feature** and control what users can do with resources inside a workspace:

| Role                                  | Description                                                                                       |
| ------------------------------------- | ------------------------------------------------------------------------------------------------- |
| [Workspace Admin](#workspace-admin)   | Full permissions for all resources, including workspace settings and member management            |
| [Workspace Editor](#workspace-editor) | Full permissions for most resources, cannot manage workspace settings or delete certain resources |
| [Workspace Viewer](#workspace-viewer) | Read-only access to all workspace resources                                                       |

<Note>
  RBAC (Role-Based Access Control) is a feature that is only available to [Enterprise](https://langchain.com/pricing) customers. If you are interested in this feature, [contact our sales team](https://www.langchain.com/contact-sales). Other plans default to using the Admin role for all users.
</Note>

#### Workspace admin

**Description**: Role with full permissions for all resources and the ability to manage the workspace.

**Permissions**:

* All create, read, update, delete, and share permissions for all resource types
* Workspace management capabilities

For a comprehensive list of required permissions along with the operations and roles that can perform them, refer to the [Organization and workspace reference](/langsmith/organization-workspace-operations).

#### Workspace editor

**Description**: Role with full permissions for most resources. Cannot manage workspace settings or delete certain critical resources.

**Key Differences from Admin**:

* Cannot delete [runs](/langsmith/observability-concepts#runs)
* Cannot manage workspace settings (change workspace name, etc.)
* Cannot manage workspace members (add, remove, or update member roles)

#### Workspace viewer

**Description**: Read-only access to all workspace resources.

**Permissions**: Read-only access to all resource types.

For a comprehensive list of required permissions along with the operations and roles that can perform them, refer to the [Organization and workspace reference](/langsmith/organization-workspace-operations).

<Tip>
  For step-by-step instructions on assigning workspace roles to users, refer to the [User Management guide](/langsmith/user-management#assign-a-role-to-a-user).
</Tip>

## Custom roles

<Info>Creating custom roles is available for organizations on the Enterprise plan.</Info>

[Organization Admins](#organization-admin) can create custom roles with specific combinations of permissions tailored to their organization's needs.

### Creating custom roles

Custom roles are created at the [organization](/langsmith/administration-overview#organizations) level and can be assigned to users in any [workspace](/langsmith/administration-overview#workspaces) within that organization.

**Steps**:

1. Navigate to Organization **Settings** > **Roles**.
2. Click **Create Custom Role**.
3. Select the permissions to include in the role.
4. Assign the custom role to users in specific workspaces.

For details on which specific permissions are required for each operation, refer to the [Organization and workspace operations reference](/langsmith/organization-workspace-operations).

Note the following details on custom roles:

* Custom roles can only be created and managed by Organization Admins.
* Custom roles are organization-specific (not transferable between organizations).
* Each custom role can have any combination of workspace-level permissions.
* Custom roles cannot have organization-level permissions.
* Users can have different roles (including custom roles) in different workspaces.

### Understand permission behavior

Some permissions offer granular control when used in custom roles:

* `workspaces:manage` does **not** include the ability to manage workspace members. To allow a custom role to add, remove, or update workspace members, you must explicitly grant `workspaces:manage-members`. The built-in Workspace Admin role includes both permissions automatically.
* `projects:increase-trace-tier` and `projects:decrease-trace-tier` are independent and can be granted separately. For example, you can allow a role to decrease retention without allowing it to increase retention. If a user lacks both permissions, the retention settings UI is hidden entirely. If they have only one, the UI is partially enabled (the disallowed direction is disabled).
* `projects:update` covers only metadata updates (name, description, tags) and does **not** grant the ability to change trace retention. To allow a custom role to modify trace tier, you must explicitly grant `projects:increase-trace-tier`, `projects:decrease-trace-tier`, or both.
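
The rules above can be checked mechanically when reviewing custom roles for least privilege. The following is an added example, not LangSmith code or an API client: a small Python review function that applies the three rules plus the restriction that custom roles cannot have organization-level permissions. The role names are constructed, and treating any permission that starts with `organization:` as organization-level is an assumption based on the permissions listed on this page.

```python
# Added example: models the permission rules documented on this page.
# It does not call the LangSmith API; the role names below are constructed.

# Assumption: organization-level permissions share this prefix, as the ones listed here do.
ORG_PREFIX = "organization:"

def retention_ui_state(perms):
    """Retention settings UI state implied by the two independent trace-tier permissions."""
    inc = "projects:increase-trace-tier" in perms
    dec = "projects:decrease-trace-tier" in perms
    if inc and dec:
        return "full"
    if inc:
        return "increase-only"   # partially enabled: decrease is disabled
    if dec:
        return "decrease-only"   # partially enabled: increase is disabled
    return "hidden"

def review_custom_role(name, perms):
    """Return effective capabilities and review findings for one custom role."""
    perms = set(perms)
    findings = []
    org_level = sorted(p for p in perms if p.startswith(ORG_PREFIX))
    if org_level:
        findings.append(f"organization-level permissions not allowed: {org_level}")
    can_manage_members = "workspaces:manage-members" in perms
    if "workspaces:manage" in perms and not can_manage_members:
        findings.append("workspaces:manage does not include member management")
    ui = retention_ui_state(perms)
    if "projects:update" in perms and ui == "hidden":
        findings.append("projects:update covers metadata only, not trace retention")
    return {
        "role": name,
        "can_manage_members": can_manage_members,
        "retention_ui": ui,
        "findings": findings,
    }

# Constructed sample roles for illustration.
SAMPLE_ROLES = {
    "project-maintainer": ["projects:update", "projects:decrease-trace-tier"],
    "workspace-settings": ["workspaces:manage", "projects:update"],
    "member-manager": ["workspaces:manage", "workspaces:manage-members"],
    "misconfigured": ["organization:manage", "projects:increase-trace-tier"],
}

if __name__ == "__main__":
    for role_name, role_perms in SAMPLE_ROLES.items():
        print(review_custom_role(role_name, role_perms))
```

A finding here is a prompt for review, not an error: a role with `workspaces:manage` and no `workspaces:manage-members` may be exactly the separation of duties you intended.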

