Skip to main contentContextual AI is excited to introduce Role-Based Access Control (RBAC) in Preview. RBAC is exclusive to customers on our Provisioned Throughput plan. Please contact your account team for more information.
Admins can now define custom roles with tailored permission bundles across key objects — including Agents, Datastores, Billing, and other administrative features. Permissions can be scoped to specific Agents or Datastores, enabling finer-grained governance so every team member has the right level of access for their role.
Groups make access management even simpler: add multiple users to a Group, then assign that Group to a Role.
Roles
Navigating to the Roles Page
First, click Settings under Admin in the side-panel.
Next, click Roles under Access Control.
Default Roles
Your tenant comes with three default roles:
Admin: Default role with full access to agents, datastores, and workspace settings.User: Default role that every new user is automatically assigned to. This role does not come with any access to agents or datastores.Power User: Default role that grants read access to all agents and datastores.
By default, all new users are given the User role. They won’t be able to access agents or datastores until they’re assigned a Role with higher-level permissions.
Creating a Custom Role
You can create custom roles to meet your governance needs. Here are examples of custom roles you can create:
- Billing Admin – Access to billing and usage features
- Data Ingestor – Manage and ingest documents within specific Datastores
- Agent User – Query and interact with designated Agents
- Agent Admin – Maintain and optimize designated Agents
First, click “New Role” in the Roles page.
Second, input a Role Name and Description. Click “Create role”.
Configuring Role Permissions
After creating a Role, you will be automatically directed to the Role page. The first tab is for you to configure permissions. Click “Add Permission” to associate a permission with the Role.
You will need to select what type of object you want to grant access to. You have three options:
Agents: Select this to give permissions on an agentDatastores: Select this to give permissions on a DatastoreAdmin Tools: Select this to give access to admin functions like billing and annotating feedback.
You can then configure permissions relevant to the object type you selected.
Configuring Agent Permissions
On the left, you’ll see a list of available permissions. Each defines what actions the Role can take.
Query Agents: This permission will let assigned users query the agent.Manage Agents: This permission will let assigned users query the agent and edit its configs. It is a superset of Query Agents.Create Agents: This permission will let assigned users create an agent.
On the right, you’ll see the objects these permissions apply to.
- For
Query Agents and Manage Agents, you can select specific agents or select All Agents.
- The
Create Agents permission will apply globally.
Configuring Datastore Permissions
On the left, you’ll see a list of available permissions. Each defines what actions the Role can take.
Read Documents: This permission will let assigned users see the datastore and read documents inside.Manage Documents: This permission will let assigned users read documents, as well as upload/delete them. It is a superset of Read Documents.Manage Datastores: This permission will let assigned users manage documents, as well as edit the datastore configs. It is a superset of Manage Documents.Create Datastores: This permission will let assigned users create a datastore.
On the right, you’ll see the objects these permissions apply to.
- For
Read Documents , Manage Documents and Manage Datastores, you can select specific datastores or select All Datastores.
- The
Create Datastores permission will apply globally.
Note that if a user is granted Query Agents permission on an Agent but does not have Read Documents access to its linked Datastores, they will still be able to query data from those Datastores through the agent.
Configuring Admin Permissions
On the left, you’ll see a list of available permissions. Each defines what actions the Role can take.
Create Agents: This permission will let assigned users create an agent.Create Datastores: This permission will let assigned users create a datastore.Manage Billing & Usage: This permission will let assigned users view and configure the Billing page.Manage Feedback Annotation: This permission will let assigned users view and annotate agent-level feedback.
All these permissions apply globally.
Review your Permissions
Review all the permissions that you have provisioned for the Role. You can add more permissions or remove existing ones by clicking on the three dots beside each permission and clicking “Remove”.
Assigning a User to a Role
To assign a user to the Role, click the Assigned Users tab in the Roles Page.
Next, click “Assign Users”. You’ll be able to select multiple users to add to the role. Click “Confirm”.
Third, review the users you’ve added. You can add more users or remove existing ones by clicking on the three dots beside a user and clicking “Remove”.
You’re all set! The assigned users now have the access defined in this Role.
Dealing with Role Conflicts
If a user is assigned to two roles with different permissions on the same object, we will take the union of permissions. Example:
- User is assigned to
Role A which is given Query Agents on All Agents
- User is also assigned to
Role B which is given the higher-level Manage Agents on Agent A.
- Outcome:
- User will have
Manage Agents on Agent A
- User will have
Query Agents on every other agent.
Managing Roles
After creating a Role, you can return to its configuration page at any time. To do so, navigate to the Roles page and click on the Role you want to edit.
You can also delete a Role by clicking on the three dots beside it and clicking “Delete”.
Creating Agents and Datastores
If a user has created an Agent or Datastore, an owner Role will automatically be created with Manage Agent or Manage Datastore permissions. The user will automatically be assigned to that Role.
Groups
Navigating to the Groups page
Groups can help simplify access management. You can add multiple users to a Group and assign the Group to a Role.
First, click Settings under Admin in the side-panel.
Next, click “Groups” under “Access Control”.
Creating a Group
Click “New Group”.
Fill in Group Name and Description
Click “Create group”. You’ll be automatically redirected to the Group page.
Assigning Users to the Group
Click the tab “Assigned Users”.
Click “Assign Users” and select the users you want to include in the Group. Click “Confirm”.
Review the users you have added. You can add more users to the Group or remove existing users by clicking the three dots and clicking “Remove”.
Associating a Group with a Role
Navigate to the first tab: “Roles”.
Click “Add Roles”.
You can select roles to associate with your Group.
Click “Add Roles”. You can add more roles or remove existing ones by clicking on the three dots and clicking “Remove”.
You’re set! Members of the Group now have have the access defined in the attached Roles.
Managing a Group
After creating a Group, you can return to its configuration page at any time. To do so, navigate to the Groups page and click on the Group you want to edit.
You can also delete a Group by clicking on the three dots beside it and clicking “Delete”.
