Access Control (RBAC)
Role-based access control lets you define who can do what in your organization.
Built-in Roles
| Role | Description |
|---|---|
| Owner | Full access including billing and org deletion |
| Admin | User management, settings, full API access |
| Editor | Upload, edit, delete documents; full search |
| Viewer | Read-only access to documents and search |
Permissions Matrix
| Permission | Owner | Admin | Editor | Viewer |
|---|---|---|---|---|
| View documents | Yes | Yes | Yes | Yes |
| Search | Yes | Yes | Yes | Yes |
| Upload documents | Yes | Yes | Yes | No |
| Delete documents | Yes | Yes | Yes | No |
| Manage users | Yes | Yes | No | No |
| Manage settings | Yes | Yes | No | No |
| Manage billing | Yes | No | No | No |
| Delete organization | Yes | No | No | No |
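
The matrix above can drive a least-privilege review of role assignments. The following is an added example, not part of the product's SDK: it models the built-in roles locally, and the function names and sample users are hypothetical. It assumes the role ordering (Viewer, Editor, Admin, Owner) implied by the nested permission sets in the matrix.

```python
# Added example: local model of the built-in role matrix (not SDK code).
ROLES = ["Viewer", "Editor", "Admin", "Owner"]  # least to most privileged

MATRIX = {
    "View documents":      {"Owner", "Admin", "Editor", "Viewer"},
    "Search":              {"Owner", "Admin", "Editor", "Viewer"},
    "Upload documents":    {"Owner", "Admin", "Editor"},
    "Delete documents":    {"Owner", "Admin", "Editor"},
    "Manage users":        {"Owner", "Admin"},
    "Manage settings":     {"Owner", "Admin"},
    "Manage billing":      {"Owner"},
    "Delete organization": {"Owner"},
}

def is_allowed(role, permission):
    """Deny by default: unknown roles or permissions are never allowed."""
    return role in MATRIX.get(permission, set())

def least_privileged_role(needed):
    """Return the lowest built-in role covering every needed permission."""
    unknown = set(needed) - set(MATRIX)
    if unknown:
        raise ValueError(f"not in matrix: {sorted(unknown)}")
    for role in ROLES:
        if all(is_allowed(role, p) for p in needed):
            return role
    raise RuntimeError("unreachable: Owner holds every permission")

def audit(assignments):
    """Flag users whose assigned role exceeds what their tasks require."""
    findings = []
    for user, (assigned, needed) in assignments.items():
        minimal = least_privileged_role(needed)
        if ROLES.index(assigned) > ROLES.index(minimal):
            findings.append((user, assigned, minimal))
    return findings

# Constructed sample data: user -> (assigned role, permissions the user needs)
SAMPLE = {
    "user_123": ("Admin", {"View documents", "Upload documents"}),
    "user_456": ("Viewer", {"Search"}),
    "user_789": ("Owner", {"Manage users", "Manage settings"}),
}

if __name__ == "__main__":
    for user, assigned, minimal in audit(SAMPLE):
        print(f"{user}: has {assigned}, needs only {minimal}")
```
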
Assigning Roles
```python
# Invite user with role
client.users.invite(
    email="user@example.com",
    role="editor"
)

# Update existing user role
client.users.update("user_123", role="admin")
```

Custom Roles (Enterprise)
Create custom roles with specific permissions:
```python
client.roles.create({
    "name": "Reviewer",
    "permissions": [
        "documents:read",
        "search:execute",
        "documents:comment"
    ]
})
```

Resource-Level Permissions
Restrict access to specific documents or collections:
```python
client.permissions.grant({
    "user_id": "user_123",
    "resource_type": "collection",
    "resource_id": "col_legal",
    "permission": "read"
})
```

API Key Scopes
Limit API key permissions:
```python
key = client.api_keys.create({
    "name": "Search Only",
    "scopes": ["search:execute"]
})
```