Skip to main content

Documentation Index

Fetch the complete documentation index at: https://explore.airia.com/llms.txt

Use this file to discover all available pages before exploring further.

Early Access: Custom Roles is rolling out to tenants in stages. If Settings → People & Access does not show Roles and Permissions for your tenant yet, contact your Airia representative for access. This page will be updated as Custom Roles becomes generally available.
Custom Roles let you define your own roles with a hand-picked set of permissions, in addition to the Default Roles that ship with Airia. Use a custom role when none of the Default Roles match the access you want to grant — for example, a reviewer who can read agents and catalog content but cannot change platform settings. Custom roles are scoped to your tenant and can be assigned to users and groups just like Default Roles.

Default vs custom roles

Two role types coexist in Settings → People & Access → Roles and Permissions:
  • Default Roles ship with the product and cannot be edited or deleted. They cover the most common access patterns out of the box.
  • Custom Roles are roles you define with your own name, description, and permission set. You can edit, duplicate, and delete them.
Both types appear in the same list and in role pickers throughout the product, tagged with a Default Role or Custom Role badge. The Default Roles available in every tenant are:
RoleDescription
Platform AdminSuper administrator with access to all tenants and platform-level operations
AdminFull administrator within a tenant
Read-Only AdminAdministrator with read-only access to tenant data
Security AdminAdministrator with credential management permissions
Project AdminProject-level administrator with write access to assigned projects only
End UserStandard user with basic access

Create a custom role

1

Open Roles and Permissions

Go to Settings → People & Access → Roles and Permissions.
2

Click Add New Role

Select Add New Role in the top-right corner.
3

Name the role

Enter a Role Name (required). Add a Description to help other admins understand the role’s purpose (optional).
4

Select permissions

Permissions are grouped by feature area (Catalog, Common, Community, Gateway, Governance, Marketplace, MCP, Security, Settings, and Studio). Expand a group to choose individual permissions, or use the Select all checkbox next to a group to grant it in full. Most permissions offer Manage and Read levels — pick the least-privileged level that does the job. Use the search box to find a permission by name.
5

Save the role

Click Create Role. The role becomes available to assign immediately.

Edit a custom role

1

Open the role's menu

On the Roles and Permissions list, click the menu at the end of the custom role’s row and choose Edit Role.
2

Update the role

Change the name, description, or permission selections.
3

Save your changes

Click Save. (Save stays disabled until you make a change.)
Editing a custom role updates the effective permissions of every user and group it’s assigned to. Changes can take up to 5 minutes to apply to active sessions.

View a Default Role’s permissions

You can’t edit a Default Role, but you can open it to inspect its permission set in read-only mode. Click anywhere on a Default Role’s row in the list, or open its menu and choose View Role. To build a role based on a Default Role’s permissions, duplicate it instead (see below).

Duplicate a role

Both Default and Custom Roles can be duplicated. Duplicating is the only way to base a new, editable role on a Default Role’s permission set without selecting every permission by hand.
1

Open the role's menu

Click the menu next to the role and choose Duplicate Role.
2

Edit the copy

The new role is named Copy of <original> and opens in the editor pre-populated with the original’s permissions. Rename it, adjust permissions, and click Save.

Create a project-scoped role

A role created with Add New Role grants its permissions across the entire tenant. To create a role whose access is limited to specific projects — like the built-in Project Admin — you must duplicate an existing project-scoped role rather than starting from scratch.
There is no option to make a brand-new role project-scoped, and a tenant-wide role can’t be converted into one. To create a project-scoped custom role, open the menu on Project Admin (or another project-scoped role), choose Duplicate Role, then rename the copy and adjust its permissions — the duplicate stays project-scoped. When you assign it to a user or group, select the specific projects it applies to.

Delete a custom role

A custom role can only be deleted when it is not assigned to any users or groups. Remove it from everyone first, then delete it.
1

Remove all assignments

Reassign the affected users and groups to another role, or remove this role from them, under Settings → People & Access → People.
2

Open the role's menu

Click the menu on the custom role’s row and choose Delete Role.
3

Confirm

Confirm the deletion in the dialog.
If the role is still assigned to any user or group, the deletion fails. Remove all assignments first. Default Roles cannot be deleted.

Assign a custom role

Custom Roles are assigned exactly like Default Roles. Roles can be assigned to both Users and Groups under Settings → People & Access → People — see User Management for the invite and edit flows. When you assign roles, custom and default roles appear together in the same picker.

Working with permissions

Permissions are scoped to your tenant — granting a permission applies it across all instances of that resource in the tenant, not to a single item. They are organized into ten feature-area groups; the largest are Settings (admin surfaces), Studio (agent authoring), and Security (guardrails, feeds, and integrations). Because the catalog grows with the product, use the in-product search rather than memorizing the full list.

Frequently asked questions

No — Default Roles are immutable. Duplicate one to start from its permission set, then edit the copy.
Yes. A user’s effective permissions are the union of all roles assigned to them, plus any roles inherited from their groups.
No. A role must be removed from all users and groups before it can be deleted — otherwise the deletion fails. Reassign affected users to another role first.
No. Custom roles can’t be imported or exported, and they aren’t shared across tenants. Each tenant defines its own custom roles independently. If you operate multiple tenants, recreate each custom role in every tenant where you need it.
Up to 5 minutes for active sessions.