- Feature area — the top-level group (Studio, Settings, Security, …).
- Capability — a specific feature within that area (for example Users, Guardrails, Models).
- Access level — what you can do with it. The common levels are:
- Read — view only.
- Manage — full write access (create, update, and delete).
- Browse / View page — open the feature’s page or area in the UI, with no data changes.
- A few areas use finer levels — for example Budgets uses All / Project / Your own scopes.
A user’s effective permissions are the union of every role assigned to them, directly or inherited from a group.
If a permission described here doesn’t appear in your role builder, it’s tied to a feature that isn’t enabled for your account yet. Contact your Airia representative if you need it.
Studio
Building, deploying, and operating agents, pipelines, models, tools, data sources, and related Studio assets.| Capability | Level | What it grants |
|---|---|---|
| Administration | Read | Access the System Agents settings — view system agents, enable/disable them, configure overrides, and pin/unpin versions (this single permission gates the whole System Agents area, including changes) |
| Agents & Pipelines | Read | List/view agents |
| Agents & Pipelines | Manage | Create, update, delete, execute, deploy, export, and version agents, and view feedback and requests |
| Assistants | Read | View assistants |
| Assistants | Manage | Create, update, and delete assistants |
| Attachments | Read | View/refresh attachment URLs |
| Attachments | Manage | Upload and delete attachments |
| Code Steps | Execute | Execute code steps in pipelines |
| Dashboard | Read | View usage dashboard, top agents, models, and tools |
| Data Sources / Connectors | Read | View data sources |
| Data Sources / Connectors | Manage | Create, update, and delete data sources |
| Deployments | Read | View deployments |
| Deployments | Manage | Create, update, delete, pin/unpin deployments, manage API keys, and run batch operations |
| Evaluations | Read | View evaluations |
| Evaluations | Manage | Create, clone, and delete evaluations |
| Execution Logs | Read | View pipeline execution logs |
| Execution Logs | Manage | Delete pipeline execution logs |
| Feeds | Consumption / Conversation / Execution / Gateway / Ingestion / Processing | View the corresponding activity and monitoring feed |
| Insights | Read | View insights dashboard |
| Jobs | Read | View jobs and results |
| Jobs | Manage | Create, delete, and execute (rename/cancel/retry) jobs |
| Knowledge Graphs | Read | View knowledge graphs |
| Knowledge Graphs | Manage | Create, update, and delete knowledge graphs |
| MCP Servers | Read | View MCP servers available to attach to agents as tools |
| MCP Servers | Manage | Create, update, and delete MCP servers used as agent tools |
| Memories | Read | View memories |
| Memories | Manage | Create, update, and delete memories |
| Models | Read | View available models |
| Models | Manage | Add, update, and remove models |
| Model Deprecation | Read | View model deprecation banners |
| Model Deprecation | Manage | Dismiss banners and bulk replace deprecated models |
| Projects | Read | List/view projects |
| Projects | Manage | Create, update, delete, pin/unpin, and archive projects |
| Prompts | Read | View reusable prompt templates used when building agents |
| Prompts | Manage | Create, update, and delete reusable prompt templates |
| Schedules | Read | View deployment schedules |
| Schedules | Manage | Create, update, and delete deployment schedules |
| Skills | Read | Browse skills page and view skills repositories |
| Skills | Manage | Create, update, and delete skills repositories |
| Smart Scan | Read | View smart scans |
| Smart Scan | Manage | Create, update, delete, and execute (retry/cancel) smart scans |
| Smart Scan Templates | Read | View SmartScan template groups |
| Smart Scan Templates | Manage | Create and delete SmartScan template groups |
| Tools | Read | View tools |
| Tools | Manage | Create, update, and delete tools |
| User Prompts | Read | View prompts saved by individual users |
| User Prompts | Manage | Create, update, and delete prompts saved by individual users |
| User Tasks | Read | Browse routines page and view user tasks and routines |
| User Tasks | Manage | Create, update, and delete user tasks and routines |
Gateway
AI Gateway and MCP Gateway configuration, monitoring, swarm, and resilience.| Capability | Level | What it grants |
|---|---|---|
| AI Gateway | Read | View AI gateway configs |
| AI Gateway | Read All | View all AI gateway configs across the tenant |
| AI Gateway | API Keys | Manage gateway API keys |
| AI Gateway | Manage | Create, update, delete gateway configs, and manage gateway API keys |
| MCP Gateway | Read | View MCP gateway list |
| MCP Gateway | Manage | Create, update, and delete MCP gateway servers |
| MCP Monitoring | Read | View MCP monitoring |
| Analytics / Monitoring | Read | View gateway monitoring |
| Resilience Rules | Read | View resilience rules |
| Resilience Rules | Manage | Create, update, and delete resilience rules |
| Swarm Management | Read | View swarm config |
| Swarm Management | Manage | Create, update, and delete swarm config |
Catalog
End-user catalog surfaces: chat spaces and enterprise search.| Capability | Level | What it grants |
|---|---|---|
| Enterprise Search | Read | Use enterprise search to find files across data store connectors |
| Chat Spaces | Read | View chat spaces |
| Chat Spaces | Manage | Create and update chat spaces |
Enterprise Search appears in two places: this Catalog permission grants the end-user search experience (finding files across connectors). The Settings → Enterprise Search permission grants the admin configuration of that feature (connecting data sources, deploying the integration).
Common
Cross-cutting capabilities every user touches: profile, conversations, artifacts, files, voice, and agent execution.| Capability | Level | What it grants |
|---|---|---|
| Agents | Execute | Execute an agent / pipeline (run a chat turn or job) |
| Artifacts | Read | View artifacts |
| Artifacts | Manage | Create and update artifacts |
| Conversations | Manage | Create, update, and delete conversations |
| Document Generation | Manage | Generate, convert, and process documents |
| OAuth Providers | Read | View own OAuth provider connection status |
| OAuth Providers | Manage | Authorize OAuth provider for user account |
| Profile | Read | View own profile |
| Profile | Manage | Update own profile |
| Roles | Read | View available roles |
| Text-to-Speech | Manage | Synthesize text to speech |
| User Files | Read | List and download user store files |
| User Files | Manage | Upload, rename, and delete user store files and folders |
| Voice Chat | Manage | Create voice chat sessions |
Governance
AI governance: use cases, assessments, risk registry, frameworks, workflows, disclosures, and AI-asset inventory.| Capability | Level | What it grants |
|---|---|---|
| AI Assets | Read | View AI assets |
| AI Assets | Manage | Create, update, and delete AI assets |
| AI Asset Metadata | Read | View AI asset metadata |
| AI Asset Metadata | Manage | Create, update, and delete AI asset metadata |
| Assessments | Read | View assessments |
| Assessments | Manage | Create, update, and delete assessments |
| Dashboard | Read | View governance dashboard |
| Disclosures | Read | View disclosures |
| Disclosures | Manage | Create, update, and delete disclosures |
| Frameworks | Read | View governance frameworks |
| Frameworks | Manage | Create, update, and delete governance frameworks |
| Risk Registry | Read | View risk registry |
| Risk Registry | Manage | Create, update, and delete risk entries |
| Governance Settings | Read | View governance settings |
| Governance Settings | Manage | Update governance settings and approver configuration |
| Use Cases | Read | View use cases |
| Use Cases | Manage | Create, update, and delete use cases |
| Workflows | Read | View governance workflows |
| Workflows | Manage | Create, update, and delete governance workflows |
Security
Security and compliance: guardrails, constraints, red teaming, posture management, SASE, code scanning, the AI app catalog, and audit-entry suppression.| Capability | Level | What it grants |
|---|---|---|
| AI App Catalog | Read | View AI app catalog |
| AI App Catalog | Manage | Block/unblock AI apps |
| Audit | Read | View suppressed audit entries |
| Audit | Manage | Suppress audit log entries |
| Security Center | Read | View security center |
| Security Center | Manage | Manage security center configuration |
| Code Scanner | Read | View scan results |
| Code Scanner | Manage | Execute scans |
| Agent Constraints | Read | View constraints |
| Agent Constraints | Manage | Create, update, and delete constraints |
| Endpoint Agent Policies | Manage | Manage endpoint agent security policies |
| Feeds | Cloudflare / Constraints / DLP / Events / Integration / Responsible AI / Violations | View the corresponding security monitoring feed |
| Guardrails | View page | Open the Guardrails page |
| Guardrails | Read | View guardrails |
| Guardrails | Manage | Create, update, and delete guardrails |
| Red Teaming | Read | View red team campaigns |
| Red Teaming | Manage | Create, delete, evaluate campaigns, and view/generate datasets |
| SASE Integration | Read | View Shadow AI configs |
| SASE Integration | Manage | Create, update, and delete Shadow AI configs |
| Security Posture Management | Read | View SPM dashboard |
| Security Posture Management | Manage | Create, update, delete, refresh, and connect SPM configs |
Security → Audit controls audit-entry suppression (hiding entries from the audit log). To let a role view the tenant audit log instead, use Settings → Audit Logging → Read.
Community
Private community library: agents, submissions, memberships, invite codes, contributors, and sharing.| Capability | Level | What it grants |
|---|---|---|
| Agents | Read | Browse the agent catalog in communities |
| Communities | Read | Browse private communities page and list/view communities the tenant is a member of |
| Communities | Manage | Create, update, and delete communities |
| Contributors | Read | View community contributors |
| Contributors | Manage | Update community contributors |
| Invite Codes | Read | View community invite codes |
| Invite Codes | Manage | Create and revoke community invite codes |
| Memberships | Read | View member lists in communities |
| Memberships | Manage | Invite tenants, revoke, change roles, and accept/decline invites |
| Sharing | Read | Share agents and resources with the community |
| Submissions | Read | View community submissions |
| Submissions | Review | Approve or reject submissions |
| Submissions | Manage | Create, submit, review, approve, reject, and update submissions |
| Users | Read | View community users |
| Users | Manage | Create, update, and delete community users |
Marketplace
Marketplace library, billing/subscriptions, and transactions.| Capability | Level | What it grants |
|---|---|---|
| Billing | Read | View billing portal and subscription info |
| Billing | Subscribe | Start a new subscription / service-pack checkout via the paywall |
| Billing | Manage | Create payments and checkout sessions |
| Library | Read | View marketplace library (models, agents, prompts) |
| Transactions | Read | View financial transactions and receipts |
MCP
Model Context Protocol gateway: servers, analytics, and tenant access.| Capability | Level | What it grants |
|---|---|---|
| Analytics | Read | View MCP analytics and usage |
| Servers | Read | Browse the custom remote MCP servers page and view individual servers |
| Servers | Manage | Create, update, and delete custom remote MCP servers |
| Tenant Access | Manage | Manage tenant server access |
Three MCP surfaces, three permission groups: Studio → MCP Servers (
Studio area above) attaches MCP servers to agents as tools; Gateway → MCP Gateway (Gateway area) is the hosted gateway that proxies and secures MCP traffic tenant-wide; MCP → Servers (here) registers the individual custom remote MCP servers exposed through that gateway.Budgets
Budget management — viewing and updating company, project, and personal budgets.| Capability | Level | What it grants |
|---|---|---|
| All budgets | Browse | Navigate through budget management views |
| All budgets | Read | Read all budgets: company, project, user, or gateway |
| All budgets | Update | Update all budgets: company, project, user, or gateway |
| Project budgets | Read | Read budgets for projects you belong to |
| Project budgets | Update | Update budgets for projects you belong to |
| Your own budget | Read | Read your own budget |
| Your own budget | Update | Update your own budget |
Settings
Organization administration: users, groups, SSO/SCIM, credentials, API keys, branding, data retention, and other tenant settings.| Capability | Level | What it grants |
|---|---|---|
| Account Settings | Read | View tenant/account info |
| Account Settings | Manage | Update tenant/account settings |
| Airia Agent | View page | Open the Airia Agent settings page |
| API Keys | Read | List/view API keys |
| API Keys | Manage | Create, update, delete, and generate API keys and view key scopes |
| Audit Logging | Read | View the tenant audit log |
| Branding | View page | Open the Branding settings page |
| Branding | Read | View branding config |
| Branding | Manage | Create, update, and delete branding |
| Build with AI | Read | View config |
| Build with AI | Manage | Update Build with AI config |
| Classifications | View page | Open the Classifications settings page |
| Classifications | Read | View classifications |
| Classifications | Manage | Create, update, and delete classifications |
| Cloud Connector | Read | View connected accounts |
| Cloud Connector | Manage | Configure connector groups |
| Credentials | View page | Open the Credentials settings page |
| Credentials | Read | List/view stored credentials (provider API keys, OAuth tokens, passwords) |
| Credentials | Manage | Create, update, and delete stored credentials |
| Custom Credentials | View page | Open the Custom Credentials settings page |
| Custom Credentials | Read | List/view custom-type credentials (admin-defined fields, e.g. an API key sent as an HTTP header) |
| Custom Credentials | Manage | Create, update, and delete custom-type credentials |
| Data Retention | Read | View retention settings |
| Data Retention | Manage | Update retention settings |
| Departments | View page | Open the Departments settings page |
| Departments | Read | List departments |
| Departments | Manage | Create, update, delete, and reorder departments |
| Enterprise Search | Read | View search config |
| Enterprise Search | Manage | Update enterprise search config |
| Extensions | Read | View extensions |
| Extensions | Manage | Create, update, and delete extensions |
| External Identity Provider | Read | View external IDP config |
| External Identity Provider | Manage | Save and validate external IDP config |
| External Monitoring | Read | View external OTEL monitoring data |
| Groups | Read | List/view groups |
| Groups | Manage | Create, update, delete, and bulk re-invite groups |
| Impersonation | Read | View impersonation client |
| Impersonation | Manage | Generate impersonation tokens |
| License Keys | View page | Open the License Keys settings page |
| License Keys | Read | List license keys |
| License Keys | Manage | Add and delete license keys |
| Meetings | View page | Open the Meetings settings page |
| Meetings | Read | View meeting config |
| Meetings | Manage | Create, update, and delete meeting configs |
| Notifications | Read | Browse notifications page and view alerts and notification subscriptions |
| Notifications | Manage | Send, update, and close/archive notifications and alerts |
| OAuth Connectors | View page | Open the OAuth Connectors settings page |
| OAuth Connectors | Read | View OAuth connectors |
| OAuth Connectors | Manage | Create, update, and delete OAuth connectors |
| Omni Agent | Read | View OmniAgent configuration |
| Omni Agent | Manage | Update OmniAgent configuration |
| People | View page | Open the People page |
| Rate Limits | Read | View rate limits |
| Rate Limits | Manage | Update rate limits |
| School Day | Read | Open the School Day settings page |
| SIEM | Read | View SIEM settings |
| SIEM | Manage | Update SIEM settings |
| SSO / Identity Providers | Read | View SSO configuration |
| SSO / Identity Providers | Manage | Add, update, delete, import identity providers, and generate SCIM tokens |
| Tenant Images | Read | View tenant images |
| Tenant Images | Manage | Upload and delete tenant images |
| Tenant Metrics | Read | View tenant metrics |
| Tool Efficiency | Read | View tool efficiency dashboard |
| Users | Read | List/view users |
| Users | Manage | Create, update, delete, re-invite users, assign roles/groups, reset passwords, and run batch operations |
| User Sync | Manage | Sync users and groups |
| Webhooks | Read | List/view webhooks |
| Webhooks | Manage | Create, update, and delete webhooks |
Looking for how to create, edit, duplicate, or assign roles? See Custom Roles.