Roles & Permissions
Understand the role-based access control system and what each role can do.
Pipelines uses a hierarchical role-based access control (RBAC) system. Each role inherits the permissions of the roles below it.
Role hierarchy
Org Admin
└── Project Admin (Owner or Viewer per project)
└── ContributorRole details
Org Admin
The highest-level role. Org Admins manage all resources within an organization and have implicit access to every project.
| Capability | Access |
|---|---|
| Manage projects | Create, edit, archive, delete any project in the org |
| Manage team | Invite users, assign roles across all projects |
| Organization settings | Models, MCP servers, API keys |
| Evaluation criteria | Create and manage org-scoped evaluation criteria |
| API keys | Create and manage API keys for external API access |
| All project operations | Full access to everything within every project |
Project Admin
Assigned per-project. A user can be a Project Admin on multiple projects, with different access levels on each. Each project assignment has one of two permission levels:
Owner
Full read/write access to the project.
| Capability | Access |
|---|---|
| Manage agents | Configure, edit, activate, pause, and archive the agents under test |
| Manage runs | Trigger runs, view all run data, edit evaluations, export |
| Data Explorer | Full access to run tables, derived columns, evaluations |
| Team (project) | Add/remove project team members, assign project-level roles |
Viewer
Read-only access to the project. Useful for stakeholders who need visibility without the ability to modify pipelines, tasks, or team configuration. Viewers see the same sidebar navigation as Owners, but all write actions are disabled.
| Capability | Access |
|---|---|
| View data | Read-only access to run data and agent configurations |
| Dashboards | View project and org dashboards |
| Team page | View the team roster (cannot add, remove, or modify members) |
| Agents | View agent configurations (cannot create, edit, activate, or manage) |
Viewers can see everything an Owner can see, but cannot create, edit, delete, publish, or manage anything. All restrictions are enforced at the API level — action buttons are hidden or disabled in the UI.
Contributor
The human-evaluation role. Contributors complete the human-eval tasks layered on agent runs within their projects.
| Capability | Access |
|---|---|
| Work queue | View and claim available evaluation tasks |
| Submit evaluations | Fill out forms and submit human evaluations of agent outputs |
| Review work | Complete reviews on assigned review nodes |
Personas
Users interact with the platform through two personas, each with its own sidebar navigation:
- Admin persona — shows the admin sidebar with project management, agent configuration, data explorer, team management, and organization settings.
- Contributor persona — shows the contributor sidebar with evaluation work queues and submitted evaluations.
Users who have both admin and contributor roles can switch between personas from the user menu:
- Click your name or avatar at the bottom of the sidebar to open the user menu.
- Select "Switch to Contributor" or "Switch to Admin".
The persona determines which navigation and features are visible, but does not change your underlying permissions.
The persona switch option only appears if your account has both admin and contributor roles. If you only have one role, you will not see this option.
Assigning roles
At the organization level
Org Admins manage users from the People page in the admin sidebar. From here you can invite new Org Admins or Project Admins, add contributors to projects, and manage role assignments. See Team Management for step-by-step instructions.
At the project level
Project Admin Owners manage team members from the project's Team page. Each user added to a project is assigned as either a Project Admin (Owner or Viewer) or a Contributor. See Team Management for details.
Contributor roles
Within a project, contributors can be further categorized using contributor types — custom labels that help organize human evaluators by function (e.g., "Domain Expert", "Safety Reviewer", "QA Specialist"). Contributor types are project-scoped and used for:
- Node claim restrictions — pipeline nodes can require a specific contributor type
- Per-type claim limits — maximum concurrent claims per contributor type
- Work schedule restrictions — per-type work schedules
- Task filtering — filter and assign evaluation tasks based on contributor type
See the Contributor types section in Team Management for how to manage them.