What is Role-Based Access Control?
RBAC is an access control model built around three concepts:- Roles — Named groupings that represent a job function or authority level (e.g., admin, member)
- Permissions — Specific actions a role is allowed to perform (e.g., create connectors, manage members, view billing)
- Assignments — Users are placed into a role; they inherit all of that role’s permissions automatically
Benefits of RBAC
- Less per-user configuration — Set permissions once on a role; every user assigned to it inherits them automatically. Role changes (e.g., someone moving teams) are a single update, not a sweep across individual accounts.
- Least-privilege by default — Access is scoped to what each role needs. Sensitive areas like billing, SCIM, and org settings stay out of reach for general members without any extra effort.
- Consistent onboarding — New users get the right access on day one by assigning a role, with no risk of missing a permission or over-granting access.
- Easier compliance — Access is tied to named roles rather than individuals, making it straightforward to show auditors who can do what. See Audit Log for a record of actions taken.
Limitations of RBAC
- No record-level control — Permissions apply to a whole resource type, not individual records. You cannot restrict a member to only their team’s data within the same connector.
- Write bundles creation and editing — Granting
writeon a resource lets users both create their own and edit any publicly shared version of it. These cannot currently be separated. - Two roles may not fit every org — The built-in admin/member split covers most cases, but organizations with many distinct access tiers may find the options limiting.
- Roles need periodic review — Access that was appropriate when someone joined may not be correct six months later. Stale role assignments accumulate without active maintenance.
When to Use RBAC
TextQL’s role system works well for organizations that have a clear split between users who manage the platform (admins) and users who use it to run analyses (members). Most deployments follow this pattern. Where it requires more thought is when different groups of members need meaningfully different levels of access — for example, a team that should be able to publish connectors versus one that should only be able to run chats. In those cases, configure the member role to the most restrictive common baseline and use SCIM group mappings if your IdP can enforce the distinction at provisioning time.How to Configure RBAC in TextQL
TextQL has two system roles. Each user in your organization is assigned exactly one.| Role | Description |
|---|---|
| admin | Full read and write access to all permissions across the organization |
| member | Scoped access — can create and use core features, but cannot manage org-level settings, billing, SSO/SCIM, or other members |
Creating a Role
- Navigate to Settings → Roles
- Click Create Role and give it a name
- Click Manage Permissions on the new role to configure its permission set
- Toggle the permissions you want this role to have across each resource category
Assigning a Role
- Navigate to Settings → Members
- Find the user and click the role dropdown next to their name
- Select admin or member and confirm
Permission Reference
Each role is composed of granular permissions grouped by resource. Permissions follow a consistent pattern:read (public), read_private (private/org-wide), write (create/edit public), and write_private (create/edit private). Below is a full reference of every configurable permission and what it controls.
API Access Key
API Access Key
Controls access to API keys used to authenticate programmatic requests to TextQL.
Default member permissions:
| Permission | What it does |
|---|---|
read | View and use public API access keys |
read_private | View and use private API access keys |
write | Create and edit public API access keys |
write_private | Create and edit private API access keys |
read onlyBilling
Billing
Controls visibility into your organization’s usage and billing data.
Default member permissions: none — billing is admin-only
| Permission | What it does |
|---|---|
read | View billing usage data |
Chat
Chat
Controls access to conversation threads with Ana.
Default member permissions:
| Permission | What it does |
|---|---|
read | View public chat conversations |
read_private | View private chat conversations |
write | Create and edit public chats |
write_private | Create and edit private chats |
read, writeConnector
Connector
Controls access to data source connections. See Connectors for setup details.
Default member permissions:
| Permission | What it does |
|---|---|
read | View public connectors |
read_private | View private connectors |
write | Create and edit public connectors |
write_private | Create and edit private connectors |
write (public connectors only)Context
Context
Controls access to organization-level context prompts that Ana uses to give business-specific answers. See What is Context.
Default member permissions: none
| Permission | What it does |
|---|---|
read | View organization context prompts |
write | Create, update, and delete organization context prompts |
Dashboard
Dashboard
Controls access to persistent dashboards built from Ana’s outputs. See Dashboards.
Default member permissions:
| Permission | What it does |
|---|---|
read | View public dashboards and chat with them |
read_private | View dashboards marked as restricted access, even if not shared with you |
write | Create your own dashboards and edit any public dashboard |
write_private | Edit any dashboard in the org, including restricted-access dashboards not shared with you |
write (public dashboards)Dataset
Dataset
Controls access to datasets — structured data files that can be uploaded or generated by Ana.
Default member permissions:
| Permission | What it does |
|---|---|
read | View public datasets |
read_private | View private datasets |
write | Create and edit public datasets |
write_private | Create and edit private datasets |
write (public datasets only)Feed
Feed
Controls access to the feed — posts, comments, and agent activity visible across the organization.
Default member permissions:
| Permission | What it does |
|---|---|
read | View feed posts and comments |
write | Create posts, comments, and manage agents |
writeMCP
MCP
Controls access to MCP (Model Context Protocol) server configurations used to extend Ana with external tools and data sources.
Default member permissions:
| Permission | What it does |
|---|---|
read | Read MCP server configurations |
write | Write/modify MCP server configurations |
readMember
Member
Controls visibility and management of users in your organization.
Default member permissions:
| Permission | What it does |
|---|---|
read | View organization members |
write | Manage organization members (invite, remove) |
readNotifications
Notifications
Controls access to notification preferences and in-app alerts.
Default member permissions:
| Permission | What it does |
|---|---|
read | View own notifications and preferences |
write | Mark notifications read, update preferences |
writeOntology
Ontology
Controls access to the ontology — the structured map of your business data. See What is Ontology.
Default member permissions:
| Permission | What it does |
|---|---|
read | View ontology schema, objects, attributes, metrics, and relations |
read_private | View private ontologies |
write | Create, update, and delete ontology schema, objects, attributes, metrics, and relations |
write_private | Create and edit private ontologies |
readOrganization
Organization
Controls access to top-level organization settings such as name, appearance, and global configuration.
Default member permissions: none — org settings are admin-only
| Permission | What it does |
|---|---|
read | View organization settings |
write | Manage organization settings |
Packages
Packages
Controls access to installable packages that extend TextQL’s functionality.
Default member permissions:
| Permission | What it does |
|---|---|
read | View org packages |
write | Install/remove org packages |
readPlaybook
Playbook
Controls access to automated analysis workflows. See Playbooks.
Default member permissions:
| Permission | What it does |
|---|---|
read | View public playbooks |
read_private | View private playbooks |
write | Create and edit public playbooks |
write_private | Create and edit private playbooks |
write (public playbooks only)Role
Role
Controls whether a user can view or modify role configurations themselves.
Default member permissions:
| Permission | What it does |
|---|---|
read | View role settings |
write | Manage role settings |
readSCIM
SCIM
Controls access to SCIM provisioning tokens and OAuth clients used for automated user lifecycle management. See SCIM.
Default member permissions: none — SCIM is admin-only
| Permission | What it does |
|---|---|
read | View SCIM tokens and OAuth clients |
write | Create and revoke SCIM tokens and OAuth clients |
Secret
Secret
Controls access to secrets — credentials and API keys stored securely for use in code and connectors.
Default member permissions:
| Permission | What it does |
|---|---|
read | View and use secrets in code (own secrets) |
read_private | View all secrets in the organization |
write | Create, update, and delete own secrets |
write_private | Edit and delete any secret in the organization |
write (own secrets only)Usage
Usage
Controls visibility into organization-level usage metrics and ACU consumption data.
Default member permissions: none — usage data is admin-only
| Permission | What it does |
|---|---|
read | View organization usage metrics and ACU data |
Model Access
Model Access
Controls which AI models members can use and whether they can override the org default. See Model Management for full model management options.
Default member permissions: model switching disabled; allowed models and default set by admin
| Permission | What it does |
|---|---|
allow_model_switching | Users can override the default model in chat |
| Default Model | The model used when this role starts a new chat (defaults to Org Default) |
| Allowed Models | Which models this role can select from |
Permission levels for Chat, Playbook, and Dashboard
| Permission | What it means |
|---|---|
read | View public chats / playbooks and download all artifacts and outputs (CSVs, charts, PDFs). For Dashboard, also includes the ability to chat with the dashboard. |
read_private | View restricted-access resources that are not shared with you |
write | Create your own chat/playbook/dashboard and edit any publicly shared ones |
write_private | Create, edit, or delete any resource in the org regardless of its access settings or whether it was shared with you |
Provisioning Roles at Scale with SCIM
If your organization uses an identity provider like Okta or Azure AD, you can provision and deprovision users automatically and map IdP groups to TextQL roles using SCIM. This is the recommended approach for organizations with more than ~20 users, as it keeps roles in sync with your IdP without manual intervention.RBAC Best Practices
Default new users to member When unsure which role to assign, start with member and escalate to admin only when explicitly needed. Admin access should be limited to people who manage the organization’s settings and security configuration. Base roles on job function, not individuals If you find yourself needing highly customized permissions for a single person, it is usually a sign that the permission boundary is better handled at the connector or context level rather than a new role. Review role assignments periodically Run a quarterly review of your member list and their assigned roles. Look for users who have moved teams or changed responsibilities. The Audit Log can help surface accounts that have not been active recently. Pair with SSO and SCIM for lifecycle management Manual role assignment works for small teams, but human error accumulates. Connecting TextQL to your IdP via SSO and SCIM ensures that when someone leaves the company or changes teams, their TextQL access updates automatically. Restrict private resource access carefullyread_private and write_private permissions grant org-wide visibility into resources that individual users have intentionally kept private. Grant these sparingly and only to roles that genuinely need cross-user visibility.