Role-Based Access Control (RBAC) lets you control who can access what within your organization. Instead of managing permissions per user, you define roles with specific permission sets and assign those roles to members. This simplifies access management and ensures consistent security policies.
nara provides two built-in roles that cannot be deleted or renamed:
| Role | Description |
|---|---|
| Admin | Full access to all organization features, settings, members, agents, tools, and billing. Admins can manage roles, invite members, and configure integrations. |
| Member | Limited access to day-to-day features. Members can use agents and view tickets but cannot modify organization settings, manage members, or access billing. |
1. Navigate to Settings > Roles & Permissions.
2. Click Create Role.
3. Enter a name for the role (e.g., “Support Lead”, “Tool Manager”, “Viewer”).
4. Provide an optional description to help other admins understand the role’s purpose.
5. Select the permissions this role should grant. Permissions are grouped by feature area (see below).
6. Click Save. The role is now available for assignment to members.
Permissions provide granular access control across feature areas. When creating or editing a role, select the permissions that members with this role should have:
| Permission area | Examples |
|---|---|
| Agents | Create agents, edit agent configuration, delete agents, view agent list |
| Tools | Manage tools, assign tools to agents, view tool registry |
| Deployments | Create deployments, manage connectors, view deployment status |
| Tickets | Create tickets, update ticket status, delete tickets, view all tickets |
| Members | Invite members, update roles, remove members |
| Organization | Edit organization settings, manage integrations, view billing |
| Memory | View knowledge graph, manage schemas, create objects |
Each permission can be independently enabled or disabled within a role, giving you fine-grained control over access.
1. Navigate to Settings > Members.
2. Find the member you want to assign a role to.
3. Click the Role dropdown next to their name.
4. Select the role from the list (built-in or custom).
The assignment takes effect immediately. The member’s accessible features update on their next page load.
To remove a role from a member:
1. Navigate to Settings > Members.
2. Find the member whose role you want to change.
3. Select a different role from the dropdown, or assign the default Member role.
The previous role is removed and the new role takes effect immediately.
You can view role assignments from two perspectives:
- By role: navigate to Settings > Roles & Permissions and click on a role to see all members (principals) currently assigned to it. This view is useful for auditing who has a particular set of permissions.
- By member: navigate to Settings > Members to see each member’s assigned role in the list view. Click on a member to see their full role details and permissions.
Roles and assignments can be managed programmatically:
| Method | Path | Description |
|---|---|---|
| GET | /api/roles | List all roles in the organization |
| POST | /api/roles | Create a new custom role |
| GET | /api/roles/{id} | Retrieve a specific role and its permissions |
| PUT | /api/roles/{id} | Update a role’s name, description, or permissions |
| DELETE | /api/roles/{id} | Delete a custom role (built-in roles cannot be deleted) |
| POST | /api/roles/{id}/assign | Assign a role to a user |
| POST | /api/roles/{id}/unassign | Remove a role assignment from a user |
| GET | /api/roles/{id}/principals | List all users assigned to a specific role |
Principle of least privilege
Assign the minimum set of permissions needed for each role. Start with restrictive permissions and expand only when necessary. This reduces the risk of accidental or unauthorized changes.
Role naming conventions
Use descriptive names that reflect the role’s purpose (e.g., “Support Agent Manager” instead of “Role 1”). Include a clear description so other admins understand the intent without inspecting individual permissions.
Regular audits
Periodically review role assignments to ensure members have appropriate access. Remove roles from members who no longer need them, and archive unused custom roles.
Avoid permission sprawl
Keep the number of custom roles manageable. If two roles have nearly identical permissions, consider consolidating them into one role with a clear name that covers both use cases.
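The audit and consolidation advice above can be automated against the role API listed earlier. The script below is an added example written for this page, not nara's own code: it assumes that `GET /api/roles` returns a JSON list of role objects with `id`, `name`, `builtin` and `permissions` fields, that `GET /api/roles/{id}/principals` returns a JSON list of user identifiers, that permissions are strings of the form `area:action`, and that the API accepts a bearer token. None of those field names or formats are documented on this page; the sample responses embedded in the script are constructed so that the audit logic runs offline.

```python
"""Offline audit of nara RBAC roles against the best practices on this page.

Added example, not nara's own code. The response shape (role objects with
id/name/builtin/permissions, principals as a list of user ids), the
"area:action" permission format and the bearer-token header are assumptions;
adapt `fetch_json` and the field names to the real API before use.
"""
import json
import urllib.request
from itertools import combinations

# Constructed sample responses standing in for the API (assumed shape).
SAMPLE_ROLES = [
    {"id": "r-admin", "name": "Admin", "builtin": True,
     "permissions": ["agents:*", "tools:*", "deployments:*", "tickets:*",
                     "members:*", "organization:*", "memory:*"]},
    {"id": "r-member", "name": "Member", "builtin": True,
     "permissions": ["agents:use", "tickets:view"]},
    {"id": "r-support-lead", "name": "Support Lead", "builtin": False,
     "permissions": ["tickets:view", "tickets:update", "tickets:create",
                     "members:invite"]},
    {"id": "r-support-lead-2", "name": "Support Lead (old)", "builtin": False,
     "permissions": ["tickets:view", "tickets:update", "tickets:create"]},
    {"id": "r-viewer", "name": "Viewer", "builtin": False,
     "permissions": ["agents:view", "tickets:view"]},
]
SAMPLE_PRINCIPALS = {
    "r-admin": ["alice", "bob", "carol"],
    "r-member": ["dave"],
    "r-support-lead": ["erin"],
    "r-support-lead-2": [],
    "r-viewer": ["frank"],
}

# Permission areas that control access itself (Members) or settings and
# billing (Organization); custom roles granting these get flagged for review.
SENSITIVE_AREAS = {"members", "organization"}


def fetch_json(base_url, token):
    """Return a fetcher that GETs `base_url + path` with a bearer token (assumed auth)."""
    def fetch(path):
        req = urllib.request.Request(
            f"{base_url}{path}", headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    return fetch


def sample_fetch(path):
    """Offline stand-in for `fetch_json` that serves the constructed samples."""
    if path == "/api/roles":
        return [dict(r) for r in SAMPLE_ROLES]
    prefix, suffix = "/api/roles/", "/principals"
    if path.startswith(prefix) and path.endswith(suffix):
        return list(SAMPLE_PRINCIPALS[path[len(prefix):-len(suffix)]])
    raise KeyError(path)


def load_roles(fetch):
    """Fetch every role, then attach its principals from /api/roles/{id}/principals."""
    roles = fetch("/api/roles")
    for role in roles:
        role["principals"] = fetch(f"/api/roles/{role['id']}/principals")
    return roles


def jaccard(a, b):
    """Similarity of two permission sets: |A ∩ B| / |A ∪ B| (1.0 for two empty sets)."""
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if a | b else 1.0


def audit(roles, similarity=0.75):
    """Return (kind, subject, detail) findings for sensitive, unused and overlapping roles."""
    findings = []
    for role in roles:
        if role.get("builtin"):
            continue  # Admin and Member are fixed; only custom roles are reviewed
        areas = {p.split(":", 1)[0] for p in role["permissions"]}
        sensitive = sorted(areas & SENSITIVE_AREAS)
        if sensitive:
            findings.append(("sensitive", role["name"],
                             f"grants {', '.join(sensitive)} to "
                             f"{len(role['principals'])} principal(s)"))
        if not role["principals"]:
            findings.append(("unused", role["name"],
                             "custom role with no principals; candidate to archive"))
    custom = [r for r in roles if not r.get("builtin")]
    for a, b in combinations(custom, 2):
        s = jaccard(a["permissions"], b["permissions"])
        if s >= similarity:
            findings.append(("overlap", f"{a['name']} / {b['name']}",
                             f"{s:.0%} permission overlap; consider consolidating"))
    return findings


if __name__ == "__main__":
    # Swap `sample_fetch` for `fetch_json("https://nara.example", token)` to run live.
    for kind, subject, detail in audit(load_roles(sample_fetch)):
        print(f"[{kind}] {subject}: {detail}")
```

The three checks map onto the practices above: a custom role touching Members or Organization is a least-privilege question, a custom role with no principals is an archive candidate from the regular audit, and two custom roles whose permission sets overlap at or above the threshold are the permission sprawl case. The threshold is deliberately a parameter; 0.75 is a starting point, not a recommendation from the page.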