Studio uses role-based access control (RBAC). When using Keycloak, roles and groups are read from the JWT token at login — no additional configuration needed in Studio.Documentation Index
Fetch the complete documentation index at: https://docs.alquimia.ai/llms.txt
Use this file to discover all available pages before exploring further.
Roles
| Role | Scope | Description |
|---|---|---|
platform-admin | Platform-wide | Full access to everything. Can manage workspaces, users, and all platform settings. |
org-admin | Organization | Can manage workspace settings, agents, and workspace members within their organization. |
editor | Workspace | Can create, edit, and delete agents and workspace settings (models, MCP, embeddings, sentinels). |
viewer | Workspace | Read-only access. Can view agents and settings but cannot create, edit, or delete anything. |
Permissions matrix
| Action | viewer | editor | org-admin | platform-admin |
|---|---|---|---|---|
| View agents | ✅ | ✅ | ✅ | ✅ |
| Test agents (Try Me) | ✅ | ✅ | ✅ | ✅ |
| Create agents | ❌ | ✅ | ✅ | ✅ |
| Edit agents | ❌ | ✅ | ✅ | ✅ |
| Delete agents | ❌ | ✅ | ✅ | ✅ |
| Enable/disable agents | ❌ | ✅ | ✅ | ✅ |
| View settings | ✅ | ✅ | ✅ | ✅ |
| Add/edit models | ❌ | ✅ | ✅ | ✅ |
| Add/edit MCP servers | ❌ | ✅ | ✅ | ✅ |
| Add/edit embeddings | ❌ | ✅ | ✅ | ✅ |
| Add/edit sentinels | ❌ | ✅ | ✅ | ✅ |
| Publish workspace | ❌ | ✅ | ✅ | ✅ |
| Manage workspace members | ❌ | ❌ | ✅ | ✅ |
| Create/delete workspaces | ❌ | ❌ | ✅ | ✅ |
| Platform-wide administration | ❌ | ❌ | ❌ | ✅ |
Assigning roles
If you’re using Keycloak, roles are assigned there:- Log in to the Keycloak admin console
- Navigate to your realm → Users
- Select the user → Role mappings
- Assign the appropriate role from the client roles list
If a UI element is greyed out or a feature is missing from your view, your role doesn’t have permission for that action. Contact your platform administrator to request elevated access.