Studio uses role-based access control (RBAC). When using Keycloak, roles and groups are read from the JWT token at login — no additional configuration needed in Studio.
Roles
| Role | Scope | Description |
|---|---|---|
| platform-admin | Platform-wide | Full access to everything. Can manage workspaces, users, and all platform settings. |
| org-admin | Organization | Can manage workspace settings, agents, and workspace members within their organization. |
| editor | Workspace | Can create, edit, and delete agents and workspace settings (models, MCP, embeddings, sentinels). |
| viewer | Workspace | Read-only access. Can view agents and settings but cannot create, edit, or delete anything. |
Permissions matrix
| Action | viewer | editor | org-admin | platform-admin |
|---|---|---|---|---|
| View agents | ✅ | ✅ | ✅ | ✅ |
| Test agents (Try Me) | ✅ | ✅ | ✅ | ✅ |
| Create agents | ❌ | ✅ | ✅ | ✅ |
| Edit agents | ❌ | ✅ | ✅ | ✅ |
| Delete agents | ❌ | ✅ | ✅ | ✅ |
| Enable/disable agents | ❌ | ✅ | ✅ | ✅ |
| View settings | ✅ | ✅ | ✅ | ✅ |
| Add/edit models | ❌ | ✅ | ✅ | ✅ |
| Add/edit MCP servers | ❌ | ✅ | ✅ | ✅ |
| Add/edit embeddings | ❌ | ✅ | ✅ | ✅ |
| Add/edit sentinels | ❌ | ✅ | ✅ | ✅ |
| Publish workspace | ❌ | ✅ | ✅ | ✅ |
| Manage workspace members | ❌ | ❌ | ✅ | ✅ |
| Create/delete workspaces | ❌ | ❌ | ✅ | ✅ |
| Platform-wide administration | ❌ | ❌ | ❌ | ✅ |
Assigning roles
If you’re using Keycloak, roles are assigned there:
- Log in to the Keycloak admin console
- Navigate to your realm → Users
- Select the user → Role mappings
- Assign the appropriate role from the client roles list
If a UI element is greyed out or a feature is missing from your view, your role doesn’t have permission for that action. Contact your platform administrator to request elevated access.
Groups
In addition to roles, Keycloak groups (when enabled) are extracted from the JWT and available in the session. Groups can be used for workspace isolation and organizational scoping. Consult your platform administrator for your organization’s group structure.
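To check what a given login should be able to do, the added example below (not Studio's own code) decodes a token's payload, picks out the Studio roles, and lists the actions the permissions matrix grants. It assumes the client ID is `studio`, that roles arrive as Keycloak client roles under `resource_access`, that groups use a `groups` claim, and that the highest role wins when a user holds several.

```python
import base64
import json

# Minimum role per action, transcribed from the permissions matrix on this page.
RANK = {"viewer": 0, "editor": 1, "org-admin": 2, "platform-admin": 3}
MIN_ROLE = {
    "View agents": "viewer", "Test agents (Try Me)": "viewer", "View settings": "viewer",
    "Create agents": "editor", "Edit agents": "editor", "Delete agents": "editor",
    "Enable/disable agents": "editor", "Add/edit models": "editor",
    "Add/edit MCP servers": "editor", "Add/edit embeddings": "editor",
    "Add/edit sentinels": "editor", "Publish workspace": "editor",
    "Manage workspace members": "org-admin", "Create/delete workspaces": "org-admin",
    "Platform-wide administration": "platform-admin",
}

def jwt_claims(token):
    """Decode the payload segment only. No signature check: inspection use only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def studio_roles(claims, client_id="studio"):  # client_id is an assumed name
    """Known Studio roles among the client roles, lowest first; others are ignored."""
    roles = claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
    return sorted((r for r in roles if r in RANK), key=RANK.get)

def allowed_actions(claims, client_id="studio"):
    """Actions granted by the highest role held (assumed rule); none if no role."""
    roles = studio_roles(claims, client_id)
    if not roles:
        return []
    top = RANK[roles[-1]]
    return [action for action, role in MIN_ROLE.items() if RANK[role] <= top]

def make_token(claims):
    """Build a constructed sample token with a placeholder signature."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "placeholder"])

SAMPLE = make_token({  # constructed claims, not from a real realm
    "preferred_username": "alice",
    "resource_access": {"studio": {"roles": ["viewer", "editor", "offline_access"]}},
    "groups": ["/acme/research"],
})

if __name__ == "__main__":
    c = jwt_claims(SAMPLE)
    print(c["preferred_username"], studio_roles(c), c.get("groups", []))
    for action in allowed_actions(c):
        print("  allowed:", action)
```

A token whose Studio roles appear only under `realm_access` yields no actions here, which is a quick way to spot a role assigned in the wrong place in Keycloak.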