This guide explains how SecureAI's role-based access control works, what each role can do, how to assign and change roles, and how to restrict specific features for users across your organization.
Role Overview
SecureAI uses a role-based access control (RBAC) model. Every user is assigned exactly one role, which determines what they can see and do in the platform. Roles are assigned at the time of invitation and can be changed at any time by an admin.
SecureAI provides three built-in roles:
| Role | Intended For | Summary |
|---|---|---|
| User | General employees | Chat with AI models, upload documents, use tools and assistants. No access to admin functions. |
| Pending | Newly registered users | Limited access until an admin approves their account. Cannot start conversations or access the knowledge base. |
| Admin | IT administrators, platform managers | Full access to all features plus the Admin Panel for managing users, models, settings, and security. |
Pending Role
When a user registers through the sign-up page (rather than being invited by an admin), they are assigned the Pending role by default. Pending users can log in but cannot use the platform until an admin reviews and approves their account.
To approve a pending user:
- Navigate to Admin Panel > Users.
- Filter by Role: Pending to see users awaiting approval.
- Click the user's name.
- Change their role to User (or Admin if appropriate).
- Click Save.
The user receives a notification that their account has been approved and can begin using SecureAI immediately.
To disable open registration entirely, see Restricting Self-Registration below.
Permission Matrix
The tables below show exactly which actions each role can perform.
Conversations and AI
| Permission | Pending | User | Admin |
|---|---|---|---|
| Start new conversations | No | Yes | Yes |
| Continue existing conversations | No | Yes | Yes |
| Use all available models | No | Yes | Yes |
| Switch models mid-conversation | No | Yes | Yes |
| Share conversations with other users | No | Yes | Yes |
| Delete own conversations | No | Yes | Yes |
| View other users' conversations | No | No | No |
| View conversation metadata in analytics | No | No | Yes |
Knowledge Base and Documents
| Permission | Pending | User | Admin |
|---|---|---|---|
| Search the knowledge base | No | Yes | Yes |
| Upload documents to personal workspace | No | Yes | Yes |
| Upload documents to shared knowledge base | No | Configurable | Yes |
| Delete own uploaded documents | No | Yes | Yes |
| Delete any user's uploaded documents | No | No | Yes |
| Manage knowledge base collections | No | No | Yes |
Tools and Assistants
| Permission | Pending | User | Admin |
|---|---|---|---|
| Use assigned tools | No | Yes | Yes |
| Use assigned assistants | No | Yes | Yes |
| Create personal assistants | No | Yes | Yes |
| Publish assistants to organization | No | Configurable | Yes |
| Create and manage tools | No | No | Yes |
| Manage tool integrations (valves) | No | No | Yes |
Administration
| Permission | Pending | User | Admin |
|---|---|---|---|
| Access Admin Panel | No | No | Yes |
| Invite and manage users | No | No | Yes |
| Change user roles | No | No | Yes |
| Configure models and providers | No | No | Yes |
| Manage SSO settings | No | No | Yes |
| Configure content filtering | No | No | Yes |
| View analytics and usage reports | No | No | Yes |
| Manage data retention policies | No | No | Yes |
| Configure IP allowlisting | No | No | Yes |
| Export audit logs | No | No | Yes |
Account Self-Management
| Permission | Pending | User | Admin |
|---|---|---|---|
| Update own profile (name, avatar) | Yes | Yes | Yes |
| Change own password | Yes | Yes | Yes |
| Manage own API keys | No | Yes | Yes |
| View own usage statistics | No | Yes | Yes |
Assigning Roles
During Invitation
When you invite a new user, you select their role as part of the invitation process:
- Navigate to Admin Panel > Users.
- Click Add User.
- Enter the user's email and name.
- Select Role: choose User or Admin.
- Click Send Invitation.
For bulk imports via CSV, specify the role in the role column for each row. See How to Bulk Import Users for details.
Changing an Existing User's Role
- Navigate to Admin Panel > Users.
- Click the user's name to open their profile.
- Under Role, select the new role.
- Click Save.
Role changes take effect immediately:
- Promoting User to Admin: The user sees the Admin Panel link on their next page load. No logout required.
- Demoting Admin to User: The user loses Admin Panel access immediately. If they have the Admin Panel open, they are redirected to the main chat interface.
- Approving a Pending user: The user gains full access to conversations, knowledge base, and tools.
Bulk Role Changes
To change roles for multiple users at once:
- Navigate to Admin Panel > Users.
- Select the checkboxes next to the users you want to update.
- Click Bulk Actions > Change Role.
- Select the target role.
- Confirm the change.
This is useful when onboarding a department or adjusting access for an entire team.
Restricting Features
Beyond the built-in role permissions, admins can further restrict what users can do through feature-level settings.
Model Access Restrictions
Control which models are available to users:
- Navigate to Admin Panel > Settings > Models.
- Each model has a Visibility setting:
  - All users — any user can select this model.
  - Admins only — only admins can use this model (useful for expensive models or models still being evaluated).
- Toggle visibility per model as needed.
When a model is restricted to admins only, it does not appear in the model selector for standard users.
Knowledge Base Upload Restrictions
Control whether standard users can upload documents to the shared knowledge base:
- Navigate to Admin Panel > Settings > Knowledge Base.
- Under Shared uploads, choose:
  - Allow all users — any user can upload to shared collections.
  - Admins only — only admins can add documents to shared collections. Users can still upload to their personal workspace.
This is useful for organizations that want to curate the shared knowledge base and prevent unvetted documents from being used as context.
Assistant Publishing Restrictions
Control whether users can publish assistants for the whole organization:
- Navigate to Admin Panel > Settings > Assistants.
- Under Publishing, choose:
  - Allow all users — any user can publish assistants to the organization directory.
  - Admins only — only admins can publish. Users can still create personal assistants.
Chat Feature Restrictions
Admins can toggle specific chat features on or off for all non-admin users:
- Navigate to Admin Panel > Settings > Interface.
- Available toggles:
  - Web search — allow users to enable web search in conversations.
  - Image generation — allow users to request image generation.
  - Code execution — allow users to run code in sandboxed environments.
  - File uploads in chat — allow users to attach files to messages.
Disabled features are hidden from the interface entirely: users do not see grayed-out buttons; the feature simply does not appear.
Restricting Self-Registration
By default, anyone with access to your SecureAI instance URL can register an account (assigned the Pending role). To restrict this:
- Navigate to Admin Panel > Settings > Authentication.
- Under Registration, choose:
  - Open (with approval) — anyone can register, but they remain Pending until an admin approves. This is the default.
  - Invite only — the registration page is disabled. Only users invited by an admin can create accounts.
  - SSO only — users can only access the platform through your configured identity provider. The registration page and password login are both disabled.
For SSO configuration, see Configuring SAML SSO or Configure OIDC SSO.
Best Practices
Principle of Least Privilege
Assign the minimum role needed for each user's job function. Most users in your organization should have the User role. Reserve Admin for people who genuinely need to manage the platform -- typically 2-5 people in a standard deployment.
Audit Role Assignments Regularly
Review your user list periodically to ensure roles are still appropriate:
- Former admins who changed roles or left the team should be demoted or deactivated.
- Pending users should be approved or removed promptly -- a backlog of pending accounts can indicate the registration page is attracting unwanted signups.
Use Admin Panel > Analytics > Users to see a breakdown of users by role and activity level.
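The periodic review described above can be scripted against a user list export; the following is an added example, not part of SecureAI or its documentation. The CSV column names, the 90-day and 7-day thresholds, and the sample rows are assumptions constructed for illustration; the ceiling of 5 admins follows the 2-5 guidance above.

```python
import csv
import io
from datetime import date

# Constructed sample export. The column names (email, role, last_active,
# registered) are assumptions, not a documented SecureAI export format.
SAMPLE_EXPORT = """email,role,last_active,registered
alice@example.com,Admin,2024-05-28,2023-01-10
bob@example.com,Admin,2023-11-02,2023-01-10
carol@example.com,User,2024-05-30,2023-03-04
dave@example.com,Pending,,2024-05-01
erin@example.com,Pending,,2024-05-29
frank@example.com,Owner,2024-05-20,2023-02-02
"""

BUILT_IN_ROLES = {"User", "Pending", "Admin"}

def audit_roles(export_text, today, max_admins=5, stale_admin_days=90, pending_days=7):
    """Return (severity, message) findings for a user list export."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    findings = []
    admins = [r for r in rows if r["role"] == "Admin"]
    if not admins:
        findings.append(("high", "no Admin account present"))
    elif len(admins) > max_admins:
        findings.append(("medium", f"{len(admins)} admins exceeds limit of {max_admins}"))
    for r in rows:
        role, email = r["role"], r["email"]
        if role not in BUILT_IN_ROLES:
            # A value outside the three built-in roles points at a bad import or export.
            findings.append(("high", f"{email}: unknown role {role!r}"))
        elif role == "Admin":
            last = r["last_active"]
            idle = (today - date.fromisoformat(last)).days if last else None
            if idle is None or idle > stale_admin_days:
                findings.append(("medium", f"{email}: admin idle, review for demotion"))
        elif role == "Pending":
            waiting = (today - date.fromisoformat(r["registered"])).days
            if waiting > pending_days:
                findings.append(("low", f"{email}: pending for {waiting} days"))
    return findings

if __name__ == "__main__":
    for severity, message in audit_roles(SAMPLE_EXPORT, date(2024, 6, 1)):
        print(f"[{severity}] {message}")
```
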
Document Your Access Policy
Establish clear criteria for when someone qualifies for Admin access. Common policies include:
- Only IT staff can be admins.
- Department leads can be admins if they manage model configuration for their team.
- Admin access requires manager approval.
Documenting this makes it easier to stay consistent as your organization grows.
Use Feature Restrictions to Complement Roles
Roles define broad access levels, but feature restrictions let you fine-tune the experience. For example:
- Cost control: Restrict expensive models to admins while evaluating them, then open to all users once budgets are approved.
- Data governance: Restrict shared knowledge base uploads to admins to ensure only vetted documents are used as AI context.
- Phased rollout: Disable new features (like code execution) for standard users until your team is comfortable with the safety controls.
Troubleshooting
| Problem | Solution |
|---|---|
| User cannot see a model in the model selector | Check the model's visibility setting in Admin Panel > Settings > Models. It may be set to "Admins only." |
| User stuck in Pending status | An admin must manually approve them by changing their role. Navigate to Admin Panel > Users, filter by Pending, and change the role to User. |
| Cannot demote yourself from Admin | SecureAI requires at least one admin. Promote another user to Admin first, then change your own role. |
| User can still access Admin Panel after demotion | Ask the user to refresh their browser. The role change is immediate server-side, but cached UI state may persist until the next page load. |
| Feature toggle not taking effect | Feature restriction changes apply on the user's next page load. Active sessions may need a browser refresh to reflect the change. |
| Registration page still accessible after switching to invite-only | Clear your CDN or reverse proxy cache. The setting takes effect on the server immediately, but cached pages may still show the registration form. |
Next Steps
- User Management Guide -- add, deactivate, and manage user accounts.
- How to Bulk Import Users -- onboard many users at once with role assignment via CSV.
- How to Audit User Activity -- review who did what and when.
- Content Filtering and Safety Settings -- control AI output for your organization.
- Configuring SAML SSO or Configure OIDC SSO -- centralize authentication.