Project roles
project_viewer
Read workflows, runs, analytics, Autopilot chat, and work items. Cannot edit graphs, manage connections, or start runs.
project_contributor
Full builder access: create and edit workflows, run and control runs, manage connections and MCP instances, view billing usage.
project_admin
Everything contributors can do, plus project member management and project-level configuration.
What each role can access
| Capability | project_viewer | project_contributor | project_admin |
|---|---|---|---|
| View workflows and runs | ✓ | ✓ | ✓ |
| Edit and publish workflows | ✓ | ✓ | |
| Start, pause, stop runs | ✓ | ✓ | |
| Complete human tasks | ✓ | ✓ | |
| Manage connections and MCP | ✓ | ✓ | |
| Configure LLM providers | ✓ | ✓ | |
| View analytics and usage | ✓ | ✓ | ✓ |
| Change billing plan | ✓ (tenant admin) | ||
| Manage project members | ✓ |
Some API endpoints also require PAT scopes (for example,
workflow:run or mcp:execute) in addition to the project role. See API authentication.Tenant roles
tenant_admin has full workspace access: all projects, billing, member invites, vault, domain verification, and workspace settings. Assign tenant admin sparingly. Members without tenant admin still participate in projects through their project roles.Assigning project roles
- Open Settings → Members or the project’s member list
- Find the member and select a project role
- Save changes
API and PAT scopes
When calling the API with a personal access token, both the user’s project role and the token’s scopes must allow the operation:| Scope | Allows |
|---|---|
workflow:read | List and get workflows, runs, and events |
workflow:run | Start, pause, resume, and stop runs |
mcp:execute | Invoke MCP tools during workflow execution |