Embedded users inherit WisdomAI’s role-based access control (RBAC) system. The role you assign when provisioning a user controls what they can see and do inside the embedded interface. There is no separate embed-specific permission layer.
Custom roles are not yet supported. You must use one of the built-in roles listed below.

How roles affect embedded views

Visibility of edit controls, dashboard creation buttons, and AI workstreams is determined by the user’s role assignment. To hide edit controls in an embedded dashboard, assign the user the Viewer role. This role is pure read-only and cannot create or modify any resources.
For a full breakdown of what each role can access, see the Roles & Permission Reference below.

Assigning a role at provisioning time

Pass the specific roleId in the roleAssignments array when calling createUsers. Role IDs are unique UUIDs.
curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <access_token>" \
  -d '{
    "query": "mutation CreateUsers($input: CreateUsersInput!) { createUsers(input: $input) { status { code message } } }",
    "variables": {
      "input": {
        "emails": ["alice@yourcompany.com"],
        "workspaceID": "workspace_123",
        "roleAssignments": [
          {
            "roleId": "00000000-0000-0000-0000-000000000003",
            "scopes": ["domain_456"]
          }
        ]
      }
    }
  }' \
  https://{ACCOUNT}.wisdom.ai/graphql

Role IDs

Role IDs are passed in the roleAssignments field when provisioning or updating users.
| Role | ID |
| --- | --- |
| ADMIN | 00000000-0000-0000-0000-000000000001 |
| DATA_ADMIN | 00000000-0000-0000-0000-000000000004 |
| EXPLORER | 00000000-0000-0000-0000-000000000002 |
| BASIC_EXPLORER | 00000000-0000-0000-0000-000000000015 |
| VIEWER | 00000000-0000-0000-0000-000000000003 |
| OBSERVER | 00000000-0000-0000-0000-000000000007 |
Role IDs are used in the roleAssignments field of the following mutations:

Roles & permission reference

The tables below show the full permission breakdown across all roles and resource types. Use these as a reference when deciding which role to assign for a given use case.
In the API, Story refers to Dashboards. Roles labeled Writer grant edit access to existing resources but do not grant permission to create new ones.
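| Role | Scope | Dashboards | Chat / Q&A | SQL editing | AI workstream | Create resources |
| --- | --- | --- | --- | --- | --- | --- |
| ADMIN | Organization | Create, Read, Clone | Create | Yes | Yes | Yes |
| DATA_ADMIN | Domain | Create, Read, Clone | Create | Yes | Yes | Yes |
| EXPLORER | Domain | Create, Read (owned or assigned) | Create | Yes | Yes | No |
| BASIC_EXPLORER | Domain | Create, Read (owned or assigned) | Create | No | No | No |
| VIEWER | Organization | Read only | Read only | No | No | No |
| OBSERVER | Organization | No | No | No | No | No |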
Column key: AD (Admin) · DA (Data Admin) · EX (Explorer) · BE (Basic Explorer) · VI (Viewer) · OB (Observer)
Permission | AD | DA | EX | BE | VI | OB
chat:create
chat:execute-sql
chat:edit-sql
chat:expand-workstream
chat:read-all
Permission | AD | DA | EX | BE | VI | OB
dashboard:create
dashboard:clone
dashboard:read
dashboard:write
Users can always view, edit, and clone dashboards they created themselves or that have been shared with them.
Permission | AD | DA | EX | BE | VI | OB
schedule:create
schedule:read
schedule:write
Users can always view and edit schedules they created themselves or that have been shared with them.
Permission | AD | DA | EX | BE | VI | OB
agent:read
agent:write
Users can always view and edit agents they created themselves or that have been shared with them.
Permission | AD | DA | EX | BE | VI | OB
connection:create
connection:read
connection:write
connection:delete
connection:refresh
connection:list
Permission | AD | DA | EX | BE | VI | OB
domain:create
domain:list
domain:invite
Permission | AD | DA | EX | BE | VI | OB
iam:read
iam:write
iam:delete
iam-scope:write
Permission | AD | DA | EX | BE | VI | OB
workspace:read
workspace:write
workspace:create
workspace:delete
The table below describes what each API permission flag controls.
| API permission | Feature |
| --- | --- |
| chat:create | Ask questions |
| chat:execute-sql | Run SQL |
| chat:edit-sql | Edit SQL |
| chat:expand-workstream | AI workstream |
| chat:read-all | View chat log |
| dashboard:create | Create dashboards |
| dashboard:read | View dashboards |
| dashboard:write | Edit dashboards |
| dashboard:clone | Clone dashboards |
| schedule:create | Create schedules |
| schedule:read | View schedules |
| schedule:write | Edit schedules |
| agent:read | View agents |
| agent:write | Edit agents |
| connection:create | Create connections |
| connection:read | View connections |
| connection:write | Edit connection configuration |
| connection:delete | Delete connections |
| connection:refresh | Refresh metadata |
| connection:list | List connections |
| domain:create | Create domains |
| domain:list | List domains |
| domain:invite | Invite users to a domain |
| iam:read | View users and roles |
| iam:write | Manage users and roles |
| iam:delete | Remove users and roles |
| iam-scope:write | Assign scoped roles |
| workspace:read | View workspace |
| workspace:write | Edit workspace |
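Because the role passed to createUsers is the only control on what an embedded user can do, a provisioning service can check the role against a least-privilege policy before sending the mutation. The sketch below is an added example, not WisdomAI code: it uses the role IDs and the summary table from this page, while the function names, the short capability labels, and the rule that at least one scope must be supplied are assumptions of the example.

```python
MUTATION = ("mutation CreateUsers($input: CreateUsersInput!) "
            "{ createUsers(input: $input) { status { code message } } }")

# Role IDs and capabilities transcribed from the tables on this page.
# The short capability labels are this example's own names, not API flags.
FULL = {"dashboard_create", "chat_create", "sql_editing", "ai_workstream", "create_resources"}
ROLES = {
    "ADMIN": ("00000000-0000-0000-0000-000000000001", FULL),
    "DATA_ADMIN": ("00000000-0000-0000-0000-000000000004", FULL),
    "EXPLORER": ("00000000-0000-0000-0000-000000000002", FULL - {"create_resources"}),
    "BASIC_EXPLORER": ("00000000-0000-0000-0000-000000000015",
                       {"dashboard_create", "chat_create"}),
    "VIEWER": ("00000000-0000-0000-0000-000000000003", set()),
    "OBSERVER": ("00000000-0000-0000-0000-000000000007", set()),
}
BY_ID = {role_id: (name, caps) for name, (role_id, caps) in ROLES.items()}


def build_create_users_body(emails, workspace_id, role, scopes, forbidden):
    """Build the createUsers request body; refuse roles that exceed the policy."""
    if role not in ROLES:
        raise ValueError(f"not a built-in role: {role!r}")
    role_id, caps = ROLES[role]
    excess = caps & set(forbidden)
    if excess:
        raise PermissionError(f"{role} grants {sorted(excess)}")
    if not scopes:  # local policy (assumption): never assign without an explicit scope
        raise ValueError("at least one scope is required")
    return {"query": MUTATION, "variables": {"input": {
        "emails": list(emails), "workspaceID": workspace_id,
        "roleAssignments": [{"roleId": role_id, "scopes": list(scopes)}]}}}


def audit_body(body, forbidden):
    """Return (roleId, role name, excess capabilities) for assignments that break policy."""
    findings = []
    for ra in body["variables"]["input"].get("roleAssignments", []):
        # Unknown IDs fail closed: treat them as if they granted everything.
        name, caps = BY_ID.get(ra.get("roleId"), ("UNKNOWN", FULL))
        excess = caps & set(forbidden)
        if name == "UNKNOWN" or excess:
            findings.append((ra.get("roleId"), name, sorted(excess)))
    return findings


if __name__ == "__main__":
    import json
    policy = {"sql_editing", "ai_workstream", "create_resources"}  # constructed policy
    body = build_create_users_body(["alice@yourcompany.com"], "workspace_123",
                                   "VIEWER", ["domain_456"], policy)
    print(json.dumps(body, indent=2))
    print(audit_body(body, policy))
```

The returned dictionary is the JSON body for the curl call shown earlier; `audit_body` can be run over request bodies already in a provisioning pipeline to flag assignments broader than the embed requires.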
