# RBAC for Users

Embedded users inherit WisdomAI's role-based access control (RBAC) system. The role you assign when provisioning a user controls what they can see and do inside the embedded interface. There is no separate embed-specific permission layer.

<Note>
  Custom roles are not yet supported. You must use one of the built-in roles listed below.
</Note>

## How roles affect embedded views

Whether edit controls, dashboard creation buttons, and AI workstreams are visible is determined by the user's role assignment. To **hide edit controls in an embedded dashboard**, assign the user the **Viewer** role. This role is strictly read-only and cannot create or modify any resources.

<Note>
  For a full breakdown of what each role can access, see [Roles & permission reference](#roles-&-permission-reference) below.
</Note>

## Assigning a role at provisioning time

Pass the specific `roleId` in the `roleAssignments` array when calling `createUsers`. Role IDs are unique UUIDs.

```bash
curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <access_token>" \
  -d '{
    "query": "mutation CreateUsers($input: CreateUsersInput!) { createUsers(input: $input) { status { code message } } }",
    "variables": {
      "input": {
        "emails": ["alice@yourcompany.com"],
        "workspaceID": "workspace_123",
        "roleAssignments": [
          {
            "roleId": "00000000-0000-0000-0000-000000000003",
            "scopes": ["domain_456"]
          }
        ]
      }
    }
  }' \
  https://{ACCOUNT}.wisdom.ai/graphql
```

## Role IDs

Role IDs are passed in the `roleAssignments` field when provisioning or updating users.

| Role             | ID                                     |
| ---------------- | -------------------------------------- |
| `ADMIN`          | `00000000-0000-0000-0000-000000000001` |
| `DATA_ADMIN`     | `00000000-0000-0000-0000-000000000004` |
| `EXPLORER`       | `00000000-0000-0000-0000-000000000002` |
| `BASIC_EXPLORER` | `00000000-0000-0000-0000-000000000015` |
| `VIEWER`         | `00000000-0000-0000-0000-000000000003` |
| `OBSERVER`       | `00000000-0000-0000-0000-000000000007` |

Role IDs are used in the `roleAssignments` field of the following mutations:

* [`createUsers`](/integrations/graphql-api/mutations/user/create-users) — assign a role when provisioning a new embedded user
* [`setUserAttributes`](/integrations/graphql-api/mutations/user/set-user-attributes) — update the role of an existing embedded user
* [`addScopeRoleAssignmentsForSharing`](/integrations/graphql-api/mutations/dashboard/add-scope-role-assignments-for-sharing) — grant a scoped role on a specific dashboard
* [`removeScopeRoleAssignmentsForSharing`](/integrations/graphql-api/mutations/dashboard/remove-scope-role-assignments-for-sharing) — remove a scoped role from a specific dashboard
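The following is an added example (not WisdomAI's own client code) of building the `createUsers` request shown above from a role name rather than a raw UUID, with a least-privilege guard in front of it. It uses the role IDs and mutation shape from this page; the `EMBED_ALLOWED_ROLES` allowlist, the `allow_privileged` flag and the account/token placeholders are assumptions of the example, not product settings.

```python
"""Build a createUsers request for an embedded user with a least-privilege guard.

Added example, not WisdomAI code. Role IDs and the mutation text come from the
RBAC for Users page; the allowlist policy below is this example's assumption.
"""
import json
import urllib.request
import uuid

# Role name -> role ID, as listed on this page.
ROLE_IDS = {
    "ADMIN": "00000000-0000-0000-0000-000000000001",
    "DATA_ADMIN": "00000000-0000-0000-0000-000000000004",
    "EXPLORER": "00000000-0000-0000-0000-000000000002",
    "BASIC_EXPLORER": "00000000-0000-0000-0000-000000000015",
    "VIEWER": "00000000-0000-0000-0000-000000000003",
    "OBSERVER": "00000000-0000-0000-0000-000000000007",
}

# Roles an embed integration may hand out without extra review (assumed policy:
# embedded users get read-only or basic-explorer access unless someone opts in).
EMBED_ALLOWED_ROLES = frozenset({"VIEWER", "BASIC_EXPLORER"})

CREATE_USERS_MUTATION = (
    "mutation CreateUsers($input: CreateUsersInput!) "
    "{ createUsers(input: $input) { status { code message } } }"
)


def is_embed_safe(role: str) -> bool:
    """True when the role is on the embed allowlist."""
    return role in EMBED_ALLOWED_ROLES


def resolve_role_id(role: str, allow_privileged: bool = False) -> str:
    """Map a role name to its ID, refusing privileged roles unless explicitly allowed."""
    if role not in ROLE_IDS:
        raise ValueError(f"unknown role: {role}")
    if not is_embed_safe(role) and not allow_privileged:
        raise PermissionError(f"role {role} is not permitted for embedded users")
    role_id = ROLE_IDS[role]
    uuid.UUID(role_id)  # role IDs are UUIDs; fail loudly on a malformed table entry
    return role_id


def build_create_users_request(emails, workspace_id, role, scopes, allow_privileged=False):
    """Return the JSON body for the createUsers mutation (same shape as the curl call above)."""
    if not emails:
        raise ValueError("at least one email is required")
    role_id = resolve_role_id(role, allow_privileged)
    return {
        "query": CREATE_USERS_MUTATION,
        "variables": {
            "input": {
                "emails": list(emails),
                "workspaceID": workspace_id,
                "roleAssignments": [{"roleId": role_id, "scopes": list(scopes)}],
            }
        },
    }


def send_create_users(body, account, token):
    """POST the body to https://{account}.wisdom.ai/graphql; account and token are placeholders."""
    req = urllib.request.Request(
        f"https://{account}.wisdom.ai/graphql",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    body = build_create_users_request(
        ["alice@yourcompany.com"], "workspace_123", "VIEWER", ["domain_456"]
    )
    print(json.dumps(body, indent=2))
```

The guard is the point: the role ID is the only thing that separates a read-only embedded viewer from an account administrator, so the code path that provisions embedded users should not accept arbitrary UUIDs from a caller. Requests for roles outside the allowlist fail closed unless `allow_privileged=True` is passed deliberately, which keeps privilege escalation through a mistyped or attacker-supplied role ID out of the normal path.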

## Roles & permission reference

The tables below show the full permission breakdown across all roles and resource types. Use these as a reference when deciding which role to assign for a given use case. For a description of what each role can do, see [Access Management](/manage-account/access-management).

<Note>
  In the API, **Story** refers to **Dashboards**. Roles labeled **Writer** grant edit access to existing resources but do not grant permission to create new ones.
</Note>

<Accordion title="Granular permissions">
  <Accordion title="Chat">
    | Permission               |  AD |  DA |  EX |  BE |  VI |  OB |
    | ------------------------ | :-: | :-: | :-: | :-: | :-: | :-: |
    | `chat:create`            |  ✅  |  ✅  |  ✅  |  ✅  |  ❌  |  ❌  |
    | `chat:execute-sql`       |  ✅  |  ✅  |  ✅  |  ✅  |  ❌  |  ❌  |
    | `chat:edit-sql`          |  ✅  |  ✅  |  ✅  |  ❌  |  ❌  |  ❌  |
    | `chat:expand-workstream` |  ✅  |  ✅  |  ✅  |  ❌  |  ❌  |  ❌  |
    | `chat:read-all`          |  ✅  |  ❌  |  ❌  |  ❌  |  ❌  |  ❌  |
  </Accordion>

  <Accordion title="Dashboard">
    | Permission         |  AD |  DA |  EX |  BE |  VI |  OB |
    | ------------------ | :-: | :-: | :-: | :-: | :-: | :-: |
    | `dashboard:create` |  ✅  |  ✅  |  ✅  |  ✅  |  ❌  |  ❌  |
    | `dashboard:clone`  |  ✅  |  ✅  |  ❌  |  ❌  |  ❌  |  ❌  |
    | `dashboard:read`   |  ✅  |  ✅  |  ❌  |  ❌  |  ✅  |  ❌  |
    | `dashboard:write`  |  ❌  |  ❌  |  ❌  |  ❌  |  ❌  |  ❌  |

    <Note>
      Users can always view, edit, and clone dashboards they created themselves or that have been shared with them.
    </Note>
  </Accordion>

  <Accordion title="Schedule">
    | Permission        |  AD |  DA |  EX |  BE |  VI |  OB |
    | ----------------- | :-: | :-: | :-: | :-: | :-: | :-: |
    | `schedule:create` |  ✅  |  ✅  |  ✅  |  ✅  |  ❌  |  ❌  |
    | `schedule:read`   |  ✅  |  ✅  |  ❌  |  ❌  |  ✅  |  ❌  |
    | `schedule:write`  |  ❌  |  ❌  |  ❌  |  ❌  |  ❌  |  ❌  |

    <Note>
      Users can always view and edit schedules they created themselves or that have been shared with them.
    </Note>
  </Accordion>

  <Accordion title="Agent">
    | Permission    |  AD |  DA |  EX |  BE |  VI |  OB |
    | ------------- | :-: | :-: | :-: | :-: | :-: | :-: |
    | `agent:read`  |  ✅  |  ✅  |  ✅  |  ✅  |  ✅  |  ❌  |
    | `agent:write` |  ✅  |  ✅  |  ❌  |  ❌  |  ❌  |  ❌  |

    <Note>
      Users can always view and edit agents they created themselves or that have been shared with them.
    </Note>
  </Accordion>

  <Accordion title="Connection">
    | Permission           |  AD |  DA |  EX |  BE |  VI |  OB |
    | -------------------- | :-: | :-: | :-: | :-: | :-: | :-: |
    | `connection:create`  |  ✅  |  ✅  |  ❌  |  ❌  |  ❌  |  ❌  |
    | `connection:read`    |  ✅  |  ✅  |  ❌  |  ❌  |  ❌  |  ❌  |
    | `connection:write`   |  ✅  |  ❌  |  ❌  |  ❌  |  ❌  |  ❌  |
    | `connection:delete`  |  ✅  |  ❌  |  ❌  |  ❌  |  ❌  |  ❌  |
    | `connection:refresh` |  ✅  |  ✅  |  ❌  |  ❌  |  ❌  |  ❌  |
    | `connection:list`    |  ✅  |  ✅  |  ❌  |  ❌  |  ❌  |  ❌  |
  </Accordion>

  <Accordion title="Domain">
    | Permission      |  AD |  DA |  EX |  BE |  VI |  OB |
    | --------------- | :-: | :-: | :-: | :-: | :-: | :-: |
    | `domain:create` |  ✅  |  ✅  |  ❌  |  ❌  |  ❌  |  ❌  |
    | `domain:list`   |  ✅  |  ✅  |  ❌  |  ❌  |  ❌  |  ❌  |
    | `domain:invite` |  ✅  |  ✅  |  ❌  |  ❌  |  ❌  |  ❌  |
  </Accordion>

  <Accordion title="IAM">
    | Permission        |  AD |  DA |  EX |  BE |  VI |  OB |
    | ----------------- | :-: | :-: | :-: | :-: | :-: | :-: |
    | `iam:read`        |  ✅  |  ✅  |  ✅  |  ✅  |  ✅  |  ✅  |
    | `iam:write`       |  ✅  |  ❌  |  ❌  |  ❌  |  ❌  |  ❌  |
    | `iam:delete`      |  ✅  |  ❌  |  ❌  |  ❌  |  ❌  |  ❌  |
    | `iam-scope:write` |  ✅  |  ✅  |  ✅  |  ✅  |  ❌  |  ❌  |
  </Accordion>

  <Accordion title="Workspace">
    | Permission         |  AD |  DA |  EX |  BE |  VI |  OB |
    | ------------------ | :-: | :-: | :-: | :-: | :-: | :-: |
    | `workspace:read`   |  ✅  |  ❌  |  ❌  |  ❌  |  ✅  |  ✅  |
    | `workspace:write`  |  ✅  |  ❌  |  ❌  |  ❌  |  ❌  |  ❌  |
    | `workspace:create` |  ❌  |  ❌  |  ❌  |  ❌  |  ❌  |  ❌  |
    | `workspace:delete` |  ❌  |  ❌  |  ❌  |  ❌  |  ❌  |  ❌  |
  </Accordion>
</Accordion>
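The tables above are easier to reason about as data. The block below is an added example (not WisdomAI code) that transcribes the granular permission matrix from this page and answers the questions a practitioner asks when picking a role: which permissions does a role actually hold, does it hold anything that mutates state, and which roles can reach a given permission. The `READ_ONLY_ACTIONS` classification is this example's own assumption about which permission suffixes are non-mutating.

```python
"""Audit helper over the granular permission matrix on this page.

Added example, not WisdomAI code. The matrix is transcribed from the tables
above; columns are ADMIN, DATA_ADMIN, EXPLORER, BASIC_EXPLORER, VIEWER, OBSERVER.
"""
ROLES = ("ADMIN", "DATA_ADMIN", "EXPLORER", "BASIC_EXPLORER", "VIEWER", "OBSERVER")

# One row per permission; Y/N per role in ROLES order, copied from the tables above.
MATRIX_ROWS = """
chat:create              Y Y Y Y N N
chat:execute-sql         Y Y Y Y N N
chat:edit-sql            Y Y Y N N N
chat:expand-workstream   Y Y Y N N N
chat:read-all            Y N N N N N
dashboard:create         Y Y Y Y N N
dashboard:clone          Y Y N N N N
dashboard:read           Y Y N N Y N
dashboard:write          N N N N N N
schedule:create          Y Y Y Y N N
schedule:read            Y Y N N Y N
schedule:write           N N N N N N
agent:read               Y Y Y Y Y N
agent:write              Y Y N N N N
connection:create        Y Y N N N N
connection:read          Y Y N N N N
connection:write         Y N N N N N
connection:delete        Y N N N N N
connection:refresh       Y Y N N N N
connection:list          Y Y N N N N
domain:create            Y Y N N N N
domain:list              Y Y N N N N
domain:invite            Y Y N N N N
iam:read                 Y Y Y Y Y Y
iam:write                Y N N N N N
iam:delete               Y N N N N N
iam-scope:write          Y Y Y Y N N
workspace:read           Y N N N Y Y
workspace:write          Y N N N N N
workspace:create         N N N N N N
workspace:delete         N N N N N N
"""

# Permission suffixes this example treats as non-mutating (assumption of the example).
READ_ONLY_ACTIONS = frozenset({"read", "list", "read-all"})


def parse_matrix(text: str = MATRIX_ROWS) -> dict:
    """Parse the rows into {permission: {role: bool}}, rejecting malformed rows."""
    perms = {}
    for line in text.strip().splitlines():
        name, *flags = line.split()
        if len(flags) != len(ROLES) or any(f not in ("Y", "N") for f in flags):
            raise ValueError(f"malformed matrix row: {line!r}")
        perms[name] = {role: flag == "Y" for role, flag in zip(ROLES, flags)}
    return perms


PERMISSIONS = parse_matrix()


def has_permission(role: str, permission: str) -> bool:
    return PERMISSIONS[permission][role]


def granted(role: str) -> list:
    """All permissions the role holds at the role level, sorted."""
    return sorted(p for p, row in PERMISSIONS.items() if row[role])


def mutating_permissions(role: str) -> list:
    """Granted permissions that create, change or execute something."""
    return [p for p in granted(role) if p.split(":", 1)[1] not in READ_ONLY_ACTIONS]


def is_read_only(role: str) -> bool:
    """True when the role holds no mutating permission at the role level."""
    return not mutating_permissions(role)


def roles_with(permission: str) -> list:
    """Roles that hold the given permission, in table column order."""
    return [r for r in ROLES if PERMISSIONS[permission][r]]


if __name__ == "__main__":
    for role in ROLES:
        print(f"{role:15} read-only={is_read_only(role)!s:5} mutating={mutating_permissions(role)}")
```

Two caveats follow from the page itself. First, this is the role-level baseline: the notes above state that users can always view and edit (and, for dashboards, clone) resources they created or that were shared with them, so a scoped grant made through `addScopeRoleAssignmentsForSharing` adds access on top of what `is_read_only` reports. Second, `dashboard:write`, `schedule:write`, `workspace:create` and `workspace:delete` are denied to every role in the tables, so an audit that sees them granted to some account is worth investigating rather than explaining away.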

<Accordion title="Permission reference">
  The table below describes what each API permission flag controls.

  | API permission           | Feature                       |
  | ------------------------ | ----------------------------- |
  | `chat:create`            | Ask questions                 |
  | `chat:execute-sql`       | Run SQL                       |
  | `chat:edit-sql`          | Edit SQL                      |
  | `chat:expand-workstream` | AI workstream                 |
  | `chat:read-all`          | View chat log                 |
  | `dashboard:create`       | Create dashboards             |
  | `dashboard:read`         | View dashboards               |
  | `dashboard:write`        | Edit dashboards               |
  | `dashboard:clone`        | Clone dashboards              |
  | `schedule:create`        | Create schedules              |
  | `schedule:read`          | View schedules                |
  | `schedule:write`         | Edit schedules                |
  | `agent:read`             | View agents                   |
  | `agent:write`            | Edit agents                   |
  | `connection:create`      | Create connections            |
  | `connection:read`        | View connections              |
  | `connection:write`       | Edit connection configuration |
  | `connection:delete`      | Delete connections            |
  | `connection:refresh`     | Refresh metadata              |
  | `connection:list`        | List connections              |
  | `domain:create`          | Create domains                |
  | `domain:list`            | List domains                  |
  | `domain:invite`          | Invite users to a domain      |
  | `iam:read`               | View users and roles          |
  | `iam:write`              | Manage users and roles        |
  | `iam:delete`             | Remove users and roles        |
  | `iam-scope:write`        | Assign scoped roles           |
  | `workspace:read`         | View workspace                |
  | `workspace:write`        | Edit workspace                |
</Accordion>

## Related articles

<CardGroup cols={2}>
  <Card title="Create Users" icon="user-plus" href="/integrations/graphql-api/mutations/user/create-users">
    Provision embedded users with role assignments
  </Card>

  <Card title="Embed a Dashboard" icon="chart-bar" href="/integrations/embeddings/iframe/embed-a-dashboard">
    Use roles to control edit access in embedded dashboards
  </Card>
</CardGroup>
