> ## Documentation Index
> Fetch the complete documentation index at: https://docs.relayhub.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Roles & Permissions

> Understand user roles and feature-level permissions

RelayHub uses a two-tier access model: **roles** define broad access level, and **permission flags** control access to specific features.

## Roles

Every user has exactly one role.

<Tabs>
  <Tab title="Admin">
    Admins have unrestricted access to the entire platform, including:

    * **User Hub** -- manage all users, roles, and permissions
    * **Provider Hub** -- configure API keys and custom LLM endpoints
    * **Billing** -- manage subscription, seats, and payment methods
    * **Settings** -- MFA enforcement, App Hub, Team Hub
    * **All chat and workspace features** -- no restrictions

    Admins automatically have all permission flags enabled regardless of their individual flag settings.
  </Tab>

  <Tab title="Member">
    Members have access to core platform features:

    * **Chat** -- standard and dual chat
    * **Workspaces** -- create and participate in shared workspaces
    * **File Hub** -- upload and manage files
    * **Dashboard** -- personal activity overview

    Access to additional features (Knowledge Hub, Automation Hub, etc.) is controlled by permission flags set by an Admin.
  </Tab>
</Tabs>

## Permission Flags

Permission flags give Admins fine-grained control over what each Member can access. These flags have no effect on Admin users since Admins always have full access.

| Flag                               | Controls Access To                                              | Default |
| ---------------------------------- | --------------------------------------------------------------- | ------- |
| `can_access_automation_hub`        | Automation Hub -- view, create, and manage automation workflows | Off     |
| `can_view_knowledge_hub`           | Knowledge Hub -- browse company knowledge, search documents     | Off     |
| `can_contribute_company_knowledge` | Upload documents and add content to the company knowledge base  | Off     |
| `can_delete_knowledge_entities`    | Remove documents and entities from the Knowledge Hub            | Off     |

<Note>
  Permission flags are independent of each other. For example, a user can have `can_view_knowledge_hub` enabled without `can_contribute_company_knowledge` -- they can browse but not add content.
</Note>

## Common Permission Configurations

Here are typical setups for different team roles:

<Cards>
  <Card title="Standard Team Member" icon="user">
    Role: **Member**

    * Knowledge Hub Viewer: On
    * Knowledge Contributor: Off
    * Knowledge Deleter: Off
    * Automation Hub: Off
  </Card>

  <Card title="Knowledge Manager" icon="book">
    Role: **Member**

    * Knowledge Hub Viewer: On
    * Knowledge Contributor: On
    * Knowledge Deleter: On
    * Automation Hub: Off
  </Card>

  <Card title="Power User" icon="bolt">
    Role: **Member**

    * Knowledge Hub Viewer: On
    * Knowledge Contributor: On
    * Knowledge Deleter: Off
    * Automation Hub: On
  </Card>
</Cards>

## Changing Permissions

<Steps>
  <Step title="Go to User Hub">
    Open the **User Hub** from the sidebar (Admin only).
  </Step>

  <Step title="Select the user">
    Click on the user whose permissions you want to change.
  </Step>

  <Step title="Toggle permission flags">
    Enable or disable individual permission flags using the toggle switches in the permissions section.
  </Step>

  <Step title="Save">
    Click **Save**. Permission changes take effect immediately without requiring the user to log out.
  </Step>
</Steps>

<Tip>
  When [inviting new members](/administration/user-management/inviting-members), you can pre-configure permission flags so they have the right access from their first login.
</Tip>

<Warning>
  Removing `can_view_knowledge_hub` from a user who actively uses the Knowledge Hub will immediately hide it from their sidebar. Any knowledge searches they had bookmarked will return a permission error.
</Warning>
