Skip to content

Role Management

GALE’s Role Management feature in the Settings console helps implement Role-based Access Control (RBAC) for both account and agent features on the platform. Thus, the roles can be classified based on role types. Learn more.

Key Points

  1. Master Admin Role

    • When you create an account, you automatically become the account owner and are assigned the Master Admin role. Learn more.

    • As the Master Admin, you have the highest level of access, allowing you to create, modify, and delete permissions for custom roles and manage users in your account.

  2. Assigning Roles

    • Once a user joins your account, assign them a role based on their responsibilities and job functions. By default, the Viewer role is assigned to new users joining your account, providing the minimum level of account access required. Learn more. This role can be changed later in the Settings console. Learn more.
  3. Default and Custom Roles

    • Each role comes with specific permissions and access levels to determine what features the user can access, modify, or manage. Learn more.

    GALE supports the following roles in the Settings console:

    • Default Role: A system-generated role with internally defined set of permissions and access levels. Learn more.

    • Custom Role: Allows you to customize permissions and access levels for your users. Learn more.

  4. Role Management Benefits

    • Enables better control over user actions in your account.
    • Facilitates updating roles when job functions or responsibilities change.
    • Ensures prompt revocation of access when a user leaves the organization or no longer requires access.

Account and Agent Level Features

The features for which permissions and access levels are defined for a role include the following:

Account Level

  • Agents
  • Models
  • Playground and Experiments
  • Settings including Integrations, User Management, Security and Control, Monitoring, Guardrails, and Billing.

Agent Level

  • Create an agent version
  • Share/unshare agents/assign agent roles
  • Delete agent
  • Export Agent
  • Monitor Trace of an Agent
  • Edit Agent Workflow
  • Manage Agent Configuration
  • Manage deployment - deploy/undeploy
  • Manage guardrails configuration
  • Create/Delete an API key
  • Monitor Audit logs

To learn more about permissions and access levels around features, click here.

Access to account or agent-level permissions can either be disabled (no access) or enabled with Full, Custom, or View privileges. Learn more.

Roles

A Role groups users according to their job functions, streamlining permission management.

Example

A Master Admin has complete control over the account's core functionalities such as models, agents, integrations, users, etc.

An Agent Admin has complete control over the core functionalities of agents, such as deployment, configuration, sharing, deletion, monitoring, etc.

GALE supports the following roles:

System-defined Roles

Also called Default roles, these are inbuilt n the system at the account and agent levels defined in the system. The scopes, permissions, and access levels for these roles are preset based on what users commonly require and cannot be modified in the application. Also, system roles cannot be deleted.

To modify a user's scope and permissions, you must add a custom account/agent-type role. Learn more.

System-defined, system-generated, or default roles provide baseline control over the core features and functionalities and streamline the user management process for administrators.

For example, The Admin role typically has full access to all agent/account features and functionalities within the system. Administrators have the highest privileges and can manage other users, configure settings, and perform administrative tasks.

The following table summarizes the scope for different system roles supported for Account and Agent type:

Account
Role Description
Master Admin Users have complete control over agent and model management, user administration, integrations, security settings, and access to all core features and functionalities.
Admin Users have access to all the permissions except model deletion, billing, and Kore connector.
Member Users can create agents, add external models, and modify only S3 integration.
Viewer Users can only view the modules across the platform.
Agent
Role Description
Agent Admin Users have complete control over agent management, versioning, sharing, deployment, deletion, configuration, monitoring, and API key creation.
Agent Manager Users have access to all the permissions except for agent deletion.
Agent Editor Users can create new versions and deploy, monitor, and export agents.
Agent Viewer Users can only view the node details and generate output in the agent.

Custom Roles

The admin can add these roles at the account/agent level. The scopes, permissions, and access levels can be custom-configured. Custom user roles allow for more fine-grained control over what actions different users can perform for at the account and agent levels.

Organizations can tailor access levels to their specific needs and organizational structure. This customization helps assign only the required permissions to specific users and improve security through role-based access.

For example, a custom role, “Banking Agent Conversation Moderator,” can be customized for full access to agent guardrail configuration permission and no access to create and deploy an agent.

Key Considerations

  • After creating a custom role, it will appear in the dropdown menu of the email invitation template. You can then select and assign this role to the user you invite to your account. custom role listing

  • You cannot delete a custom role if it is currently assigned to active users or included in an email invitation. The system displays an error message, as shown in the screenshot below. error custom role deletion

To proceed, you must first unassign the role or assign an alternative role to these users, and then you can delete the custom role.

Permissions

A Permission is a specific action or a set of actions the user can perform for the assigned role on either agent or account types. Examples include creating an agent, adding an external model, adding a user, and assigning a role.

Access Levels

The Settings console supports two types of access: “Yes” indicates the user role has access to a module’s permission, and “No” means the user has no access. When the system/custom user role has access, the extent/level of access at the account or agent level is defined by the following presets:

  • View: The user can view the account and agent level but cannot edit or delete it.
  • Custom: The user can view, add, and edit account and agent data but not delete it.
  • Full: The user can view, add, edit, and delete account and agent data.
  • No Access: The user cannot access the feature.

Learn more about Module-wise permissions and access levels.

Role Types

A Role Type defines the module-wise scope and access level for the defined permissions and associated actions.

The following Role Types are defined on GALE:

  • Account: Users invited to the account must be assigned an Account role (default or custom). The role type manages access to features at the account level like models, agents, other users, integrations, and security permissions.
  • Agent: When a user is invited to an agent, they receive an Agent role. The role type manages access to features at the agent level like agent creation, deployment, versioning, deletion, monitoring, API integration, experimentation, export, etc.

A user can have an Account role within the account and one or more Agent roles within different agents. Agent roles are determined at the agent level, and you can assign these roles to users who are invited to your agent.

Module-wise Permissions and Access Levels

The following table summarizes the module-wise permissions and access levels for default admin, and agent roles.

Module Permission Default Admin Role
Master Admin Admin Member Viewer
Access Level
Agents

Create an Agent Yes

Yes

Yes

No
Models Access to Model (“View” is the default access for a custom role) Full Custom Custom View
Add an external model Yes Yes Yes No
Create a custom model and perform fine tuning Yes Yes No No
Add opensource model Yes Yes No No
Manage Deployment - deploy/undeploy/redeploy Yes Yes No No
Create or Delete an API Key for a model Yes Yes No No
Export Model Yes Yes No No
Delete Model Yes No No No
Model Configuration Yes Yes No No
Playground and Experiments Access to Playground Yes Yes Yes Yes
Create an Experiment

Yes Yes Yes No
Access to Settings (Only if the settings permission is 'Yes' the user will see all the permissions) Full Custom Custom No Access
Access to guardrails at the account level Yes Yes Yes Yes
Deploy/ Undeploy a guardrail (for all agents) Yes Yes Yes No
Access to Integrations (“Full” is the default access) Full Full Custom View
Integrations Weights & Biases Yes Yes Yes No
Hugging Face Yes Yes Yes No
AWS S3 Bucket Yes Yes No No
SearchAssist Yes Yes No No
Users Management Access Full Full No access No access
Invite User (via email or import) Yes Yes No No
Bulk Import Users via files Yes Yes No No
Assign/revoke system roles to users & manage profile and status Yes Yes No No
Groups Yes Yes No No
Enrolment Yes Yes No No
Directory Sync to enroll users Yes Yes No No
Manage Agent Roles (Create and edit Custom roles), assign/revoke users Yes Yes No No
Manage Admin Roles (Create and edit Custom roles), assign/revoke users Yes Yes No No
Remove Users Yes Yes No No
Preferences Yes Yes No No
Manage User Settings (profile fields): Users with the permissions to manage user settings can bulk change permissions. Yes Yes No No
Security and Control Settings View and update the Security and Control Settings for your account Yes Yes No No

Monitoring Yes Yes No No

Billing: Plans, invoice, subscribe & unsubscribe, token usage Yes No No No
Agent Management Yes Yes No No
Guardrails Access to guardrails at the account level Yes Yes Yes Yes
Deploy/ Undeploy a guardrail (for all agents) Yes Yes Yes No
Other Permissions Approve & publish agent deployment requests Yes Yes No No
Configure and manage Single Sign On Yes No No No
Initiate, enable & disable Kore.ai connector Yes Yes No No
API Scopes for users, roles, and agents in your account. Yes Yes No No
Manage Apps and Model Deployment requests approvals and publishing Yes Yes No No
Allow users to integrate Yes Yes No No
Monitor agents and models on the GALE level Yes Yes No No
Module Permission Default Agent Role
Agent Admin Agent Manager Agent Editor Agent Viewer
Access Level
Agents Access to Agent (“Custom” is the default access for a custom role) Full Custom Custom View
Create an Agent Version Yes Yes Yes No
Share Agents/ Unshare Agents/ Assign Agent Roles/ Remove users Yes Yes No No
Delete Agent Yes No No No
Export Agent Yes Yes Yes No
Monitoring Trace of an Agent Yes Yes Yes Yes
Editing Agent Workflow Yes Yes Yes No
Agent configurations Yes Yes Yes No
Create/Delete an API Key Yes Yes No No
Deployment Manage Deployment - deploy/undeploy/redeploy Yes Yes Yes No
Guardrails Manage Guardrails Configuration Yes Yes Yes No
Monitoring Audit Log Yes Yes No No

Role Management Dashboard

The Role Management Dashboard on the Settings console displays key information.

To access the dashboard, follow the steps below:

  1. Log in to GALE and click Settings on the top menu.
  2. Click Users Management > Role Management on the left menu. access role management

The Role Management dashboard displays the following:

  1. The summary of counts for the following:

    • Total Roles: The total count of system and custom roles in the system.
    • System Roles: The count of the predefined, system-generated user roles.
    • Custom Roles: The count of the user roles created and configured by the system admin. summary of counts
  2. A Table view of the following system and custom role details:

    • Role: The name of the system-generated role or the custom role you have created.
    • Role Type: The role type defines its scope, including Account or Agent.
    • Description: This is the description of the role. System roles are predefined, while you must provide custom role descriptions. Hover over the description text to view the entire description.
    • Created by: For system-generated roles, System is displayed. For custom roles, the name of the user who created the role is displayed, as shown in the image below. This user can be the account owner or another user in the admin’s account. custom and system roles

    • Last Updated On: The local time and date when the custom role was last updated are displayed. This information does not appear for system roles, as they cannot be modified.

Search a Role

To look up a system or custom role, follow the steps below:

  1. Navigate to the Role Management dashboard.
  2. Click the Search text field.
  3. Enter the role you want to search for. All the matching results are displayed. search role

If no results are found, the following message is displayed. no results found

Manage System Roles

You can perform the following actions on the system-generated roles.

Important

System roles cannot be created, modified, or deleted since the role and its permissions are predefined in the system. However, they can be duplicated as Custom Roles and modified.

View Role Information

To view the details of a system-defined role, follow the steps below.

  1. Navigate to the Role Management dashboard,
  2. Click the Ellipses icon for a system role.
  3. Select View. select view

The following information is displayed:

  • Role Title along with Role Type.
  • Summary information on the role.
  • Role Name
  • Role Description
  • Role Type
  • Configuration panel to enable/disable access and set access levels for the listed permissions at the agent/account level. Click here to see the module-wise permissions and access levels for different roles. module-wise permissions

Duplicate System Role

If you want to add a custom role by copying the scope and permissions of a system role, you can use the Duplicate functionality. This feature automatically duplicates the system role, copying its name, role type, and permission/access configurations, and creates it as a custom role. You can then modify, delete, or duplicate this custom role to create multiple copies and add module-wise permissions/access for each.

Note

  • The changes you make to the duplicate role do not apply to the original system role.
  • The Last Updated On value is displayed for duplicate roles and shows the date and time when the duplicate was created.

Steps to Create a Duplicate Role

To duplicate a system role, follow the steps below:

  1. Navigate to the Role Management dashboard.
  2. Click the Ellipses icon for a system role.
  3. Select Duplicate. select duplicate

The duplicate custom role displays the system role name followed by a suffix “copy,” as shown below. You can edit the name if required. duplicate role

Manage Custom Roles

Custom roles can be edited, deleted, or duplicated on the Settings console. They help customize a set of permissions and set access levels according to enterprise's requirements.

Add a Role

To add a custom role, follow the steps below:

  1. Navigate to Role Management on the Settings console.
  2. Click Add New Role. add new role

  3. Follow the steps below in the New Role window:

    • Enter Role Name & Role Description. enter role name and description
    • Select the Role Type from the dropdown. select role type
    • Follow the steps below if you select Role Type as Account.

      • Enable/select the access level for module-wise permissions in the Enable/Disable agent access section. Learn more about module-wise permissions and access levels you can configure for a custom role.
      • Select the checkbox to enable the permissions (set to Yes) or unselect to disable (set to No) for the following:

      • Create Agents

      • Models
      • Playground and Experiments
      • Integrations
      • User Management
      • Security and Control Settings
      • Manage Guardrail Models
      • Billing enable permissions
    • Select the access level for Models, Settings, Integrations, and User Management from the following options:

      • Full: The users can access all the module permissions (view & edit).
      • Custom: The users can select only the required permissions for the module to customize the role.
      • View: The users can only view the configured module permissions.
      • No Access: The user cannot view/customize the module permissions. select access for modules

Important Considerations

  • First, select the access level for Models to enable its permissions. set models access

    Missing this step automatically disables the permissions.

  • Selecting Full automatically selects all the module permissions. full auto select

  • Selecting Custom allows you to enable only the required module permissions. select custom access

  • Selecting View and No Access disables permissions selection. select view and no access

  • Selecting Full for Settings automatically sets the access levels of Integrations and User Management to Full. select full access

Additionally, it automatically enables all the permissions for the following modules:

  • Integrations (View is always enabled by default as it is the minimum required permission).
  • User Management
  • Security and Control Settings
  • Manage Guardrail Models
  • Billing full access
  • Selecting No Access for Settings automatically sets the access levels of Integrations to View and User Management to No Access. no access

Additionally, it disables all the permissions for the following modules:

  • Integrations (The View permission is always enabled by default).
  • User Management
  • Security and Control Settings
  • Manage Guardrail Models
  • Billing

disable permissions

Selecting Custom for Settings automatically sets the Integrations and User Management access levels to Custom. select custom

You can enable the required permissions for the following modules:

  • Integrations
  • User Management
  • Security and Control Settings
  • Manage Guardrail Models
  • Billing

enable access level

You can change Custom to Full or View for Integrations and Full or No Access for User Management. change access level

If you select Role Type as Agent, follow the steps below:

  • Select Custom, View, or Full for Access. Learn more.

View is the default selection. access options

  • Set up the agent permissions as follows in the Enable/Disable agent access section:
  • If you select View for Access, permissions selection is automatically disabled. view access

  • If you select Full for Access, all the permissions are automatically enabled. full access

  • If you select Custom for Access, you can enable the required agent permissions and customize the role.
    custom access

  • Click Create.

The new custom role is created and listed on the Role Management dashboard.

list new custom role

Edit a Custom Role

You can modify the role name, description, and access levels for account type or agent type roles’ permissions on the Settings console.

Note

  • The system does not allow changing the Role Type once it is set. You must create a new custom role to assign a different role type.
  • When a custom role is updated, it changes the permissions for the assigned users.

To update a role, follow the steps below:

  1. Navigate to the Role Management dashboard on the Settings console.
  2. Click the Ellipses icon for the custom role you want to modify.
  3. Select Edit. edit role

  4. Edit the required values for the following In the Update Role window:

    • Role Name
    • Role Description

Reset the access levels for module-wise Permissions in the Enable/disable agent access section based on the role’s requirements.

Note

The Role Type field is disabled for editing.

role type disabled

  1. Click Update.
  2. update role window

A success message is displayed upon completing the role edit, and the updated role details appear on the dashboard.

role updated message

Delete a Custom Role

You can delete a custom role if you want to permanently remove it from the system and unassign it from users.

Note

You can only delete one role at a time. Bulk delete is not supported.

Prerequisite

Before you delete a role, ensure that the custom role is not assigned to any active users. If the role is assigned, do one of the following:

  • Reassign an alternative role to the active users. Learn more.

  • Remove Inactive users to whom this role is assigned.

To delete a role, follow the steps below:

  1. Navigate to the Role Management dashboard on the Settings console.
  2. Click the Ellipses icon for the custom role you want to delete.
  3. Select Delete. select delete role

  4. Click Confirm in the Delete Role confirmation window. confirm delete role

A success message is displayed, and the role is deleted from the Role Management dashboard.

Role Deletion Error and Workaround

The Settings console allows you to delete only unassigned roles. If a role is assigned to active/inactive users during deletion, the following error message is displayed. role deletion error

You must perform one of the following workarounds.

Reassign an Alternative Role to Active Users
  1. Navigate to Users Management > Users on the Settings Console.
  2. Click the Account Role entry for the user.
  3. Select the role you want to reassign. reassign role

Once you reassign the role for the user, go to the Role Management dashboard and delete the role using the steps mentioned here.

The role is deleted successfully from the Role Management dashboard and the count for custom roles is updated (decreased). custom role deleted

Delete Assigned Users

Navigate to the Users Management dashboard and follow the steps mentioned in the Delete Users section to delete all the assigned users individually or in bulk. Once the user is deleted, go to the Role Management dashboard and delete the required custom role.

Deleting the assigned users removes their association with the role you want to delete.

Duplicate a Custom Role

Like a system role, you can duplicate a custom role, which copies the name, role type, and configurations for permissions and access. Follow the steps mentioned here to complete the process for a custom role. duplicate custom role