Platform-side user permissions are used to manage adding and removing workspace members, and to control their functional and data permissions. Before reading this article, it is recommended to read Business, Workspace and Permission Overview to understand the relevant concepts.
Note:
Platform-side user permissions are an upgrade of the former “User Permission Management.” Existing permission points are retained, with expanded functional permissions and data permissions, which will be explained in detail below.
Feature Description
Platform-side user permissions are workspace-level functions, allowing each workspace to independently control permissions of its members. This feature includes three components: User Management, Role Management, and Permission Management.
User Management: Used to manage members of the current workspace. Supports adding enterprise users into the current workspace. Once added, they become workspace members, who can access the workspace.
Add User: Add existing enterprise users to the workspace, or create new users under the enterprise and then add them to the workspace.
Remove a user: After deletion, the user can no longer access the workspace.
Add Role: Assign a role to a user. The user then inherits the permissions of that role.
Note:
The main account does not appear in the workspace user list. However, it belongs to the “Super Administrator” role defined at the enterprise level and holds all enterprise-level and workspace-level permissions. See Enterprise Management for details.
Role management: A role represents a group of users. By creating roles and assigning users to them, you can group users, and then assign permissions to roles via "permission management".
Add/Edit Role: Add new roles, or modify role name and description.
Note:
Each workspace includes a preset "Administrator" role with full permissions. The creator of the workspace is assigned to this role by default.
The Administrator role cannot be deleted or edited, and its scope cannot be changed. You can only add or remove users from it.
Manage user: Add or remove users from a role. Only current workspace members can be added. Removed users will lose the permissions of that role.
Delete Role: Once deleted, users of that role lose the associated permissions. This action cannot be undone.
Permission management: Supports assigning permissions either per user or per role, with both functional permissions and data permissions.
Allocate by user: Select an individual user and assign functional and data permissions. Users newly added to a workspace automatically receive some default permissions (detailed in the “Functional Permissions” and “Data Permissions” sections below).
Note:
If a user is the preset Administrator, you cannot change their permissions via user-level assignment.
Assign by role: Select a role and assign functional and data permissions. The preset Administrator role is excluded.
Note:
If a user has both user-level and role-level permissions, the union of both applies.
Functional permissions: Functional permissions control available features within the workspace. Examples are shown below:
Level 1
Level 2
Level 3
Level 4
Default Users with Permissions
Agent Development Platform
App Dev
Create Application
-
Super Administrators, Administrators (workspace)
Users newly added to the workspace
When a user is added to a workspace for the first time, they automatically receive certain functional permissions in "Platform-Side User Permissions - Permission Management - Allocate by User".
Application List
-
Knowledge Base
Create knowledge base
-
Model Marketplace
Adding a Model
-
Deleting a Model
-
Plugin Marketplace
Creating a Plugin
-
mcp plug-in integration
-
Prompt Templates
Create Prompt Template
-
Application Templates
Copying
-
Experience Application
-
Clear conversation
-
atomic capability
-
-
Platform Management
Billing Resource List
pay-as-you-go resources
Super Administrators, Administrators (workspace)
Other members must be granted permissions by a Super Administrator or workspace Administrator.
concurrent resource
Knowledge Base Capacity
Postpaid settings
Billing Resource Usage Details
Model Usage Statistics
Concurrency Statistics
Knowledge Library Capacity Statistics
Plug-in usage statistics
Platform User Permissions
User Management
Role Management
Assign permissions
Deleting a workspace
-
-
Modifying a workspace
-
-
Data permissions: Data permissions control which data a workspace member can view or edit within the current workspace. Supported objects include applications, knowledge bases, plugins, and prompt templates.
Note:
By default, users always have edit permission for data they create themselves.Applies to data created on or after August 17, 2025. For earlier data, permissions are determined by the “Data Permissions” setting.
Users added to a workspace for the first time have view permission by default for data created by others in that workspace.
Data permissions apply only to data created by other users; for their own data, the default is always edit.
Permission
Permission Description
No permission
User cannot see the data. For example, if User 1 in Workspace A has no permission for “ds test application,” they cannot see it under Application Development.
viewable
User can view the data. For example, if User 1 has view permission for “ds test application,” they can open and test it in the dialogue interface but cannot edit.
editable
User can view and fully edit the data, including configuration, knowledge bases, workflows, etc.
Advanced Custom
User can enable/disable permissions for specific operations within the data. For example: Application A cannot be published; Application B can be published but not switched between modes.
Permissions can be configured separately for users and roles at the data level.
