RBAC Roles
Built-in roles · Custom roles · Three permission tiers · Multi-role union
Roles are Evose's coarsest unit of permission assignment. A user can hold multiple roles, and their effective permissions are the union of those roles' permissions.
Built-in Roles
| Role | Permissions |
|---|---|
| System administrator | All — assign carefully |
| Default role | The org can customize the default permission set |
| Read-only role | View only, no changes |
Custom Roles
Organizations can create roles of their own, for example:
| Example | Use |
|---|---|
| New hire | Restricted permissions; joining a workspace requires approval |
| Partner | Access to specified workspaces only |
| App builder | Cross-workspace Agent / Workflow editing rights |
| Finance audit | Org-wide read-only + observability |
Three Permission Tiers
Permissions stack in three layers, with precision increasing from top to bottom:
→ Resource policy ACL governs Layer C
Multi-Role Union
A user can hold multiple roles simultaneously.
Permissions combine by OR (union): if any one role allows an action, the action is allowed.
Permission Conflicts
When RBAC and resource ACL conflict, ACL wins. Example:
- Role "Marketing edit" allows editing Agent A
- Agent A's ACL explicitly denies Alice
→ Alice cannot edit Agent A.
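The two rules above (role union, then ACL deny overriding RBAC) as an added Python example; this is not Evose's own code, the role and ACL data shapes are assumptions, and the sample data is constructed to reproduce the Alice / Agent A case:

```python
# Constructed sample data. The (type, id, action) permission tuples and the
# per-user ACL layout are assumed shapes, not Evose's real schema.
ROLE_PERMISSIONS = {
    "Read-only role": {("agent", "A", "view"), ("agent", "B", "view")},
    "Marketing edit": {("agent", "A", "view"), ("agent", "A", "edit")},
}

# Resource ACL: explicit per-user entries attached to a resource.
# Agent A's ACL explicitly denies Alice the edit action.
RESOURCE_ACL = {
    ("agent", "A"): {"alice": {"deny": {"edit"}}},
}


def role_union(roles):
    """Multi-role union: permissions are the OR of every assigned role."""
    allowed = set()
    for role in roles:
        allowed |= ROLE_PERMISSIONS.get(role, set())
    return allowed


def is_allowed(user, roles, resource_type, resource_id, action):
    """Evaluate one access request.

    1. An explicit deny in the resource ACL wins over anything RBAC grants.
    2. Otherwise the request is allowed if any role in the union grants it.
    """
    acl_entry = RESOURCE_ACL.get((resource_type, resource_id), {}).get(user, {})
    if action in acl_entry.get("deny", set()):
        return False  # ACL wins over RBAC when the two conflict
    return (resource_type, resource_id, action) in role_union(roles)


def effective_permissions(user, roles):
    """Everything the user can do after union and ACL deny filtering."""
    return {
        perm for perm in role_union(roles)
        if is_allowed(user, roles, *perm)
    }
```

Alice keeps view on Agent A from "Marketing edit" but loses edit to the ACL deny; a user without that ACL entry gets the full union.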
Role Lifecycle
| Action | Who |
|---|---|
| Create role | Org admin |
| Edit permissions | Org admin |
| Add members | Org admin |
| Delete role | Org admin |
Tie-In with Member Management
Members & departments maintains the directory; roles are referenced there:
Next Steps
- Configure resource policies → Resource policy
- Refine inside a workspace → Workspace · Members & permissions