RelevanceAI · claude · Apr 9, 2026
diff --git a/admin/project-management/add-members.mdx b/admin/project-management/add-members.mdx
@@ -7,7 +7,7 @@
 ## Add members to your project

 <div style={{ width:"100%",position:"relative",paddingTop:"56.25%"}}>
 <iframe src="https://app.supademo.com/embed/cm79y3ykd0ofr11onwku5zrg0" frameBorder="0" title="Invite a user to a project in Relevance AI" allow="clipboard-write; fullscreen" webkitAllowFullscreen="true" mozAllowFullscreen="true" allowFullscreen style={{ position:"absolute",top:0,left:0,width:"100%",height:"100%",border:"3px solid #5E43CE",borderRadius:"10px" }} />
 </div>

 1. Click on `Settings` in the left-side pane of the dashboard.
@@ -17,7 +17,7 @@
 
 ### User roles
 
-Members in your organization can be assigned the following roles: Admin, Editor and Viewer. These roles determine what they can do inside of the platform, and what they can do when using the API.
+Members in your organization can be assigned the following roles: Admin, Editor, Chat, and Viewer. These roles determine what they can do inside of the platform, and what they can do when using the API.
 
 <AccordionGroup>
   <Accordion title="Admin" icon="user-tie-hair-long" iconType="duotone">
@@ -41,19 +41,18 @@
 
     - Can run agents and tools.
   </Accordion>
+  <Accordion title="Chat" icon="message" iconType="duotone">
+    Access [Relevance Chat](/get-started/chat/introduction) only — cannot access the web app. Requires asset-level permissions to run specific agents.
+  </Accordion>
   <Accordion title="Viewer" icon="book-open-reader" iconType="duotone">
-    **Has read permissions for:**
-
-    - All datasets
-    - All knowledge sets
-    - All agents
-
-    **Other permissions:**
-
-    - Can run agents.
+    View agents, tools, and knowledge outputs only. Cannot run agents, create assets, or edit anything.
   </Accordion>
 </AccordionGroup>
 
+<Info>
+For comprehensive permission details including enterprise RBAC controls, see [Role-based access controls](/enterprise/rbac).
+</Info>
+
 ### Cancel pending invitations
 
 If you've sent an invitation that hasn't been accepted yet, you can cancel it before the recipient responds. Only the person who created the invitation or a project admin can cancel pending invitations.

diff --git a/enterprise/rbac.mdx b/enterprise/rbac.mdx
@@ -32,7 +32,7 @@

 ### Project Level

 - **Admins** — own the project setup and governance. They control permission and authentication accounts.
 - **Editors** — build, edit, and run all assets in the project. Treat them as your core contributors.
 - **Members** — can build their own assets but don't automatically see or edit others'. Great for independent work within shared projects.
 - **Chat** — access [Relevance Chat](/get-started/chat/introduction) only, cannot access the web app. Perfect for users who only need to interact with agents through chat. Requires asset-level permissions to run specific agents.
@@ -57,7 +57,7 @@
 | **Role**   | **Capabilities**                                                                                 |
 | ---------- | ------------------------------------------------------------------------------------------------ |
 | **Owner**  | Full control of organization, billing, security, users and all projects                          |
 | **Admin**  | Manage users, projects, organization-level API keys and OAuths                                   |
 | **Member** | Access only assigned projects. Cannot create projects at organization level. Asset creation within projects is controlled by project-level permissions. |
 | **Viewer** | View-only access to agent and tool audit logs, usage data and compliance reports                 |

@@ -68,7 +68,7 @@
 | Manage billing                                         | ✅         | ❌         | ❌          | ❌          |
 | Manage organization settings (name, logo, domain etc.) | ✅         | ✅         | ❌          | ❌          |
 | Manage organization users                              | ✅         | ✅         | ❌          | ❌          |
 | Manage API keys & OAuths (Org-level connections)       | ✅         | ✅         | ❌          | ❌          |
 | View global audit logs                                 | ✅         | ✅         | ❌          | ❌          |
 | View all projects and agents                           | ✅         | ✅         | ❌          | ❌          |
 | Delete any asset                                       | ✅         | ✅         | ❌          | ❌          |
@@ -93,6 +93,10 @@
 | **Chat**   | Access [Relevance Chat](/get-started/chat/introduction) only - cannot access the web app. Requires asset-level permissions to run agents. |
 | **Viewer** | View agents, tools, and knowledge outputs only, cannot run or edit anything                |
 
+<Info>
+Editor is a project-level role only and does not exist at organization or asset levels. Project Editors automatically have Admin permissions on all assets within the project.
+</Info>
+
 ### Permissions
 
 <Tip>
@@ -103,7 +107,7 @@
 | :------------------------------------- | :-------- | :--------- | :--------- | :--------- | :------- |
 | Delete project                         | ✅         | ❌          | ❌          | ❌          | ❌        |
 | Assign project roles to users          | ✅         | ❌          | ❌          | ❌          | ❌        |
 | Manage project-level API keys & OAuths | ✅         | ❌          | ❌          | ❌          | ❌        |
 | Delete agents                          | ✅         | ✅          | ❌          | ❌          | ❌        |
 | View all assets by default             | ✅         | ✅          | ❌          | ❌          | ❌        |
 | Edit/run assets they did not create    | ✅         | ✅          | ❌          | ❌          | ❌        |
@@ -113,6 +117,9 @@
 | Access Web App                         | ✅         | ✅          | ✅          | ✅          | ❌        |
 | Run a chat (LLM)                       | ✅         | ✅          | ✅          | ✅          | ✅        |
 
+<Info>
+Project Viewer access grants read-only visibility to full asset configurations — including prompts, tools, and steps. There is no field-level redaction. If a Viewer cannot see an agent's internals, it's because they lack asset-level access entirely, not because their read access is limited to metadata.
+</Info>
 
 ### Chat Role Details
 
@@ -136,7 +143,7 @@
  </Accordion>

  <Accordion title="LLM conversations">
    Can have conversations with LLMs and in-built Chat Agents directly without agents.
  </Accordion>

  <Accordion title="More powerful than Viewer">
@@ -180,6 +187,10 @@
 | View asset outputs              | ✅         | ✅          | ✅          |
 | View asset audit logs           | ✅         | ✅          | ✅          |
 
+<Info>
+Asset Viewer access grants read-only visibility to full asset configurations — including prompts, tools, and steps. There is no field-level redaction. If a Viewer cannot see an agent's internals, it's because they lack asset-level access entirely, not because their read access is limited to metadata.
+</Info>
+
 ----
 
 ## Workforce Permissions
@@ -206,11 +217,39 @@
 </Info>

 <Tip>
 Learn more about [sharing workforces](/build/workforces/share-your-workforce) as cloneable templates.
 </Tip>
 
 ----
 
+## Permission inheritance and cascading
+
+Permissions cascade automatically from project level to assets within that project:
+
+| Project role | Automatic asset access |
+| ------------ | ---------------------- |
+| **Admin**    | Admin on all assets    |
+| **Editor**   | Admin on all assets    |
+| **Viewer**   | Viewer on all assets   |
+
+<Warning>
+Read access cascades automatically, but execution permissions (run/trigger) may require explicit asset-level grants due to known gaps in the system. If a project Viewer needs to run specific agents, grant them Member access at the asset level explicitly.
+</Warning>
+
+Project Members do **not** automatically have access to all assets. Members must be granted asset-level permissions explicitly for each asset they need to access.
+
+----
+
+## Technical implementation notes
+
+The following is relevant primarily for API users and developers integrating directly with the authorization system.
+
+- **Member vs operator:** The "Member" role label in the UI maps to the `operator` role in the underlying authorization system. When querying permissions via the API, use `operator` rather than `member`.
+- **Authorization system:** The platform uses OpenFGA for authorization. Some parts of the system use a legacy authorization layer that may produce slightly different behavior in edge cases.
+- **Embeddable agents:** Agents shared via public embed links (Chat UI, Chat Widget) may behave differently under the legacy authorization system. Test permissions explicitly when deploying embedded agents.
+
+----
+
 ## Frequently asked questions (FAQs)
 
 <AccordionGroup>