RelevanceAI · claude · Apr 10, 2026
diff --git a/admin/project-management/add-members.mdx b/admin/project-management/add-members.mdx
@@ -4,10 +4,14 @@
 description: "Add members to your project to collaborate with your team."
 ---
 
+<Info>
+  This page describes the legacy permission system (Admin, Editor, Viewer) used by organizations that have not yet migrated to RBAC. If your organization has RBAC enabled, see [Role-based access controls (RBAC)](/enterprise/rbac) for the current permission model and role definitions.
+</Info>
+
 ## Add members to your project
 
 <div style={{ width:"100%",position:"relative",paddingTop:"56.25%"}}>
 <iframe src="https://app.supademo.com/embed/cm79y3ykd0ofr11onwku5zrg0" frameBorder="0" title="Invite a user to a project in Relevance AI" allow="clipboard-write; fullscreen" webkitAllowFullscreen="true" mozAllowFullscreen="true" allowFullscreen style={{ position:"absolute",top:0,left:0,width:"100%",height:"100%",border:"3px solid #5E43CE",borderRadius:"10px" }} />
 </div>

 1. Click on `Settings` in the left-side pane of the dashboard.

diff --git a/enterprise/rbac.mdx b/enterprise/rbac.mdx
@@ -32,7 +32,7 @@

 ### Project Level

 - **Admins** — own the project setup and governance. They control permission and authentication accounts.
 - **Editors** — build, edit, and run all assets in the project. Treat them as your core contributors.
 - **Members** — can build their own assets but don't automatically see or edit others'. Great for independent work within shared projects.
 - **Chat** — access [Relevance Chat](/get-started/chat/introduction) only, cannot access the web app. Perfect for users who only need to interact with agents through chat. Requires asset-level permissions to run specific agents.
@@ -57,7 +57,7 @@
 | **Role**   | **Capabilities**                                                                                 |
 | ---------- | ------------------------------------------------------------------------------------------------ |
 | **Owner**  | Full control of organization, billing, security, users and all projects                          |
 | **Admin**  | Manage users, projects, organization-level API keys and OAuths                                   |
 | **Member** | Access only assigned projects. Cannot create projects at organization level. Asset creation within projects is controlled by project-level permissions. |
 | **Viewer** | View-only access to agent and tool audit logs, usage data and compliance reports                 |

@@ -68,7 +68,7 @@
 | Manage billing                                         | ✅         | ❌         | ❌          | ❌          |
 | Manage organization settings (name, logo, domain etc.) | ✅         | ✅         | ❌          | ❌          |
 | Manage organization users                              | ✅         | ✅         | ❌          | ❌          |
 | Manage API keys & OAuths (Org-level connections)       | ✅         | ✅         | ❌          | ❌          |
 | View global audit logs                                 | ✅         | ✅         | ❌          | ❌          |
 | View all projects and agents                           | ✅         | ✅         | ❌          | ❌          |
 | Delete any asset                                       | ✅         | ✅         | ❌          | ❌          |
@@ -103,7 +103,7 @@
 | :------------------------------------- | :-------- | :--------- | :--------- | :--------- | :------- |
 | Delete project                         | ✅         | ❌          | ❌          | ❌          | ❌        |
 | Assign project roles to users          | ✅         | ❌          | ❌          | ❌          | ❌        |
 | Manage project-level API keys & OAuths | ✅         | ❌          | ❌          | ❌          | ❌        |
 | Delete agents                          | ✅         | ✅          | ❌          | ❌          | ❌        |
 | View all assets by default             | ✅         | ✅          | ❌          | ❌          | ❌        |
 | Edit/run assets they did not create    | ✅         | ✅          | ❌          | ❌          | ❌        |
@@ -136,7 +136,7 @@
  </Accordion>

  <Accordion title="LLM conversations">
    Can have conversations with LLMs and in-built Chat Agents directly without agents.
  </Accordion>

  <Accordion title="More powerful than Viewer">
@@ -206,11 +206,68 @@
 </Info>

 <Tip>
 Learn more about [sharing workforces](/build/workforces/share-your-workforce) as cloneable templates.
 </Tip>
 
 ----
 
+## Transitioning to RBAC
+
+If your organization is being migrated from legacy permissions to RBAC, this section covers what changes, what stays the same, and what actions you need to take.
+
+### Before RBAC (legacy permissions)
+
+The legacy permission system had three roles — Admin, Editor, and Viewer — applied at the project and organization level only:
+
+- **Admin** — full read and write access to all assets and settings
+- **Editor** — read and write access to all datasets, knowledge sets, and agents; could run agents and tools
+- **Viewer** — read access to all datasets, knowledge sets, and agents; could run agents
+
+There was no asset-level granularity. All users with a given role had the same access to every asset in the project by default. Shared credentials (API keys, OAuths) applied project-wide.
+
+### During the migration
+
+The Relevance AI team handles the technical migration to RBAC. You do not need to manually migrate roles, but you should review and adjust assignments after migration is complete.
+
+**How legacy roles map to RBAC roles by default:**
+
+| Legacy role | Default RBAC role (project level) |
+|-------------|-----------------------------------|
+| Admin       | Admin                             |
+| Editor      | Editor                            |
+| Viewer      | Viewer                            |
+
+<Warning>
+  The Viewer role changes significantly under RBAC. Legacy Viewers could run agents — RBAC Viewers cannot run anything and can only view assets they have been explicitly granted access to. Users who only need to interact with agents via chat should be assigned the Chat role, not Viewer.
+</Warning>
+
+After migration, review every user mapped to Viewer and determine whether they should be:
+- **Chat** — for users who only need to use agents through [Relevance Chat](/get-started/chat/introduction)
+- **Viewer** — for users who genuinely only need read access to asset configurations and outputs
+- **Member** — for users who need to run agents
+
+### After RBAC is enabled
+
+Once RBAC is active for your organization:
+
+- **Asset-level permissions are enforced.** Access to individual agents, tools, and knowledge bases is controlled separately from project-level roles.
+- **Project Editors and Admins retain full access** to all assets in that project automatically — project Admin and Editor roles cascade to asset Admin on all assets in the project.
+- **Members, Viewers, and Chat users need explicit asset-level permissions.** Without a grant, they will receive a 403 error when attempting to access an asset.
+- **Shared credentials can be scoped per tool.** Rather than all project members sharing one set of credentials, asset admins can assign specific authentication accounts per tool.
+- **Permissions are assigned via the Share modal** on each individual agent, tool, or knowledge base.
+
+### Action items for admins
+
+After RBAC is enabled, complete these steps to restore appropriate access for your team:
+
+- **Review user roles immediately.** Check that the default role mappings match your intended access levels, particularly for legacy Viewer accounts.
+- **Assign asset-level permissions** using the Share modal on each agent, tool, and knowledge base that non-Admin/Editor users need to access.
+- **Use RBAC Groups for bulk assignment.** If many users need the same access, create a group and assign asset permissions to the group rather than individual users.
+- **Audit chat-only users.** Confirm that users who only need [Relevance Chat](/get-started/chat/introduction) access are assigned the Chat project role, not Viewer.
+- **Verify critical users can access required assets.** Test access for key team members, especially those with Member or Viewer roles, before announcing the migration is complete.
+
+----
+
 ## Frequently asked questions (FAQs)
 
 <AccordionGroup>