| Role | Scope of control | What they can typically do |
|---|---|---|
| Global Admin | The entire organization | Full control: manage all users, teams, projects, assistants, and corpora; configure organization settings; create and assign Permission Sets. This is the highest level of access. |
| Application Admin | Application-level functions and resources | Elevated administrative access over many areas and shared resources, but without full organization-admin authority. Sits below a Global Admin. |
| User | Only the resources they own or are granted | Works within their own assistants, projects, and corpora, plus anything explicitly shared with them. |
Note: On any individual resource (a specific assistants, team, or project), a user can additionally hold an Admin or Member access, which further refines what they can do with that one item — independent of their org-wide role.
| Share level | What it can unlock (given a matching Permission Set) |
|---|---|
| member | View only. |
| admin | View, edit, delete, and publish. |
Note — team shares differ: A direct share to a team behaves slightly differently — it is gated at team scope rather than by the scope-agnostic capability. The capability-based resolution described above applies to shares made directly to an individual user.
Quick reference
Rule Detail System sets Scopes are locked; only the default toggle and user assignments can change. Minimum defaults At least one default must always exist in the organization. Last default Its default field cannot be toggled off while it's the only default. New users All default sets are auto-assigned to every new user. Per-user limit Maximum of 20 Permission Sets per user at a time.