PromptRails
View as Markdown

Team and Roles

Manage workspace team members with role-based access control including Owner, Admin, and User roles.

Team and Roles

PromptRails provides role-based access control (RBAC) for workspace team management. Each workspace member is assigned a role that determines their permissions.

Role Hierarchy

PromptRails defines three workspace roles with a clear hierarchy:

Owner > Admin > User

Owner

The workspace owner has full control over all resources and settings. There is exactly one owner per workspace (the user who created it).

PermissionAllowed
Manage all resources (agents, prompts, etc.)Yes
Manage credentialsYes
Manage API keysYes
Manage team membersYes
Change member rolesYes
Transfer ownershipYes
Delete the workspaceYes
Manage billing and plansYes

Admin

Admins have broad permissions but cannot perform destructive workspace-level operations.

PermissionAllowed
Manage all resources (agents, prompts, etc.)Yes
Manage credentialsYes
Manage API keysYes
Manage team membersYes
Change member roles (below their level)Yes
Transfer ownershipNo
Delete the workspaceNo
Manage billing and plansYes

User

Users can work with resources but have limited administrative access.

PermissionAllowed
View and execute agentsYes
View and execute promptsYes
View executions and tracesYes
Create and manage their own resourcesYes
Manage credentialsNo
Manage API keysNo
Manage team membersNo
Manage billingNo

Adding Members

Invite new members from the workspace settings in the PromptRails dashboard. Owners and admins can enter the user's email address and assign a role during the invitation flow.

The invited user receives an email with an invitation link. Once accepted, they are added to the workspace with the specified role.

Invitation Flow

  1. Owner/Admin sends invitation -- Specifies email and role
  2. Invitation email sent -- Contains a unique invitation link
  3. User accepts -- Clicks the link and creates an account (if new) or logs in
  4. Member added -- User is added to the workspace with the assigned role

Invitation Statuses

StatusDescription
pendingInvitation sent, awaiting acceptance
acceptedUser accepted the invitation
revokedInvitation was cancelled before acceptance

Removing Members

Remove members from the workspace settings screen in the dashboard.

Removing a member revokes their access immediately. Their previously created resources remain in the workspace.

Changing Roles

Change member roles from the same team management screen in the dashboard.

Role changes take effect immediately for all subsequent requests.

API Key Auth vs User Auth

PromptRails supports two authentication methods:

User Authentication (JWT)

  • Used by the dashboard (frontend)
  • Authenticated via email/password login
  • Permissions based on workspace role
  • Session-based with access + refresh tokens

API Key Authentication

  • Used by SDKs, CLI, and integrations
  • Authenticated via X-API-Key header
  • Permissions based on API key scopes (not user roles)
  • Workspace-scoped (each key belongs to one workspace)

API keys provide more granular control than roles. A user with the "owner" role might create an API key with only agents:read scope for a specific integration.

System Roles

In addition to workspace roles, PromptRails has system-level roles:

RoleDescription
adminPlatform administrator (access to backoffice)
userRegular platform user

System roles are separate from workspace roles. A user can be a system user but a workspace owner.

Plan Limits

Team member counts are subject to plan limits:

PlanMax Team Members
Free1
Starter3
Pro10
EnterpriseUnlimited

Attempting to add members beyond the plan limit returns a 402 Payment Required error.

PreviousWorkspace ManagementNextBilling & Plans