Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.gumloop.com/llms.txt

Use this file to discover all available pages before exploring further.

Organization roles are available on the Pro plan and above. Some feature roles and capabilities require the Enterprise plan.
Gumloop’s roles are additive. A member can hold multiple roles per scope (organization or team), and their effective permissions are the union of every role they hold. Every member implicitly holds the baseline Member role; layer additional roles on top to grant access to specific areas.
For granular, feature-by-feature restrictions (app allowlists, node denylists, concurrency limits), see Custom Roles. That is a separate, complementary system that restricts what organization roles grant. A user can hold multiple custom roles at the same time.

How it works

Union of permissions

A user with {Member, Analytics, Templates} can do everything Member, Analytics, and Templates allow. Revoking one role does not remove permissions granted by another.

Member is implicit

Every org member automatically holds Member. It is not shown in the Manage Roles picker and cannot be removed without removing the user from the org.

Scopes are independent

Organization roles apply across the org. Team roles apply inside a single team. A user can be a Team Admin on one team and a Team Member on another.

Admin vs Feature roles

Admin roles (Admin, Manager) grant broad authority. Feature roles (Security, Developer, Analytics, Templates) grant scoped access to one area.

Organization Roles

Admin

Full control: billing, SSO, members, and every feature area.

Manager

Member operations, credentials, analytics, and templates. No billing or security.

Member

Implicit baseline. Use agents, skills, flowbooks, and personal credentials.

Security

Custom roles, app policies, AI model access, and App Activity.

Developer

Hosted MCPs and Proxied MCPs. Requires Enterprise.

Analytics

Organization analytics, usage, and data export.

Templates

Curate the organization template library.

Admin

Role ID: admin  ·  Group: Admin  ·  Scope: Organization

Can access

  • Billing, subscription, and credit limits
  • SSO, SAML, and SCIM
  • All member operations
  • Organization credentials
  • Team access and team settings
  • Audit logs
  • AI model access, app policies, custom roles
  • Analytics, usage, and data export
  • Organization template library
  • App Activity, Hosted MCPs, and Proxied MCPs (when enabled)

Can assign

Admin, Manager, Security, Developer, Analytics, Templates.
Cannot do: Nothing. Admin has full authority, so treat it as a break-glass role.
When to assign: Organization owners, finance leads, and IT admins. Keep the count small since Admin includes billing and SSO.

Manager

Role ID: manager  ·  Group: Admin  ·  Scope: Organization

Can access

  • Invite, remove, and manage members
  • Organization credentials
  • Analytics, usage, and data export
  • Organization template library

Can assign

Analytics, Templates, Member.
Cannot do: Change billing, SSO, AI model access, app policies, custom roles, or audit logs. Cannot grant Admin, Manager, Security, or Developer.
When to assign: Team leads and ops managers who handle day-to-day onboarding and need usage visibility without billing or security authority.

Member

Role ID: member  ·  Group: Feature  ·  Scope: Organization and Team  ·  Baseline: Yes

Can access

  • Create and use agents, skills, flowbooks, and custom operators
  • Read organization metadata
  • Create teams
  • Manage personal credentials
  • Leave the organization or a team

Can assign

Nothing.
Cannot do: Any management action: billing, members, credentials, analytics, templates, or security controls.
When to assign: Automatic. Every organization member holds Member implicitly. It cannot be removed without removing the user from the organization.

Security

Role ID: security  ·  Group: Feature  ·  Scope: Organization  ·  Plan: Enterprise

Can access

Can assign

Developer.
Cannot do: Billing, SSO, member management, or audit logs. Cannot grant Admin, Manager, or Security.
When to assign: Security engineers, platform leads, and compliance owners who configure guardrails without taking on billing or SSO.

Developer

Role ID: developer  ·  Group: Feature  ·  Scope: Organization  ·  Requires: Enterprise

Can access

Can assign

Nothing.
Cannot do: Any organization management action. Cannot view audit logs or organization-wide App Activity.
When to assign: Builders and integration engineers who need to develop and test Hosted MCPs and Proxied MCPs. Granted by Admin or Security.
Developer is hidden in the Manage Roles UI if Hosted MCPs and Proxied MCPs are not enabled on the organization.

Analytics

Role ID: analytics  ·  Group: Feature  ·  Scope: Organization  ·  Plan: Enterprise

Can access

  • Organization analytics dashboard
  • Usage limits and credit consumption
  • Data export

Can assign

Nothing.
Cannot do: Member management, credentials, templates, security controls, or billing.
When to assign: Finance, FP&A, and data analysts who need usage visibility without member or template authority. Granted by Admin or Manager.

Templates

Role ID: templates  ·  Group: Feature  ·  Scope: Organization

Can access

  • Approve, reject, and delist template submissions
  • Manage the organization template gallery
  • Control template visibility across the organization

Can assign

Nothing.
Cannot do: Member management, credentials, analytics, or security controls.
When to assign: Internal enablement leads and workflow curators who own the shared template library. Granted by Admin or Manager.

Team Roles

Teams use a simpler two-role system.

Team Admin

Role ID: admin (team scope)  ·  Scope: Team

Can access

  • All team content (agents, flowbooks, skills, custom operators)
  • Team credentials
  • Team analytics
  • Team membership

Can assign

Team Admin, Team Member.
Cannot do: Anything outside the team. Team roles do not grant organization-level authority.
When to assign: People who own a team’s content end-to-end, including onboarding teammates and managing credentials.

Team Member

Role ID: member (team scope)  ·  Scope: Team  ·  Baseline: Yes

Can access

Read access to team content.

Can assign

Nothing.
Cannot do: Manage team membership, credentials, or team roles.
When to assign: Automatic. Every team member holds Team Member implicitly.
Organization ceiling: org Admins hold organization:manage_team_access, which lets them manage team memberships and team roles on every team in the organization, regardless of their team-level role. This is how org admins unblock access issues.

Managing Roles

Roles are assigned and revoked individually from the Manage Roles sheet. You pick the exact combination of roles the user should hold. This is not a promote or demote action.
Manage Roles sheet showing Admin and Feature role groups with checkboxes, each role paired with a View details link.
1

Open the members page

Go to Organization Members or a team’s Members tab.
2

Open Manage Roles

Click the three-dot menu next to the member and choose Manage Roles. The sheet opens with every role the member currently holds pre-selected.
3

Toggle and save

Check or uncheck any available role and click Save. Roles you are not authorized to assign are hidden. Effective permissions update immediately.

Adding a new member with roles

Pre-assign organization roles when you invite someone so they land with the right permissions as soon as they accept.
Add Member to Organization modal with fields for email, a multi-select Roles picker showing Member, Manager, Security selected, a Custom Roles selector, and a Teams selector.
  • Roles is a multi-select. Every invitee gets Member implicitly; pick any additional roles your own role lets you assign.
  • Custom Roles picks one or more Custom Roles that apply subtractive restrictions on top of the organization roles. New invitees automatically join the default custom role; you can layer additional custom roles on top.
  • Teams adds the invitee to one or more teams.

Best practices

Every user starts as Member automatically. Add the narrowest additional roles that match their responsibilities. You can always add more later.
If someone only needs analytics visibility, grant Analytics, not Manager. If they only curate templates, grant Templates. Keep the high-authority list short.
Custom roles, app policies, and AI model access no longer require Admin. Grant Security so platform and security teams can own guardrails without billing or SSO.
Additive roles make it easy to accumulate extras. Run a quarterly review and remove roles that are no longer needed.

How permissions resolve

When someone takes an action, Gumloop checks three things. The action goes through only if all three agree.

1. Roles

The union of everything your organization and team roles grant at the relevant scope. This is the ceiling on what you can do.

2. Item sharing

For a specific agent, flowbook, or skill, the owner can grant you Editor, Viewer, or Use only. Sharing overrides the default per item.

3. Custom roles

Your Custom Roles can subtract from what roles and sharing allow. For example, they can block certain apps or nodes. A user can hold multiple custom roles, and the effective restriction is composed across all of them.
In short: organization and team roles set the ceiling, sharing adjusts access per item, and custom roles can subtract on top.

Role Comparison

Users with multiple roles get the union of the “Yes” columns.
CapabilityAdminManagerSecurityDeveloperAnalyticsTemplatesMember
Billing and subscriptionYesNoNoNoNoNoNo
SSO / SAML / SCIMYesNoNoNoNoNoNo
Add and remove membersYesYesNoNoNoNoNo
Assign rolesAllAnalytics, Templates, MemberDeveloperNoNoNoNo
Audit logsYesNoNoNoNoNoNo
AI model access controlsYesNoYesNoNoNoNo
App policiesYesNoYesNoNoNoNo
Custom rolesYesNoYesNoNoNoNo
Organization credentialsYesYesNoNoNoNoNo
Org analytics, usage, data exportYesYesNoNoYesNoNo
Manage templatesYesYesNoNoNoYesNo
Create agents, skills, flowbooks, custom operatorsYesYesYesYesYesYesYes
Create teamsYesYesYesYesYesYesYes
App Activity & MCP management (Enterprise)YesNoYesYesNoNoNo
Team Admin can assign Team Admin and Team Member inside the team. Team Member is implicit and has read access to team content.

Custom Roles

Additive restriction roles that subtract from what organization roles grant.

App Policies

Allow or block specific apps for users.

AI Model Access Controls

Restrict which AI models users can call.

Audit Logging

Track every administrative action.

Teams

Group users and content for shared access.