Organization roles are available on the Pro plan and above. Some feature roles and capabilities require the Enterprise plan.
Gumloop uses a composable role system. A member can hold multiple roles per scope (organization or team), and their effective permissions are the union of every role they hold. Every member implicitly holds the baseline Member role; layer additional roles on top to grant access to specific areas.
For granular, feature-by-feature restrictions (app allowlists, node denylists, concurrency limits), see Custom User Roles. That is a separate, complementary system that restricts what composable roles grant.

How it works

Union of permissions

A user with {Member, Analytics, Templates} can do everything Member, Analytics, and Templates allow. Revoking one role does not remove permissions granted by another.

Member is implicit

Every org member automatically holds Member. It is not shown in the Manage Roles picker and cannot be removed without removing the user from the org.

Scopes are independent

Organization roles apply across the org. Team roles apply inside a single team. A user can be a Team Admin on one team and a Team Member on another.

Admin vs Feature roles

Admin roles (Admin, Manager) grant broad authority. Feature roles (Security, Developer, Analytics, Templates) grant scoped access to one area.

Organization Roles

Admin

Full control: billing, SSO, members, and every feature area.

Manager

Member operations, credentials, analytics, and templates. No billing or security.

Member

Implicit baseline. Use agents, skills, flowbooks, and personal credentials.

Security

Permission groups, app policies, AI model access, and Gumstack security.

Developer

Gumstack servers and tools. Requires Gumstack on the org.

Analytics

Organization analytics, usage, and data export.

Templates

Curate the organization template library.

Admin

Role ID: admin  ·  Group: Admin  ·  Scope: Organization

Can access

  • Billing, subscription, and credit limits
  • SSO, SAML, and SCIM
  • All member operations
  • Organization credentials
  • Team access and team settings
  • Audit logs
  • AI model access, app policies, permission groups
  • Analytics, usage, and data export
  • Organization template library
  • Full Gumstack access (when enabled)

Can assign

Admin, Manager, Security, Developer, Analytics, Templates.
Cannot do: Nothing. Admin has full authority, so treat it as a break-glass role.
When to assign: Organization owners, finance leads, and IT admins. Keep the count small since Admin includes billing and SSO.

Manager

Role ID: manager  ·  Group: Admin  ·  Scope: Organization

Can access

  • Invite, remove, and manage members
  • Organization credentials
  • Analytics, usage, and data export
  • Organization template library

Can assign

Analytics, Templates, Member.
Cannot do: Change billing, SSO, AI model access, app policies, permission groups, or audit logs. Cannot grant Admin, Manager, Security, or Developer.
When to assign: Team leads and ops managers who handle day-to-day onboarding and need usage visibility without billing or security authority.

Member

Role ID: member  ·  Group: Feature  ·  Scope: Organization and Team  ·  Baseline: Yes

Can access

  • Create and use agents, skills, flowbooks, and custom operators
  • Read organization metadata
  • Create teams
  • Manage personal credentials
  • Leave the organization or a team

Can assign

Nothing.
Cannot do: Any management action: billing, members, credentials, analytics, templates, or security controls.
When to assign: Automatic. Every organization member holds Member implicitly. It cannot be removed without removing the user from the organization.

Security

Role ID: security  ·  Group: Feature  ·  Scope: Organization  ·  Plan: Enterprise

Can access

Can assign

Developer.
Cannot do: Billing, SSO, member management, or audit logs. Cannot grant Admin, Manager, or Security.
When to assign: Security engineers, platform leads, and compliance owners who configure guardrails without taking on billing or SSO.

Developer

Role ID: developer  ·  Group: Feature  ·  Scope: Organization  ·  Requires: Gumstack

Can access

  • Gumstack servers and tools
  • Gumstack analytics for their own servers and tools
  • Standard content (agents, skills, flowbooks, custom operators) via Member

Can assign

Nothing.
Cannot do: Any organization management action. Cannot view audit logs or other organizations’ Gumstack analytics.
When to assign: Builders and integration engineers who need to develop and test against Gumstack. Granted by Admin or Security.
Developer is hidden in the Manage Roles UI if Gumstack is not enabled on the organization.

Analytics

Role ID: analytics  ·  Group: Feature  ·  Scope: Organization  ·  Plan: Enterprise

Can access

  • Organization analytics dashboard
  • Usage limits and credit consumption
  • Data export

Can assign

Nothing.
Cannot do: Member management, credentials, templates, security controls, or billing.
When to assign: Finance, FP&A, and data analysts who need usage visibility without member or template authority. Granted by Admin or Manager.

Templates

Role ID: templates  ·  Group: Feature  ·  Scope: Organization

Can access

  • Approve, reject, and delist template submissions
  • Manage the organization template gallery
  • Control template visibility across the organization

Can assign

Nothing.
Cannot do: Member management, credentials, analytics, or security controls.
When to assign: Internal enablement leads and workflow curators who own the shared template library. Granted by Admin or Manager.

Team Roles

Teams use a simpler two-role system.

Team Admin

Role ID: admin (team scope)  ·  Scope: Team

Can access

  • All team content (agents, flowbooks, skills, custom operators)
  • Team credentials
  • Team analytics
  • Team membership

Can assign

Team Admin, Team Member.
Cannot do: Anything outside the team. Team roles do not grant organization-level authority.
When to assign: People who own a team’s content end-to-end, including onboarding teammates and managing credentials.

Team Member

Role ID: member (team scope)  ·  Scope: Team  ·  Baseline: Yes

Can access

Read access to team content.

Can assign

Nothing.
Cannot do: Manage team membership, credentials, or team roles.
When to assign: Automatic. Every team member holds Team Member implicitly.
Organization ceiling: org Admins hold organization:manage_team_access, which lets them manage team memberships and team roles on every team in the organization, regardless of their team-level role. This is how org admins unblock access issues.

Managing Roles

Roles are assigned and revoked individually from the Manage Roles sheet. You pick the exact combination of roles the user should hold. This is not a promote or demote action.
[Image: Manage Roles sheet showing Admin and Feature role groups with checkboxes, each role paired with a View details link.]
1. Open the members page

Go to Organization Members or a team’s Members tab.
2. Open Manage Roles

Click the three-dot menu next to the member and choose Manage Roles. The sheet opens with every role the member currently holds pre-selected.
3. Toggle and save

Check or uncheck any available role and click Save. Roles you are not authorized to assign are hidden. Effective permissions update immediately.

Adding a new member with roles

Pre-assign composable roles when you invite someone so they land with the right permissions as soon as they accept.
[Image: Add Member to Organization modal with fields for email, a multi-select Roles picker showing Member, Manager, Security selected, a User Permission Group selector, and a Teams selector.]
  • Roles is a multi-select. Every invitee gets Member implicitly; pick any additional roles your own role lets you assign.
  • User Permission Group picks the Custom User Role that applies subtractive restrictions on top of the composable roles. The default is General.
  • Teams adds the invitee to one or more teams.

Best practices

Every user starts as Member automatically. Add the narrowest additional roles that match their responsibilities. You can always add more later.
If someone only needs analytics visibility, grant Analytics, not Manager. If they only curate templates, grant Templates. Keep the high-authority list short.
Permission groups, app policies, and AI model access no longer require Admin. Grant Security so platform and security teams can own guardrails without billing or SSO.
Composable roles make it easy to accumulate extras. Run a quarterly review and remove roles that are no longer needed.

How permissions resolve

When someone takes an action, Gumloop checks three things. The action goes through only if all three agree.

1. Roles

The union of everything your composable roles grant at the relevant scope (organization or team). This is the ceiling on what you can do.

2. Item sharing

For a specific agent, flowbook, or skill, the owner can grant you Editor, Viewer, or Use only. Sharing overrides the default per item.

3. Permission group

Your Custom User Role can subtract from what roles and sharing allow. For example, it can block certain apps or nodes.
In short: roles set the ceiling, sharing adjusts access per item, and permission groups can subtract on top.

Role Comparison

Users with multiple roles get the union of the “Yes” columns.
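| Capability | Admin | Manager | Security | Developer | Analytics | Templates | Member |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Billing and subscription | Yes | No | No | No | No | No | No |
| SSO / SAML / SCIM | Yes | No | No | No | No | No | No |
| Add and remove members | Yes | Yes | No | No | No | No | No |
| Assign roles | All | Analytics, Templates, Member | Developer | No | No | No | No |
| Audit logs | Yes | No | No | No | No | No | No |
| AI model access controls | Yes | No | Yes | No | No | No | No |
| App policies | Yes | No | Yes | No | No | No | No |
| Permission groups (Custom User Roles) | Yes | No | Yes | No | No | No | No |
| Organization credentials | Yes | Yes | No | No | No | No | No |
| Org analytics, usage, data export | Yes | Yes | No | No | Yes | No | No |
| Manage templates | Yes | Yes | No | No | No | Yes | No |
| Create agents, skills, flowbooks, custom operators | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Create teams | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Gumstack access (with Gumstack) | Yes | No | Yes | Yes | No | No | No |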
Team Admin can assign Team Admin and Team Member inside the team. Team Member is implicit and has read access to team content.
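
The following is an added example, not Gumloop code: it encodes the Role Comparison table as data and supports the quarterly review recommended under Best practices by finding roles that add nothing to a member's effective permissions at the table's granularity. The capability labels, function names, and sample members are assumptions made for this sketch, and assign rights are assumed to follow the same union rule as other permissions.

```python
# Added sketch: capability labels are made up for illustration, not Gumloop
# permission identifiers. Grants follow the Role Comparison table's rows.
BASE = {"create_content", "create_teams"}  # implicit Member baseline
GRANTS = {
    "member": set(),
    "analytics": {"analytics"},
    "templates": {"templates"},
    "developer": {"gumstack"},
    "security": {"model_access", "app_policies", "permission_groups", "gumstack"},
    "manager": {"members", "org_credentials", "analytics", "templates"},
}
GRANTS["admin"] = set().union(*GRANTS.values()) | {
    "billing", "sso", "audit_logs", "team_access"}
ASSIGNS = {  # "Assign roles" row; Admin is listed as "All"
    "admin": set(GRANTS),
    "manager": {"analytics", "templates", "member"},
    "security": {"developer"},
}

def effective(roles):
    """Union of every held role's grants plus the implicit Member baseline."""
    return BASE.union(*(GRANTS[r] for r in roles))

def can_assign(grantor_roles, role):
    """True if any role the grantor holds may hand out `role`."""
    return any(role in ASSIGNS.get(r, ()) for r in grantor_roles)

def redundant(roles):
    """Held roles whose removal changes neither capabilities nor assign rights."""
    found = []
    for r in roles:
        rest = [x for x in roles if x != r]
        same_caps = effective(rest) == effective(roles)
        same_assign = all(can_assign(rest, t) == can_assign(roles, t) for t in GRANTS)
        if same_caps and same_assign:
            found.append(r)
    return sorted(found)

def review(members):
    """Per member: roles that add nothing, and high-authority roles held."""
    return {user: {"redundant": redundant(roles),
                   "high_authority": sorted(set(roles) & {"admin", "manager"})}
            for user, roles in members.items()}

# Constructed sample export (not real data).
SAMPLE = {
    "ana@example.com": ["manager", "analytics"],
    "raj@example.com": ["security", "developer"],
    "lee@example.com": ["analytics", "templates"],
}
```

A role flagged as redundant here may still differ in detail the table does not show, so confirm against the per-role sections before revoking it.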

Custom User Roles

Permission groups that restrict what composable roles grant.

App Policies

Allow or block specific apps for users.

AI Model Access Controls

Restrict which AI models users can call.

Audit Logging

Track every administrative action.

Teams

Group users and content for shared access.