Roles and Permissions

The four Agent Studio roles, the two permission axes behind them, and what each role can do.
View as Markdown

Agent Studio uses two permission axes: editing and runtime. The UI bundles common combinations into four roles, so you can grant access in one step.

This page covers the roles and the permissions behind them.

Per-asset roles are different from workspace roles

This page covers per-asset roles, which control access to individual assets and folders. Workspace roles, such as Agent Studio Admin and Agent Studio Developer, control org-wide Agent Studio access. The per-asset Developer role and the workspace Agent Studio Developer role are not the same thing. For workspace roles, see Manage roles and permissions for Moveworks applications.

The Four Roles

When you grant access to an asset or folder, choose one of four roles.

RoleWhat it grantsTypical use
ManagerFull control: run, edit, and manage accessThe asset owner or a folder administrator
DeveloperBuild, edit, and test the assetAn active builder working on the asset
OperatorRun and reference the asset, but not edit itA consumer who runs or depends on the asset without modifying it
ViewerRead-onlyA read-only observer
Asset access role picker listing Manager, Developer, Operator, and Viewer roles
The role picker shown when granting access to an asset, listing Manager, Developer, Operator, and Viewer.

The Two Permission Axes

Each role maps to editing access, runtime access, or both.

Editing Axis (Authorship)

The editing axis controls who can read and change an asset’s configuration and logic. Each level includes the levels below it:

View < Edit < Manage

  • View: see the asset’s definition and metadata.
  • Edit: modify the asset’s configuration and logic, publish it, and move it between folders.
  • Manage: everything in Edit, plus delete the asset and change who can access it.

Runtime Axis (Execution)

The runtime axis is a single permission:

  • Use: run the asset, test it, view its execution logs, and reference it from another asset.

Use controls both build-time selection and runtime execution. Without it, you cannot pick the asset in a dropdown, run it, or test anything that would execute it.

Why the Axes Are Independent

Editing and runtime answer different questions. Having one does not imply the other.

For example, a developer can have Edit on a Workday HTTP action. They can read and change the action’s logic, but they cannot run it unless they also have Use on the action and the underlying Workday connector.

Teams can let more developers build while limiting execution to the right people.

Use is developer execution, not end-user access

Use decides whether a developer can run or test an asset while building. It does not control which employees can use a published plugin. For that, use End-User Access Control.

How Roles Map to Axes

RoleEditingRuntime
ManagerManageUse
DeveloperEditUse
OperatorViewUse
ViewerViewNone

Permission Matrix

The table below shows what each role can do on a single asset.

ActionViewerOperatorDeveloperManager
View asset definition and metadata
See the asset name for reference
Test or run the asset
Reference the asset in another asset
View execution logs and analytics
Modify asset configuration and logic
Publish the asset
Launch a plugin to users
Move the asset into a folder
Export or import the asset
Delete the asset
Change the asset’s access and sharing

Logs and analytics follow the Use permission. If you can execute an asset, you can see its execution data. Every user also needs a workspace-level Agent Studio role before per-asset permissions apply.

What a Manager Can Do That a Developer Can’t

Both roles can edit, publish, run, and reference an asset. Only a Manager can govern the asset itself:

  • Delete the asset.
  • Change its access and sharing.

To grant someone access to an asset, you need Manager on that asset. An admin can also grant access.