Braintrust provides flexible access control at organization, project, and object levels. Use permission groups to grant users specific permissions across resources.

Built-in permission groups

Braintrust provides built-in permission groups for managing team access:
  • Owners: Full access to organization, data, and settings. Can invite/remove members, manage permissions, and delete resources. Permissions cascade to all projects.
  • Engineers: Can create, read, update, and delete projects and resources. Cannot manage members or access controls. Permissions cascade to all projects.
  • Viewers: Read-only access to all projects and resources. Cannot create, update, or delete anything. Permissions cascade to all projects.
These groups are scoped to the entire organization and cannot be deleted. Assign users to built-in groups when inviting them or from Settings > Members.
Starter plan includes the Owners group only. Pro and Enterprise plans include all built-in groups.

Create custom permission groups

Custom permission groups are only available on the Enterprise plan.
Build groups with specific permissions:
  1. Go to Settings > Organization > Permission groups.
  2. Click Create permission group.
  3. Enter group name and description.
  4. Click Create.
After creating a group, configure its permissions.

Set organization permissions

Grant organization-level permissions to custom groups:
  1. Find the group in the permission groups list.
  2. Click Permissions.
  3. Select organization-level permissions:
    • Manage settings: Change organization configuration.
    • Manage members: Invite users.
    • Remove members: Remove users (organizations must have at least one member).
    • Manage access: Grant and revoke permissions (super-user ability).
  4. Select permissions for all projects:
    • Read: View all projects and their resources.
    • Create: Create experiments, logs, datasets in all projects.
    • Update: Modify existing resources in all projects.
    • Delete: Remove resources from all projects.
    • Manage access: Grant permissions on all projects.
  5. Click Save.
Manage access is a super-user permission. Users with this permission can grant themselves any other permission. Assign it carefully.
Manage settings grants users the ability to change organization-level settings like the API URL.

Set project permissions

Limit group access for a specific project, including object-level permissions:
  1. Create a custom permission group.
  2. In your project, go to Settings > Project > Project permissions.
  3. Search for your group.
  4. Click the pencil icon next to the group.
  5. Select project permissions:
    • Read: View project and its resources.
    • Create: Create experiments, logs, datasets.
    • Update: Modify existing resources.
    • Delete: Remove resources.
    • Manage access: Grant permissions on this project.
  6. Select object-level permissions for experiments, datasets, logs, prompts, and playgrounds:
    • Create: Create the object.
    • Read: View the object.
    • Update: Modify the object.
    • Delete: Remove the object.
    • Manage access: Grant permissions on this object.
  7. Click Save.
Users must have Read permission on a project to see it in the UI.

Manage group membership

Add or remove users from permission groups:
  1. Go to Settings > Organization > Permission groups.
  2. Find the group in the permission groups list.
  3. Click Members.
  4. To add: Search for users and click +.
  5. To remove: Click the x next to a user’s name.
Users can belong to multiple permission groups. Their effective permissions are the union of all group permissions.
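
The union rule above, combined with the earlier warning about Manage access, means one extra group membership can change what a user is able to do. The following is an added example, not Braintrust code: it audits a constructed membership export, and the data layout, permission strings, group names, and users are all hypothetical.

```python
# Added example: audit effective permissions from a constructed membership export.
# The layout and permission strings are hypothetical, not Braintrust's API schema.

# Permission group -> permissions it grants (constructed sample).
GROUP_PERMISSIONS = {
    "Viewers": {"project:read"},
    "Eval authors": {"project:read", "project:create", "project:update"},
    "Access admins": {"org:manage_access"},
}

# User -> permission groups they belong to (constructed sample).
MEMBERSHIPS = {
    "alice@example.com": ["Viewers"],
    "bob@example.com": ["Viewers", "Eval authors"],
    "carol@example.com": ["Viewers", "Access admins"],
}

# Manage access permissions; the organization-level one is the super-user ability.
ESCALATION_PERMISSIONS = {"org:manage_access", "project:manage_access"}


def effective_permissions(user, memberships, group_permissions):
    """Union of the permissions of every group the user belongs to."""
    perms = set()
    for group in memberships.get(user, []):
        if group not in group_permissions:
            raise KeyError(f"unknown group {group!r} for {user}")
        perms |= group_permissions[group]
    return perms


def audit(memberships, group_permissions):
    """Per user: effective permissions and the groups that confer Manage access."""
    report = {}
    for user, groups in memberships.items():
        via = sorted(g for g in groups
                     if group_permissions.get(g, set()) & ESCALATION_PERMISSIONS)
        report[user] = {
            "effective": sorted(effective_permissions(user, memberships, group_permissions)),
            "escalation_via": via,
        }
    return report


if __name__ == "__main__":
    for user, entry in audit(MEMBERSHIPS, GROUP_PERMISSIONS).items():
        flag = "  <-- holds Manage access" if entry["escalation_via"] else ""
        print(f"{user}: {entry['effective']}{flag}")
```

The `escalation_via` field names the membership to revisit when a user should not hold Manage access.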

Use service accounts

Service accounts provide credentials for system integrations:
  1. Go to Settings > Organization > Service tokens.
  2. Click + Service token.
  3. Enter service account name.
  4. Assign permission groups or grant specific permissions.
  5. Click Create.
  6. Copy and save the auto-generated service token somewhere safe and accessible. For security reasons, you will not be able to view it again. If you lose the service token, you must create a new one.
  7. Use the token like an API key in SDK or API calls.
Service accounts are not tied to individual users. They maintain access even when team members leave.
Only organization owners can create and manage service accounts.
For hybrid deployments, you must configure a service token for the data plane to enable features like data retention. See Data plane manager for more details.

Programmatic access control

To automate the creation of permission groups and their access control rules, use the Braintrust API. See the API reference for groups and permissions.
