Roles — Understanding Permissions in TraptureIQ
Every user in your workspace is assigned exactly one role. The role determines which platform sections and actions the user can access. This page provides a complete breakdown of both roles.
Tenant Admin — Full Control
The Tenant Admin is the "power user" who manages the workspace. You become a Tenant Admin automatically when you create a workspace, and you can promote other users to Admin.
What Tenant Admins Can Do:
| Category | Capabilities |
|---|---|
| Agent Management | Register, edit, deactivate, and delete agents |
| User Management | Invite users, change roles, disable/delete accounts, configure section access |
| Security | Enable/disable AgentGuard, configure firewalls, monitor safety events |
| Billing | Manage subscription, view payment history, generate API keys |
| All Platform Sections | Access every module without restriction |
Admin-Only Sections (only visible to Admins — cannot be granted to Tenant Users):
| Section | What It Does |
|---|---|
| Admin & Access Management | Agent dashboard, user management, agent access control, permission matrix, settings |
| Analytics | Usage dashboards — request volume, latency, error rates, tool usage |
| Cost Control | Token usage and LLM cost tracking per agent/user/session |
| AgentGuard | AI safety guardrails — firewalls, PII detection, content safety monitoring |
| Intelligence | Agent reasoning insights and behavior patterns |
Tenant User — Configurable Access
The standard role for everyday use. Tenant Users can only access sections that a Tenant Admin has explicitly enabled for them.
Configurable Sections (enabled/disabled per user by an Admin — all enabled by default):
| Section | What It Does |
|---|---|
| Agents | Browse and chat with assigned agents |
| Traces | View agent execution traces and user journeys |
| Logs | View system and agent logs |
| Eval | Run custom, security, and load test evaluations |
| Session | View chat session history and statistics |
| Prompts | Create and manage versioned prompt templates |
| MCP Debug | Debug MCP integrations and test MCP tools |
Always-Accessible Section (visible to all users, no configuration needed):
| Section | What It Does |
|---|---|
| Analyser | Token counting and cost estimation tool |
Admin-Only Sections (Tenant Users cannot access these regardless of configuration):
| Section | What It Does |
|---|---|
| Admin & Access Management | User management, settings, and permissions |
| Analytics | Usage and performance dashboards |
| Cost Control | Token cost monitoring |
| AgentGuard | AI safety guardrails and monitoring |
| Intelligence | Agent reasoning insights and behavior patterns |
Role Comparison Table
| Capability | Tenant Admin | Tenant User |
|---|---|---|
| Chat with assigned agents | Yes | Yes |
| View own session history | Yes | Yes |
| Use Analyser | Yes | Yes |
| Access configurable sections (Agents, Traces, Logs, Eval, Session, Prompts, MCP Debug) | All | Per-user toggle |
| Access admin-only sections (Analytics, Cost Control, AgentGuard, Intelligence) | Yes | No |
| Register/edit/delete agents | Yes | No |
| Invite/manage users | Yes | No |
| Change user roles | Yes | No |
| Configure billing & subscription | Yes | No |
| Set section access for users | Yes | No |
| Configure per-agent user access | Yes | No |
| Manage API keys | Yes | No |
| Enable/disable AgentGuard | Yes | No |
| Configure firewall rules | Yes | No |
Choosing the Right Role
| Scenario | Recommended Role |
|---|---|
| Team lead who manages agents and users | Tenant Admin |
| Developer who needs to debug and test agents | Tenant User with Traces, Logs, Eval, MCP Debug enabled |
| Business user who only chats with agents | Tenant User with Agents and Session enabled |
| Security engineer who monitors safety | Tenant Admin (needs AgentGuard access) |
| External contractor with limited access | Tenant User with minimal sections + specific agent access |
| Data analyst reviewing usage patterns | Tenant Admin (needs Analytics and Cost Control) |
Tips for Beginners
- Every workspace needs at least one Tenant Admin — without one, no one can manage users or agents.
- Start restrictive, then open up — Give new users the Tenant User role with minimal sections. Add access as they need it.
- Admin is powerful — Admins can manage billing, delete users, and access all data. Only promote users you trust.
- Role changes are instant — When you change someone's role, the effect is immediate on their next page load.