Skip to main content
Commons uses a two-tier permission system: organization-level roles that govern overall access, and workspace-level roles that control what users can do within specific workspaces.

Organization Roles

Every user in your organization has one of three roles that determine their baseline permissions.
RoleInvite UsersCreate Workspaces & FoldersWorkspace AccessView Activity Logs
AdministratorYes, at any role level.Yes.Full access to all workspaces (public and private).All organization activity logs.
ManagerYes, as Manager or Member only.Yes.Can join any public workspace; must be invited to private ones.Logs from workspaces they’re members of.
MemberNo.No.Can join any public workspace; must be invited to private ones.Logs from workspaces they’re members of.
Aditionally, one administrator holds the Billing Manager role, which grants them control over billing and subscription settings. By default, this is the organization creator. This role can be transferred to another administrator at any time. Activity logs include events like integrations being connected and generic data access fingerprints (which app’s tools were used and when). Every user also has private invocation logs for each Agent Key with detailed records of tool inputs & outputs — only they can see their own invocation logs. See the Logging page for more details.

Workspace Roles

Within each workspace, users have one of two roles. Note that workspace roles are independent of organization roles — even an organization member can be a workspace owner.
RoleModify SettingsCreate IntegrationsConnect to Per-User Integrations
OwnerYes.Yes.Yes.
MemberNo.No.Yes.
Note: Organization administrators always have full access to all workspaces regardless of their workspace role. They can modify settings and create integrations even if they’re only listed as a workspace member.