Role-based Access Control
Managing user permissions and roles within your organization
Overview
Conexor uses a simple role-based access control system with two roles: Admin and Member. Each organization manages its own users and permissions.
Roles
Admin
Full access to all organization resources
- Manage all agents, data sources, tools, and servers
- Invite and remove team members
- Change user roles
- Access billing and subscription settings
- View audit logs
- Configure organization settings
Member
Standard access to organization resources
- View all agents, data sources, tools, and servers
- Create and edit tools
- Create and configure MCP servers
- View usage statistics
- Cannot manage users or billing
Managing Users
Admins can manage users from the Users page in the dashboard:
- Invite users - Send invitations by email
- Change roles - Promote to Admin or demote to Member
- Reset passwords - Reset a user's password
- Remove users - Remove access from the organization
INFO: Every organization must have at least one Admin. You cannot remove the last Admin.
Multi-tenancy
Each organization is completely isolated from others. Users can only access resources within their own organization. This is enforced at the database level with organization_id filtering on all queries.
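The organization_id filtering and the last-Admin rule described above, sketched as an added example that is not Conexor's own code. The schema, TenantRepo, LastAdminError and demo_db are hypothetical names, and SQLite stands in for whatever database Conexor uses.

```python
import sqlite3

# Hypothetical schema: only the organization_id column name comes from the page.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, organization_id INTEGER NOT NULL,
                    role TEXT NOT NULL CHECK (role IN ('admin', 'member')));
CREATE TABLE agents (id INTEGER PRIMARY KEY, organization_id INTEGER NOT NULL, name TEXT);
"""

class LastAdminError(Exception):
    """An operation would leave the organization without an Admin."""

class TenantRepo:
    """Data access bound to one organization; every statement filters on organization_id."""
    def __init__(self, db, organization_id):
        self.db, self.org = db, organization_id

    def get_agent(self, agent_id):
        # The id alone is never enough: a row owned by another tenant yields None.
        return self.db.execute(
            "SELECT id, name FROM agents WHERE id = ? AND organization_id = ?",
            (agent_id, self.org)).fetchone()

    def remove_user(self, user_id):
        with self.db:  # commits on success, rolls back if an exception escapes
            row = self.db.execute(
                "SELECT role FROM users WHERE id = ? AND organization_id = ?",
                (user_id, self.org)).fetchone()
            if row is None:
                return False  # unknown id, or a user of another organization
            admins = self.db.execute(
                "SELECT COUNT(*) FROM users WHERE organization_id = ? AND role = 'admin'",
                (self.org,)).fetchone()[0]
            if row[0] == "admin" and admins <= 1:
                raise LastAdminError("cannot remove the last Admin")
            self.db.execute("DELETE FROM users WHERE id = ? AND organization_id = ?",
                            (user_id, self.org))
            return True

def demo_db():
    """Constructed sample data: organizations 1 and 2."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, 1, "admin"), (2, 1, "member"), (3, 2, "admin")])
    db.executemany("INSERT INTO agents VALUES (?, ?, ?)",
                   [(10, 1, "org1-agent"), (20, 2, "org2-agent")])
    db.commit()
    return db
```

Binding the organization to the repository object, rather than passing it per call, means a handler cannot forget the filter on an individual query.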
API Keys vs Users
API keys have their own permission model:
- Agent API keys - Can only execute queries on assigned data sources
- MCP Server API keys - Can only call tools assigned to that server
- OAuth clients - Permissions defined by granted scopes