Access control

Braintrust provides flexible access control at organization, project, and object levels. Use permission groups to grant users specific permissions across resources.

​

Built-in permission groups

Every organization starts with three permission groups:

• Owners: Full access to organization, data, and settings. Can invite/remove members, manage permissions, and delete resources
• Engineers: Can create, read, update, and delete projects and resources. Cannot manage members or access controls
• Viewers: Read-only access to projects and resources. Cannot create, update, or delete anything

These groups are scoped to the entire organization. Assign users to built-in groups when inviting them or from Settings > Members.

​

Create custom permission groups

Build groups with specific permissions:

1. Go to Settings > Organization > Permission groups.
2. Click Create permission group.
3. Enter group name and description.
4. Click Create.

After creating a group, configure its permissions.

​

Set organization permissions

Grant organization-level permissions to custom groups:

1. Find the group in the permission groups list.
2. Click Permissions.
3. Select organization-level permissions:
   • Manage settings: Change organization configuration.
   • Manage members: Invite users.
   • Remove members: Remove users.
   • Manage access: Grant and revoke permissions (super-user ability).
4. Select permissions for all projects:
   • Read: View projects and their resources.
   • Create: Create experiments, logs, datasets.
   • Update: Modify existing resources.
   • Delete: Remove resources.
   • Manage access: Grant permissions on projects.
5. Click Save.

​

Set project permissions

Limit group access for a specific project, including object-level permissions:

1. Create a custom permission group.
2. In your project, go to Settings > Project > Project permissions.
3. Search for your group.
4. Click the pencil icon next to the group.
5. Select project permissions:
   • Read: View project and its resources.
   • Create: Create experiments, logs, datasets.
   • Update: Modify existing resources.
   • Delete: Remove resources.
   • Manage access: Grant permissions on this project.
6. Select object-level permissions for experiments, datasets, logs, prompts, and playgrounds:
   • Create: Create the object.
   • Read: View the object.
   • Update: Modify the object.
   • Delete: Remove the object.
   • Manage access: Grant permissions on this object.
7. Click Save.

Users must have Read permission on a project to see it in the UI.

​

Manage group membership

Add or remove users from permission groups:

1. Go to Settings > Organization > Permission groups.
2. Find the group in the permission groups list.
3. Click Group access.
4. Click Users.
5. To add: Search for users and click Add.
6. To remove: Click the X next to a user’s name.

Users can belong to multiple permission groups. Their effective permissions are the union of all group permissions.

​

Use service accounts

Service accounts provide credentials for system integrations:

1. Go to Settings > Organization > Service tokens.
2. Click + Service token.
3. Enter service account name.
4. Assign permission groups or grant specific permissions.
5. Click Create.
6. Copy and save the auto-generated service token somewhere safe and accessible. For security reasons, you will not be able to view it again. If you lose the service token, you must create a new one.
7. Use the token like an API key in SDK or API calls.

Service accounts are not tied to individual users. They maintain access even when team members leave.

​

Programmatic access control

To automate the creation of permission groups and their access control rules, use the Braintrust API. See the API reference for groups and permissions.

​

Next steps

• Manage organizations to invite members and assign groups
• Manage projects to configure project-level permissions
• Set up automations with service accounts
• API reference for programmatic access control