> ## Documentation Index
> Fetch the complete documentation index at: https://braintrust.dev/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Provision service account access with permission groups

export const plans_0 = "Any"

export const deployments_0 = "Any"

export const data_plane_version_0 = undefined

export const use_case_0 = "Use case - Understanding where roles live in the UI and how to provision service account access to specific projects using permission groups and service tokens"

<Note>
  **Applies to:**

  * Plan - {plans_0}
  * Deployment - {deployments_0}
  * {data_plane_version_0}
  * {use_case_0}
</Note>

## Summary

**Goal:** Find and configure role-based access control in the Braintrust UI.

**Features:** Permission groups, service tokens, project-scoped access, Members page.

## Configuration steps

### Step 1: Locate permission groups

In Braintrust, "roles" are called **Permission groups**. Navigate to **Settings → Organization → Permission groups**.

Built-in groups: **Owners**, **Engineers**, **Viewers**. Custom groups appear on the same page.

### Step 2: View user group assignments

To see which groups are assigned to users, go to **Settings → Organization → Members**.

### Step 3: Create a permission group for a service token

Before creating a service token, create a permission group scoped to the target projects.

1. Go to **Settings → Organization → Permission groups**
2. Create a new group and set project-level permissions

> A global permission group grants global access. A project-scoped group restricts the token to those projects only.

### Step 4: Create a service token and attach the group

1. Go to **Settings → Organization → Permission groups → Service tokens**
2. Create a service token and attach it to the permission group created in Step 3

The token inherits all permissions from its assigned group.

### Step 5: Add a service account directly to a project (optional)

You can also add a service account directly to a project via the project settings UI. The service token must still be attached to a permission group for proper scoping.

## Reference

* [Access control documentation](https://www.braintrust.dev/docs/admin/access-control)
