Roles Overview

ZeroTwo uses role-based access control (RBAC) to manage what team members can do within projects. Each role has specific permissions that balance collaboration with security.
Roles apply at the project level. A user can have different roles in different projects.

Default Roles

ZeroTwo provides four built-in roles with predefined permissions.
Full project control
The project creator automatically becomes the Owner.
Permissions:
  • ✅ All Admin permissions
  • ✅ Transfer ownership
  • ✅ Delete project
  • ✅ Change project billing
  • ✅ Cannot be removed from project
Best for: Project creator, primary stakeholder
Each project has exactly one Owner. Ownership can be transferred to another Admin.

Guest Role (Enterprise)

Temporary external access
Guest role is available on Team and Enterprise plans for external collaboration.
Guest capabilities:
  • 👀 View specific conversations (assigned by Admin)
  • 💬 Comment on assigned conversations (if enabled)
  • 📥 Download specific files (if allowed)
  • ⏱️ Time-limited access (expires automatically)
Guest restrictions:
  • ❌ Cannot see full project
  • ❌ Cannot create new conversations
  • ❌ Cannot access other project resources
  • ❌ Cannot use AI models directly
  • ❌ No access after expiration
Best for: Clients, contractors, external reviewers

Permissions Matrix

Complete breakdown of what each role can do.
Permission | Owner | Admin | Editor | Viewer | Guest
Content
View conversations | Limited
Create conversations
Edit own conversations
Edit others’ conversations
Delete own conversations
Delete others’ conversations
Comment on conversations | Optional | Optional
Files
View files | Limited
Upload files
Delete own files
Delete others’ files
Download files | Limited
Organization
Create folders
Rename folders
Delete folders
Move conversations
Tools & AI
Use AI models
Use Canvas
Use Web Search
Use Code Interpreter
Use integrations
Assistants
Use project assistants
Create assistants
Edit assistants
Delete assistants
Sharing
Share conversations | Optional
Share files | Optional
Generate share links | Optional
Team Management
View members
Invite members
Remove members
Change member roles
Invite guests
Project Settings
View settings | Limited | Limited
Edit project details
Configure tools
Custom instructions
Manage integrations
Privacy settings
Archive project
Delete project
Transfer ownership
Billing
View billing
Manage billing

Assigning Roles

How to set roles for team members.

When Inviting New Members

1. Open invite dialog
Click Invite Members in the project settings or members panel

2. Enter email addresses
Add one or more email addresses (comma-separated)

3. Select role
Choose the appropriate role from the dropdown:
  • Admin - For project managers
  • Editor - For active contributors (default)
  • Viewer - For observers
  • Guest - For temporary external access

4. Add optional message
Include a personal message with the invitation
Welcome to the Marketing Campaign project! This will be our main
workspace for Q1 initiatives.

5. Send invitation
Click Send Invites to notify team members

Changing Existing Member Roles

1. Open members panel
Go to Project Settings > Members or click the members icon in the header

2. Find the member
Locate the team member whose role you want to change

3. Click role dropdown
Click the current role badge next to their name

4. Select new role
Choose the new role from the dropdown
Role changes take effect immediately. The member will be notified of the change.

5. Confirm change
Click Update Role to apply
The member’s permissions are updated instantly.

Custom Roles (Enterprise)

Create roles tailored to your organization’s needs.
Custom roles are available on Enterprise plans only.

Creating Custom Roles

1. Open role management
Organization Settings > Roles & Permissions

2. Click Create Custom Role
Click + New Custom Role

3. Name and describe
Role Name: Content Reviewer
Description: Can view and comment on content but not create new conversations

4. Configure permissions
Select specific permissions:
Content Permissions:
  • ✅ View conversations
  • ✅ Comment on conversations
  • ❌ Create conversations
  • ❌ Edit conversations
File Permissions:
  • ✅ View files
  • ✅ Download files
  • ❌ Upload files
  • ❌ Delete files
Other Permissions:
  • ✅ View members
  • ❌ Manage settings

5. Save and apply
Save the custom role - it’s now available when inviting or updating members

Example Custom Roles

Purpose: Review and provide feedback without creating content
Permissions:
  • View all content
  • Comment and suggest edits
  • Download files
  • No creation or deletion
Use case: Content approval workflow, quality assurance
Purpose: Create content with restricted capabilities
Permissions:
  • Create and edit own conversations
  • Upload files
  • Use basic tools only (no integrations)
  • Cannot delete
Use case: Junior team members, interns, contractors
Purpose: Manage connections without full admin access
Permissions:
  • Configure integrations
  • Manage API keys
  • View all content
  • Cannot manage members or billing
Use case: Technical leads, DevOps team members
Purpose: Design and manage AI assistants
Permissions:
  • Create and edit assistants
  • Test assistant configurations
  • View usage analytics
  • Cannot manage project settings
Use case: Prompt engineers, AI specialists

Permission Scopes

Understanding how permissions work in different contexts.

Project-Level Permissions

Apply to all content within the project:
  • Conversations
  • Files
  • Folders
  • Assistants
  • Settings
Example: An Editor can create conversations anywhere in the project.

Content-Level Permissions

Apply to specific conversations or files:
  • Own content: Full control over your own creations
  • Others’ content: Limited by role (Editors can’t edit others’ work)
  • Shared content: Permissions set by sharer
Example: Editor can edit their own conversations but not others’.

Tool-Level Permissions

Control access to specific features:
  • AI models
  • Canvas
  • Web search
  • Code interpreter
  • Integrations
Configuration: Project Settings > Tools & Features

Organization-Level Permissions (Enterprise)

Apply across all projects in the organization:
  • User management
  • Billing and subscriptions
  • Organization settings
  • SSO configuration
  • Audit logs
Managed by: Organization Admins

Access Control Best Practices

Start restrictive, expand as needed:
Do:
  • Start with Viewer role for new members
  • Grant Editor only when needed
  • Limit Admin role to essential members
  • Regular audit of permissions
Don’t:
  • Give everyone Admin access
  • Leave default roles too permissive
  • Forget to review access regularly
Most team members need only Editor access for day-to-day work.
Match roles to responsibilities:
Owners (1 per project):
  • Project sponsor
  • Department head
  • Primary stakeholder
Admins (2-3 per project):
  • Project manager
  • Team lead
  • Technical lead
Editors (most of team):
  • Developers
  • Designers
  • Content creators
  • Regular contributors
Viewers (as needed):
  • Stakeholders
  • Other departments
  • Executives reviewing progress
Guests (temporary):
  • Clients
  • External consultants
  • One-off reviewers
Monthly review checklist:
  • Remove inactive members
  • Verify Guest access hasn’t expired
  • Check if any Viewers should be upgraded
  • Ensure Admins are still appropriate
  • Review custom role usage (Enterprise)
  • Update access based on role changes
Quarterly deep review:
  • Comprehensive access audit
  • Permission alignment with org structure
  • Update access policies
  • Document changes
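The monthly checklist above can be run as a script over a member export. This is an added example, not ZeroTwo code: the export format, field names, sample members and the 90-day inactivity threshold are all assumptions.

```python
from datetime import date, timedelta

INACTIVE_AFTER = timedelta(days=90)  # assumption: the page sets no threshold
MAX_ADMINS = 3                       # page guidance: 2-3 Admins per project
SAMPLE_TODAY = date(2025, 3, 10)     # constructed review date

def member(email, role, last_active, expires=None):
    return {"email": email, "role": role,
            "last_active": last_active, "expires": expires}

# Constructed member export; field names are hypothetical.
MEMBERS = [
    member("ana@example.com", "Owner", date(2025, 3, 1)),
    member("ben@example.com", "Admin", date(2025, 3, 5)),
    member("cy@example.com", "Admin", date(2025, 2, 20)),
    member("dee@example.com", "Admin", date(2025, 3, 2)),
    member("eli@example.com", "Admin", date(2024, 11, 1)),
    member("fay@example.com", "Editor", date(2025, 3, 9)),
    member("g1@client.example", "Guest", date(2025, 2, 1), date(2025, 2, 15)),
    member("g2@client.example", "Guest", date(2025, 3, 8)),
]

def audit(members, today):
    """Return (finding, detail) pairs for the monthly review."""
    findings = []
    roles = [m["role"] for m in members]
    if roles.count("Owner") != 1:          # each project has exactly one Owner
        findings.append(("owner-count", str(roles.count("Owner"))))
    if roles.count("Admin") > MAX_ADMINS:  # limit Admin to essential members
        findings.append(("admin-count", str(roles.count("Admin"))))
    for m in members:
        if today - m["last_active"] > INACTIVE_AFTER:
            findings.append(("inactive", m["email"]))
        if m["role"] == "Guest":
            if m["expires"] is None:       # Guest access should be time-limited
                findings.append(("guest-no-expiry", m["email"]))
            elif m["expires"] < today:     # expired Guest still on the list
                findings.append(("guest-still-listed-after-expiry", m["email"]))
    return findings

if __name__ == "__main__":
    for kind, detail in audit(MEMBERS, SAMPLE_TODAY):
        print(f"{kind:32} {detail}")
```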
For confidential projects:
  1. Strict member list: Only essential team members
  2. No Guests: Disable guest access entirely
  3. Limited sharing: Disable external sharing
  4. Admin approval: Require Admin approval for new members
  5. Audit logging: Enable comprehensive logs (Enterprise)
  6. Two-factor: Require 2FA for all members
Settings: Project Settings > Privacy & Security

Permission Conflicts

Resolving permission issues and conflicts.

Inheritance and Precedence

Permission hierarchy (most restrictive wins):
  1. Organization policy (Enterprise)
  2. Project settings
  3. Role permissions
  4. Content-specific permissions
Example:
Organization: Sharing disabled globally
Project: Sharing enabled
User Role: Editor (can share)

Result: User CANNOT share (org policy overrides)
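The "most restrictive wins" rule can be modeled as a walk over the four layers that stops at the first explicit deny. This is an added example, not ZeroTwo's implementation: the policy dictionaries, permission names and the default-deny behaviour when no layer grants are assumptions.

```python
from typing import NamedTuple, Optional

# Precedence order from the page, highest first.
LAYERS = ("organization", "project", "role", "content")

class Decision(NamedTuple):
    allowed: bool
    decided_by: str  # layer that denied, or the first layer that granted

def resolve(permission: str, policies: dict) -> Decision:
    """Most restrictive wins: one explicit False denies, whatever other layers say.

    policies maps layer -> {permission: True | False}; a missing key means the
    layer is silent. Denying when no layer grants is an assumption of this example.
    """
    granted_by: Optional[str] = None
    for layer in LAYERS:
        setting = policies.get(layer, {}).get(permission)
        if setting is False:
            return Decision(False, layer)
        if setting is True and granted_by is None:
            granted_by = layer
    if granted_by is None:
        return Decision(False, "default-deny")
    return Decision(True, granted_by)

# The page's example: org disables sharing, project and Editor role allow it.
PAGE_EXAMPLE = {
    "organization": {"share": False},
    "project": {"share": True},
    "role": {"share": True},
}

# Constructed variant: org is silent, but one conversation is locked.
LOCKED_CONTENT = {
    "project": {"edit": True},
    "role": {"edit": True},
    "content": {"edit": False},
}

if __name__ == "__main__":
    print(resolve("share", PAGE_EXAMPLE))
    print(resolve("edit", LOCKED_CONTENT))
    print(resolve("delete", LOCKED_CONTENT))
```

Returning the deciding layer tells an Admin where to look when a member reports a blocked action.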

Common Permission Scenarios

Possible reasons:
  • Conversation created by another user (and you’re not Admin)
  • Project is archived
  • Your role was downgraded
  • Content is locked by Admin
Check:
  • Your current role
  • Conversation owner
  • Project status
  • Ask Admin for clarification

Security and Compliance

Permission-related security features.

Audit Logs (Enterprise)

Track all permission changes and access:
Logged events:
  • Role changes
  • Member additions/removals
  • Permission grants/revocations
  • Failed access attempts
  • Sensitive actions
Access logs: Organization Settings > Security > Audit Logs

Two-Factor Authentication

Require 2FA for specific roles:
Configuration:
  • All members: Organization-wide requirement
  • Admins only: Admin/Owner 2FA required
  • Sensitive projects: Project-level 2FA requirement
Setup: Organization Settings > Security > 2FA Policy

Session Management

Control how long sessions remain active:
Settings:
  • Session timeout: Auto-logout after inactivity
  • Maximum session duration: Hard session limit
  • Device management: See and revoke active sessions

Next Steps

Proper role management ensures secure collaboration while enabling team productivity!