Roles & Permissions
Control what users can access and do in Hublvu.
Permission Model
Hublvu uses role-based access control (RBAC):
- Roles define sets of permissions
- Users are assigned roles directly or through groups
- Groups can have roles assigned, inherited by all members
Built-in Roles
| Role | Description |
|---|---|
| Viewer | Read-only access to flows, guides, runs, and insights |
| User | Standard access; can create and run flows and guides |
| Power User | Extended access; can configure knowledge and settings |
| Admin | Full access to all features including user management |
Role Capabilities
Viewer
- View flows, guides, and runs
- View insights
- Access chat (read-only responses)
- View knowledge
User
- Everything Viewer can do, plus:
- Create and edit personal flows and guides
- Run flows and guides
- Create insights
- Upload knowledge (if enabled)
Power User
- Everything User can do, plus:
- Manage team flows and guides
- Configure quick actions
- Manage knowledge base
- View analytics
Admin
- Everything Power User can do, plus:
- User and group management
- Security settings
- Audit logs
- System configuration
- Integration management
- Agent configuration
Assigning Roles
To Individual Users
- Go to User Management
- Select a user
- In user details, set the Role
- Save
Through Groups
- Go to Group Management
- Select or create a group
- Configure group permissions
- Add users to the group
Users inherit permissions from all groups they belong to.
Agent Access
Control which AI agents users can access.
What Are Agents
Hublvu has several built-in agents:
- Chat Agent — Conversational assistant
- Flow Agent — Executes flows
- Guide Agent — Runs guides
- Insight Agent — Creates data explorations
- Assistant Agent — Provides help
Configuring Agent Access
Agent access is controlled at the group level:
- Go to Group Management
- Open a group
- Go to Agent Access tab
- Enable/disable agents for this group
- Save
Users can only use agents their groups allow.
Tool Operations
Each agent has tool operations it can perform:
| Operation | Risk Level | Description |
|---|---|---|
| READ_DATA | Low | Read information from systems |
| WRITE_DATA | Medium | Create or modify data |
| EXECUTE_QUERIES | Medium | Run queries against systems |
| READ_LOGS | Low | Access log data |
| DELETE_DATA | High | Remove data |
| ADMIN_SYSTEM | High | Administrative operations |
Configure which operations each group can perform.
SSO Role Mapping
Map roles from your identity provider to Hublvu roles.
Why Map Roles
If you use SSO, your identity provider sends role information. Role mapping automatically assigns Hublvu roles based on external roles, eliminating manual role assignment.
Configuring Mappings
- Go to Role Mapping
- Click Add Mapping
- Configure:
- External role name (from your IdP)
- Hublvu role to assign
- Save
Multiple Mappings
You can create multiple mappings:
- Different external roles → Different Hublvu roles
- Multiple external roles → Same Hublvu role
Priority
If a user matches multiple mappings, they receive the highest-privilege role.
Viewing Effective Permissions
To see what a user can actually do:
- Go to User Management
- Select a user
- Click View Effective Permissions
This shows the combined permissions from:
- Direct role assignment
- Group memberships
- SSO role mappings
Best Practices
Assign new users the Viewer role initially. Upgrade as needed based on their responsibilities.
Create groups that match your team structure. Assign permissions to groups, then add team members.
Periodically review who has Admin and Power User access. Remove elevated permissions when no longer needed.
If you create custom permission configurations, document what each group is for and why it has specific permissions.
Related Topics
- User Management — Manage users and groups
- Security Settings — SSO configuration
- Agents — AI agent configuration