
Roles and permissions

Understand how access to agents and datasources is governed within elvex.

Updated yesterday

Overview

Your permissions in elvex are determined by four factors: your company-wide role, whether a resource is public or private, any specific access you've been granted to individual agents or datasources, and your membership in groups.

Quick Reference

  • Need to share with your whole company? → Set visibility to Public

  • Need to share with specific people? → Add them in Security & Permissions

  • Need to share with a team? → Create a group and share with the group

  • Need someone to help edit? → Give them Editor role

  • Can't see an agent you should have access to? → Check if it's set to Private and ask the owner to share it with you

Company-wide roles

When you're invited to elvex, your administrator selects a role, which can be Member, Creator, or Admin. Consumer is a historical role that still exists for some users. Your role determines your permissions across elvex, but it works in tandem with any specific roles you have been granted on an Agent or Datasource.

Feature / Permission | Consumer | Member | Creator | Admin | Owner

  • View & use agents

  • Create new agents

  • Edit/delete agents

  • Share agents

  • View datasources

  • Create new datasources

  • Edit/delete datasources

  • Share datasources

  • Create/manage groups

  • View/edit company info

  • Invite others to company

  • Edit global AI filters

  • Add/edit AI providers

  • Configure integrations (e.g. Slack)

  • Use/view/edit/delete ALL agents (ignore visibility)

  • Use/view/edit/delete ALL datasources (ignore visibility)

Agent and Datasource Visibility

Agents and Datasources have a Visibility setting, which can be either:

  • Private: Only you, company Owners, users you explicitly share with, and groups you share with can use or edit it.

  • Public: Everyone in your company will be able to see and use this Agent or Datasource, but only editors will be able to modify it.

By default, all new Agents and Datasources have their visibility set to Private.

⚠️ Important Security Consideration

Public agents can access private datasources, which creates a potential security loophole:

When you share a private datasource with someone, they can attach it to any agent they create, including public ones.

Example scenario:

  1. You share a private HR datasource with John

  2. John creates a public agent and connects your HR datasource

  3. Now everyone in your company can query HR data through John's public agent

Best practice: Only share private datasources with trusted users or groups, or consider making datasources public if they should be widely accessible.

Groups

Groups allow you to organize users into teams and manage resource access at the group level. Instead of adding individual users to each resource, you can add them to a group and share resources with the entire group.

Group membership roles

Users within a group can have one of three roles:

  • Owner: Can edit group settings, manage all members, and delete the group

  • Editor: Can add and remove group members

  • Viewer: Can only view the group and its members

Group resource roles

When you share a resource with a group, the group receives either:

  • Editor: Group members can modify the resource

  • Viewer: Group members can view and use the resource

Permission hierarchy

If a user has access to a resource through both individual permissions and group membership, the highest privilege role wins.

Example:

  • Sarah has Viewer access to an agent through individual permissions

  • Sarah is in the Marketing group, which has Editor access to the same agent

  • Sarah will have Editor access (the higher privilege)
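A small model of the rules described above (Public visibility, individual and group roles, highest privilege wins), with an audit for the exposure path from the Security Consideration section. This is an added example, not elvex code or its API: the `Resource` class, the function names and the sample users are assumptions, and treating company Owners as holding Owner on every resource is a modelling choice based on the Private visibility description.

```python
from dataclasses import dataclass, field

RANK = {None: 0, "Viewer": 1, "Editor": 2, "Owner": 3}

@dataclass
class Resource:
    name: str
    owner: str
    visibility: str = "Private"                      # page: new resources default to Private
    user_roles: dict = field(default_factory=dict)   # user  -> "Viewer" | "Editor"
    group_roles: dict = field(default_factory=dict)  # group -> "Viewer" | "Editor"
    datasources: list = field(default_factory=list)  # agents only: attached datasources

def effective_role(user, res, groups, company_owners=()):
    """Highest-privilege role `user` holds on `res`, or None for no access."""
    candidates = [res.user_roles.get(user)]
    candidates += [role for g, role in res.group_roles.items() if user in groups.get(g, ())]
    if res.visibility == "Public":
        candidates.append("Viewer")                  # Public == company-wide Viewer
    if user == res.owner or user in company_owners:  # assumption: modelled as Owner rank
        candidates.append("Owner")
    return max(candidates, key=RANK.__getitem__)

def transitive_exposure(agents, users, groups, company_owners=()):
    """Users who can reach a Private datasource only through a Public agent."""
    findings = []
    for agent in agents:
        if agent.visibility != "Public":
            continue
        for ds in agent.datasources:
            if ds.visibility != "Private":
                continue
            exposed = sorted(u for u in users
                             if effective_role(u, ds, groups, company_owners) is None)
            if exposed:
                findings.append((agent.name, ds.name, exposed))
    return findings

# Constructed sample data mirroring the page's two examples.
GROUPS = {"Marketing": {"sarah"}}
USERS = {"you", "john", "sarah", "dana"}
hr = Resource("HR data", owner="you", user_roles={"john": "Viewer"})
john_agent = Resource("HR helper", owner="john", visibility="Public", datasources=[hr])
campaign = Resource("Campaign agent", owner="dana",
                    user_roles={"sarah": "Viewer"}, group_roles={"Marketing": "Editor"})
```

Each finding names a Public agent, the Private datasource attached to it, and the users who have no role on that datasource yet can query it through the agent.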

FAQs

How do I share an agent or datasource with my entire company?

Modify the Visibility of the agent or datasource and set it to Public. This will effectively give all users within your company Viewer access to this agent or datasource, allowing them to use it, but not modify it.

How do I share an agent or datasource with a team?

Create a group for your team, add the team members, then share the resource with the group. This is more efficient than adding users individually, especially when managing multiple resources.

How do I share an agent or datasource with someone?

For agents:

  1. Open the agent you want to share

  2. Expand Security & Permissions

  3. Click Add user (or Add group) and search by name or email

  4. Select their role (Viewer or Editor)

  5. Click Save

For datasources:

  1. Open the datasource you want to share

  2. Scroll to Permissions

  3. Click Add user (or Add group) and search by name or email

  4. Select their role (Viewer or Editor)

  5. Click Save

Where do I go to modify agent or datasource permissions?

For agents, expand the Security & Permissions setting. For datasources, scroll to Permissions.

How does elvex determine the owner of an agent or datasource?

The owner of an agent or datasource is always the person that created that agent or datasource, unless ownership has been transferred to another user.

How do I transfer ownership of an agent or datasource?

This is currently only supported via a support request to [email protected] but we'll soon allow owners to transfer ownership. Alternatively, a team member can copy the agent or datasource and make their own version.

What happens if someone clones an agent that was connected to a private datasource?

The answer here depends on what access the user cloning the agent has to the underlying datasource. If the user has access to the datasource via Viewer, Editor or Owner roles (either individually or through a group), the cloned agent will contain a connection to the original datasource. If the user cloning the agent does not have access to the datasource, they will create an agent with identical configuration to that of the initial agent, but the cloned agent will not have access to the original datasource. The agent creator will have to request access to the datasource.

What is the default visibility for new agents or datasources?

All new agents and datasources have their visibility set to Private by default.

Do requests made via private agents still show in the audit log?

For now, yes, both private and public agents still show their requests and responses in the elvex audit log. This means administrators can currently see all conversation content, even from private agents. In a subsequent release, we plan to change this behavior so that admins can see that private agent requests were made, but not see the detail of the request or response of that private agent. This is an area we're open to feedback on so if you have thoughts, please let us know at [email protected]

Can I use private agents via Slack?

Yes, but with some caveats. Setting your agent's visibility to Private means that you cannot set Slack permissions to "All Slack users" as this would potentially allow non-authorized users to use your agent and its connected datasources. Private agents can only have the "Match elvex permissions" setting enabled for Slack which effectively means that you can only use Private agents via direct messages in Slack.

Can I use private agents via the API?

Yes. You can add an API user to a private agent, giving that user only the ability to see that agent.

While you can assign either the Viewer or Editor role to an API user, it currently doesn't make much of a difference as API users cannot edit agents via the API.
