Roles and Access Control
Types of Users available when onboarding users to the Digital Twin Platform
Quick Reference
| Role | Best for | Personal Twin | Custom Twins | Admin Console |
|---|---|---|---|---|
| User | Most employees needing a personal twin | ✅ | ✅ | ❌ |
| Light User | Broad rollouts of governed custom twins | ❌ | Interact only | ❌ |
| Data Analyst | Analytics/ops stakeholders | ✅ | View only | Analytics only |
| Setup Admin | IT / platform setup admins | ✅ | ✅ Manage all | Partial |
| Org Admin | Org-wide operational control | ✅ | ✅ Manage all | Full |
| Super Admin | Governance, compliance, and audit | ✅ | ✅ Manage all | Full + Audit |
End-User Roles
User
The default role for employees who should have the full personal Digital Twin experience.
What it unlocks:
- Chat with their own personal/self Digital Twin
- Chat with Digital Twins of colleagues they have access to
- Create a Digital Twin for themselves
- Create Digital Twins for employees they manage (where applicable)
- Use the Agents / Prompt Builder and save personal prompts
Assign to: Any employee you want to give the complete Digital Twin experience — synced documents, personal chat, and self-knowledge management.
Light User
A consumption-only tier designed for broad rollouts where the goal is access to one or more curated Custom Twins (e.g., an HR policy bot, onboarding guide, or enablement assistant) without provisioning a personal twin for every user.
What it unlocks:
- Chat with Expert / Custom Twins they've been granted access to
- Get grounded answers from the curated content in those twins
What it does not unlock:
- No personal/self-twin chat
- No document ingestion (documents are not synced for Light Users)
- Cannot create or manage Custom Twins
Assign to: Users who only need to query a governed Custom Twin (e.g., a company-wide policy bot or training assistant) and don't need a personal twin experience. Ideal for large-scale rollouts where full-user seats are not needed for every employee.
Data Analyst
A read-only role scoped exclusively to aggregated usage analytics across the organization.
What it unlocks:
- View org-wide analytics and usage metrics across all Digital Twins (
perm_dt_analytics_org_wide)
What it does not unlock:
- No access to raw content, document stores, or individual twin conversations
- No Admin Console management surfaces
Assign to: Analytics, operations, or L&D stakeholders who need visibility into adoption and usage data but should not have access to any personal content or conversations.
Admin Roles
Setup Admin
An IT or platform admin role designed for the people responsible for onboarding, configuring, and maintaining the Digital Twin deployment — without granting them full organizational governance powers.
What it unlocks (Admin Console surfaces):
- Manage employees (add, edit, remove)
- Manage enterprise data sources
- Manage privacy settings and restrictions
- Manage ingestion configurations
- Create, edit, publish, or trigger ingestion for any bot
- Manage API tokens
- Optionally: Manage Agent/Prompt Gallery org templates
What it does not unlock:
- No access to private twin conversations (unless explicitly shared)
- No org-admin governance operations (e.g., cannot add/remove other org admins)
- No audit log access
Assign to: IT administrators, platform engineers, or designated "Digital Twin owners" at the department or org level who are responsible for setting up connectors, managing users, and keeping the system running — but who do not need compliance-level oversight.
Org Admin
The operational "keys to the kingdom" role for an organization. Org Admins can manage all aspects of the platform and all bots across the org.
What it unlocks:
- All Setup Admin capabilities
- Org-admin operations including managing other org admins
- Org-wide bot management: create, edit, publish, trigger ingestion for any bot
- Org-wide analytics access
- Manage employees, data sources, privacy, ingestion
- Manage API tokens and MCP Sources
Assign to: A small number of trusted individuals who are responsible for the overall health and configuration of the Digital Twin platform. This is the primary "platform owner" role.
Super Admin
The highest-governance role, focused on compliance, oversight, and audit — rather than day-to-day operational control.
What it unlocks:
- Full Admin Console access
- View audit logs across all Digital Twins
- View org-wide analytics
- Governance and compliance oversight
Assign to: Compliance officers, security leads, or executives who need full visibility and audit access but may not be making day-to-day configuration changes. In most orgs, one or two individuals hold this role.
Org Admin vs. Super Admin: Think of Org Admin as the operational admin (manages bots, users, and configuration) and Super Admin as the governance admin (audit logs, oversight, compliance). The two roles are complementary and can be held by different people.