Skip to main content
Control who can configure, who can see, and what stays private. CodeRabbit Agent for Slack uses both Slack-native admin status and CodeRabbit-specific roles. Everyone in the workspace can sign in, but elevated access is required for workspace-wide settings and some web app surfaces.

Global, automation and scope admins

Global admins

Global admins are the people who can manage the workspace as a whole. They include:
  • Native Slack admins
  • Slack workspace owners and primary owners
  • Users with the CodeRabbit cr_admin override

Automation admins

Automation admins are CodeRabbit Agent users who can help manage automations without receiving full workspace-admin access. Workspace admins assign this role from Workspace Users. When Automation admin management is enabled, Automation admins can view automation admin surfaces and manage same-workspace automations. Any linked workspace user can create automations, but Automation admins can manage more than their own created automations when this setting is enabled. They cannot manage the full workspace, reset workspace connections, manage users, or administer scopes unless they also have another role that grants those permissions.

Scope admins

admins can manage only the scopes assigned to them. They can tune repositories, connections, spend settings, and channel targeting for those scopes, but they cannot manage the full workspace or admin-only web surfaces such as Automations, Sandboxes, or workspace user management.
Scope admins cannot edit the Base Scope. The Base Scope remains reserved for global admins, although scope admins can still view it in read-only mode.

What each role can do

Global admins have full access to all workspace actions and settings. Every action listed in the table below is always available to global admins regardless of any other configuration.
ActionAutomation adminScope adminMember
Sign in and access the UIYesYesYes
View the Connections pageYesYesYes
Create or edit connectionsNoYesNo
Create or delete scopesNoNoNo
View the Base ScopeNoYesNo
Edit the Base ScopeNoNoNo
Edit assigned scopesNoYesNo
Create automationsYesYesYes
Edit, pause, resume, or delete automationsYes, when Automation admin management is enabledNoCreated automations only
Run immediately or stop a running channel automationYes (channels only)Yes (channels only)Yes (channels only)
Access the Sandboxes page in the web appNoNoNo
Manage workspace users or other workspace-wide settingsNoNoNo
Reset the workspace GitHub connectionNoNoNo

Account Settings and account removal

The Account Settings page is visible only to workspace (global) admins. Account Settings includes workspace-wide controls such as resetting the GitHub connection and permanently removing the CodeRabbit Agent account.
Only workspace admins can access the Danger Zone controls in Account Settings, including Delete account. If you need to remove the account, sign in as a workspace admin before opening that page.

Workspace activity visibility

Usage visibility is role-aware.
ViewerWhat they can see
Global adminAll workspace activity
Automation adminAutomation surfaces and activity available through automation management, plus their own activity elsewhere
Scope adminActivity for the scopes they manage, plus their own activity elsewhere
MemberTheir own activity

Knowledge Base privacy

Knowledge follows Slack privacy boundaries.
Slack surfaceKnowledge behavior
Public channels and other shared surfacesUse the global workspace Knowledge Base
Private channelsUse a private conversation Knowledge Base
DMs and group DMsUse a private conversation Knowledge Base
Private knowledge can reference shared knowledge, but it should not be silently treated as shared workspace memory.

Shared sandbox access

CodeRabbit Agent currently uses a shared workspace sandbox model rather than a private sandbox for every individual user. That makes workspace governance important:
  • Configuration changes affect the workspace environment
  • Saved state can be reused across runs
  • Admins should be deliberate about who can manage sandbox settings

Good rollout practices

  • Keep the Base Scope conservative at first
  • Delegate scopes only where needed
  • Review usage visibility before wider rollout
  • Treat private channels and DM knowledge as materially different from shared workspace memory

What’s next

Slack permissions

Review the Slack app and OAuth permissions CodeRabbit Agent requests and why they are needed.

Usage

See what activity global admins, scope admins, and other members can inspect after rollout.

Sandboxes

Understand the shared sandbox model and how workspace-level execution state is managed.