> ## Documentation Index
> Fetch the complete documentation index at: https://docs.coderabbit.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Admin roles and security

> Understand global admin, automation admin, and scope admin permissions, usage visibility, and how CodeRabbit Agent for Slack keeps private conversation knowledge isolated.

export const Hint = ({type, children, headline, tip, href, cta}) => {
  const TIPS = {
    learnings: {
      headline: "Learnings",
      tip: "Review preferences CodeRabbit learns from your chat conversations and applies automatically to future reviews.",
      cta: "Learn about Learnings",
      href: "/knowledge-base/learnings",
      content: "Learnings"
    },
    walkthrough: {
      headline: "PR Walkthrough",
      tip: "A structured comment posted by CodeRabbit at the top of every pull request, summarizing changes, sequence diagrams, review effort, and more.",
      cta: "Learn about PR Walkthroughs",
      href: "/pr-reviews/walkthroughs",
      content: "Walkthrough"
    },
    "finishing-touches": {
      headline: "Finishing Touches",
      tip: "Post-review agentic actions (Autofix, writing docstrings or unit tests, and more) you trigger from a PR comment or a checkbox in the Walkthrough.",
      cta: "See all Finishing Touches",
      href: "/finishing-touches",
      content: "Finishing Touches"
    },
    "coding-plan": {
      headline: "Coding Plan",
      tip: "A detailed, codebase-aware implementation plan CodeRabbit generates from an issue or description, ready to hand off to any coding agent.",
      cta: "Learn about Coding Plans",
      href: "/plan",
      content: "Coding Plan"
    },
    "knowledge-base": {
      headline: "Knowledge Base",
      tip: "The collected context sources CodeRabbit draws on during reviews: Learnings, Code Guidelines, issue trackers, connected MCP servers, and cross-repo analysis.",
      cta: "Explore the Knowledge Base",
      href: "/knowledge-base",
      content: "Knowledge Base"
    },
    "path-instructions": {
      headline: "Path Instructions",
      tip: "Custom review rules that only apply to files matching a glob pattern, e.g. 'src/controllers/**'.",
      cta: "Configure path instructions",
      href: "/configuration/path-instructions",
      content: "Path Instructions"
    },
    "coderabbit-review": {
      headline: "CodeRabbit Review",
      tip: "An improved code inspection interface that reorganizes a pull request from a flat file list into a structured, layer-by-layer walkthrough with range-specific summaries and diagrams.",
      cta: "Learn about CodeRabbit Review",
      href: "/pr-reviews/coderabbit-review",
      content: "CodeRabbit Review"
    },
    scope: {
      headline: "Scope",
      tip: "A named set of repositories, connections, and spend limits that controls what CodeRabbit Agent can access in a given Slack conversation.",
      cta: "Learn about Scopes",
      href: "/slack-agent/scopes",
      content: "Scope"
    },
    "coderabbit-agent": {
      headline: "CodeRabbit Agent for Slack",
      tip: "An AI agent built into Slack that investigates issues, generates implementation plans, and opens pull requests right from the Slack threads.",
      cta: "Explore CodeRabbit Agent",
      href: "/slack-agent",
      content: "CodeRabbit Agent"
    },
    "configuration-inheritance": {
      headline: "Configuration Inheritance",
      tip: "A setting that merges configuration values across multiple levels — repository YAML, central YAML, and UI settings — instead of using only the highest-priority source.",
      cta: "Learn about Configuration Inheritance",
      href: "/configuration/configuration-inheritance",
      content: "Configuration Inheritance"
    }
  };
  const defaults = TIPS[type] || ({});
  return <Tooltip headline={headline ?? defaults.headline} tip={tip ?? defaults.tip} cta={cta ?? defaults.cta} href={href ?? defaults.href}>
      {children ?? defaults.content}
    </Tooltip>;
};

Control who can configure, who can see, and what stays private. CodeRabbit Agent for Slack uses both Slack-native admin status and CodeRabbit-specific roles. Everyone in the workspace can sign in, but elevated access is required for workspace-wide settings and some web app surfaces.

## Global, automation and scope admins

### Global admins

Global admins are the people who can manage the workspace as a whole.

They include:

* Native Slack admins
* Slack workspace owners and primary owners
* Users with the CodeRabbit `cr_admin` override

### Automation admins

Automation admins are CodeRabbit Agent users who can help manage automations without receiving full workspace-admin access. Workspace admins assign this role from **Workspace Users**.

When Automation admin management is enabled, Automation admins can view automation admin surfaces and manage same-workspace automations. Any linked workspace user can create automations, but Automation admins can manage more than their own created automations when this setting is enabled. They cannot manage the full workspace, reset workspace connections, manage users, or administer scopes unless they also have another role that grants those permissions.

### Scope admins

<Hint type="scope">Scope</Hint> admins can manage only the scopes assigned to them. They can tune repositories, connections, spend settings, and channel targeting for those scopes, but they cannot manage the full workspace or admin-only web surfaces such as Automations, Sandboxes, or workspace user management.

<Info>
  Scope admins cannot edit the Base Scope. The Base Scope remains reserved for global admins, although scope admins can still view it in read-only mode.
</Info>

## What each role can do

<Info>
  Global admins have full access to all workspace actions and settings. Every action listed in the table below is always available to global admins regardless of any other configuration.
</Info>

| Action                                                  | Automation admin                                 | Scope admin         | Member                   |
| ------------------------------------------------------- | ------------------------------------------------ | ------------------- | ------------------------ |
| Sign in and access the UI                               | Yes                                              | Yes                 | Yes                      |
| View the Connections page                               | Yes                                              | Yes                 | Yes                      |
| Create or edit connections                              | No                                               | Yes                 | No                       |
| Create or delete scopes                                 | No                                               | No                  | No                       |
| View the Base Scope                                     | No                                               | Yes                 | No                       |
| Edit the Base Scope                                     | No                                               | No                  | No                       |
| Edit assigned scopes                                    | No                                               | Yes                 | No                       |
| Create automations                                      | Yes                                              | Yes                 | Yes                      |
| Edit, pause, resume, or delete automations              | Yes, when Automation admin management is enabled | No                  | Created automations only |
| Run immediately or stop a running channel automation    | Yes (channels only)                              | Yes (channels only) | Yes (channels only)      |
| Access the Sandboxes page in the web app                | No                                               | No                  | No                       |
| Manage workspace users or other workspace-wide settings | No                                               | No                  | No                       |
| Reset the workspace GitHub connection                   | No                                               | No                  | No                       |

## Account Settings and account removal

The [Account Settings](https://agent.coderabbit.ai/account-settings) page is visible only to workspace (global) admins. Account Settings includes workspace-wide controls such as resetting the GitHub connection and permanently removing the CodeRabbit Agent account.

<Danger>
  Only workspace admins can access the **Danger Zone** controls in Account Settings, including **Delete account**. If you need to remove the account, sign in as a workspace admin before opening that page.
</Danger>

## Workspace activity visibility

Usage visibility is role-aware.

| Viewer           | What they can see                                                                                           |
| ---------------- | ----------------------------------------------------------------------------------------------------------- |
| Global admin     | All workspace activity                                                                                      |
| Automation admin | Automation surfaces and activity available through automation management, plus their own activity elsewhere |
| Scope admin      | Activity for the scopes they manage, plus their own activity elsewhere                                      |
| Member           | Their own activity                                                                                          |

## Knowledge Base privacy

Knowledge follows Slack privacy boundaries.

| Slack surface                             | Knowledge behavior                        |
| ----------------------------------------- | ----------------------------------------- |
| Public channels and other shared surfaces | Use the global workspace Knowledge Base   |
| Private channels                          | Use a private conversation Knowledge Base |
| DMs and group DMs                         | Use a private conversation Knowledge Base |

Private knowledge can reference shared knowledge, but it should not be silently treated as shared workspace memory.

## Shared sandbox access

CodeRabbit Agent currently uses a shared workspace sandbox model rather than a private sandbox for every individual user.

That makes workspace governance important:

* Configuration changes affect the workspace environment
* Saved state can be reused across runs
* Admins should be deliberate about who can manage sandbox settings

## Good rollout practices

* Keep the Base Scope conservative at first
* Delegate scopes only where needed
* Review usage visibility before wider rollout
* Treat private channels and DM knowledge as materially different from shared workspace memory

## What's next

<CardGroup cols={1}>
  <Card title="Slack permissions" href="/slack-agent/slack-permissions" icon="key-round" horizontal>
    Review the Slack app and OAuth permissions CodeRabbit Agent requests and why they are needed.
  </Card>

  <Card title="Usage" href="/slack-agent/usage" icon="bar-chart-3" horizontal>
    See what activity global admins, scope admins, and other members can inspect after rollout.
  </Card>

  <Card title="Sandboxes" href="/slack-agent/sandboxes" icon="box" horizontal>
    Understand the shared sandbox model and how workspace-level execution state is managed.
  </Card>
</CardGroup>
