# Admin roles and security

> Understand global admin, automation admin, and scope admin permissions, usage visibility, and how CodeRabbit Agent for Slack keeps private conversation knowledge isolated.

export const Hint = ({type, children, headline, tip, href, cta}) => {
  const TIPS = {
    learnings: {
      headline: "Learnings",
      tip: "Review preferences CodeRabbit learns from your chat conversations and applies automatically to future reviews.",
      cta: "Learn about Learnings",
      href: "/knowledge-base/learnings",
      content: "Learnings"
    },
    walkthrough: {
      headline: "PR Walkthrough",
      tip: "A structured comment posted by CodeRabbit at the top of every pull request, summarizing changes, sequence diagrams, review effort, and more.",
      cta: "Learn about PR Walkthroughs",
      href: "/pr-reviews/walkthroughs",
      content: "Walkthrough"
    },
    "finishing-touches": {
      headline: "Finishing Touches",
      tip: "Post-review agentic actions (Autofix, writing docstrings or unit tests, and more) you trigger from a PR comment or a checkbox in the Walkthrough.",
      cta: "See all Finishing Touches",
      href: "/finishing-touches",
      content: "Finishing Touches"
    },
    "coding-plan": {
      headline: "Coding Plan",
      tip: "A detailed, codebase-aware implementation plan CodeRabbit generates from an issue or description, ready to hand off to any coding agent.",
      cta: "Learn about Coding Plans",
      href: "/plan",
      content: "Coding Plan"
    },
    "knowledge-base": {
      headline: "Knowledge Base",
      tip: "The collected context sources CodeRabbit draws on during reviews: Learnings, Code Guidelines, issue trackers, connected MCP servers, and cross-repo analysis.",
      cta: "Explore the Knowledge Base",
      href: "/knowledge-base",
      content: "Knowledge Base"
    },
    "path-instructions": {
      headline: "Path Instructions",
      tip: "Custom review rules that only apply to files matching a glob pattern, e.g. 'src/controllers/**'.",
      cta: "Configure path instructions",
      href: "/configuration/path-instructions",
      content: "Path Instructions"
    },
    scope: {
      headline: "Scope",
      tip: "A named set of repositories, connections, and spend limits that controls what CodeRabbit Agent can access in a given Slack conversation.",
      cta: "Learn about Scopes",
      href: "/slack-agent/scopes",
      content: "Scope"
    }
  };
  const defaults = TIPS[type] || ({});
  return <Tooltip headline={headline ?? defaults.headline} tip={tip ?? defaults.tip} cta={cta ?? defaults.cta} href={href ?? defaults.href}>
      {children ?? defaults.content}
    </Tooltip>;
};

Control who can configure, who can see, and what stays private. CodeRabbit Agent for Slack uses both Slack-native admin status and CodeRabbit-specific roles. Everyone in the workspace can sign in, but elevated access is required for workspace-wide settings and some web app surfaces.

## Global, automation and scope admins

### Global admins

Global admins are the people who can manage the workspace as a whole.

They include:

* Native Slack admins
* Slack workspace owners and primary owners
* Users with the CodeRabbit `cr_admin` override

### Automation admins

Automation admins are CodeRabbit Agent users who can help manage automations without receiving full workspace-admin access. Workspace admins assign this role from **Workspace Users** and can use **Account Settings** to decide whether automation creation is open to any user, limited to global admins, or available to global admins and automation admins.

When Automation admin management is enabled, automation admins can create automations, view automation admin surfaces, and manage same-workspace automations. They cannot manage the full workspace, reset workspace connections, manage users, or administer scopes unless they also have another role that grants those permissions.

### Scope admins

<Hint type="scope">Scope</Hint> admins can manage only the scopes assigned to them. They can tune repositories, connections, spend settings, and channel targeting for those scopes, but they cannot manage the full workspace or admin-only web surfaces such as Automations, Sandboxes, or workspace user management.

<Info>
  Scope admins cannot edit the Base Scope. The Base Scope remains reserved for global admins, although scope admins can still view it in read-only mode.
</Info>

## What each role can do

<Info>
  Global admins have full access to all workspace actions and settings. Every action listed in the table below is always available to global admins regardless of any other configuration.
</Info>

| Action                                                  | Automation admin                                 | Scope admin                    | Member                         |
| ------------------------------------------------------- | ------------------------------------------------ | ------------------------------ | ------------------------------ |
| Sign in and access the UI                               | Yes                                              | Yes                            | Yes                            |
| View the Connections page                               | Yes                                              | Yes                            | Yes                            |
| Create or edit connections                              | No                                               | Yes                            | No                             |
| Create or delete scopes                                 | No                                               | No                             | No                             |
| View the Base Scope                                     | No                                               | Yes                            | No                             |
| Edit the Base Scope                                     | No                                               | No                             | No                             |
| Edit assigned scopes                                    | No                                               | Yes                            | No                             |
| Create automations                                      | Yes, when enabled in Account Settings            | Depends on the creation policy | Depends on the creation policy |
| Edit, pause, resume, or delete automations              | Yes, when Automation admin management is enabled | No                             | Created automations only       |
| Run immediately or stop a running channel automation    | Yes (channels only)                              | Yes (channels only)            | Yes (channels only)            |
| Access the Sandboxes page in the web app                | No                                               | No                             | No                             |
| Manage workspace users or other workspace-wide settings | No                                               | No                             | No                             |
| Reset the workspace GitHub connection                   | No                                               | No                             | No                             |
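
The scope, connection, and automation-creation rows above, written as a deny-by-default check. This is an added example, not CodeRabbit's code. The field names, role strings, action names, the `base` scope identifier, and the fail-closed default for a missing creation policy are all assumptions.

```javascript
// Added example: deny-by-default evaluation of part of the role table.
// All field, role, and action names below are hypothetical.
const BASE_SCOPE = "base";

// Global admins: native Slack admins, owners/primary owners, or cr_admin.
function isGlobalAdmin(user) {
  return Boolean(user.slackAdmin || user.slackOwner || user.crAdmin);
}

// settings.creationPolicy: "any_user" | "global_admins" |
// "global_and_automation_admins" (the three Account Settings options).
function can(user, action, ctx = {}, settings = {}) {
  if (isGlobalAdmin(user)) return true; // every action is always available
  const roles = new Set(user.roles || []);
  const scopeAdmin = roles.has("scope_admin");
  const automationAdmin = roles.has("automation_admin");
  switch (action) {
    case "sign_in":
    case "view_connections":
      return true;
    case "edit_connections":
    case "view_base_scope":
      return scopeAdmin;
    case "edit_scope":
      // Scope admins edit only assigned scopes; the Base Scope is read-only.
      return scopeAdmin && ctx.scope !== BASE_SCOPE &&
        (user.assignedScopes || []).includes(ctx.scope);
    case "create_automation": {
      // Assumption: a missing policy falls back to the strictest option.
      const policy = settings.creationPolicy || "global_admins";
      if (policy === "any_user") return true;
      return automationAdmin && policy === "global_and_automation_admins";
    }
    default:
      // Create/delete scopes, Sandboxes page, user management, GitHub
      // connection reset, and any unknown action: global admins only.
      return false;
  }
}

// Constructed sample users.
const users = {
  owner: { id: "U1", slackOwner: true },
  scopeAdmin: { id: "U2", roles: ["scope_admin"], assignedScopes: ["payments"] },
  both: { id: "U3", roles: ["scope_admin", "automation_admin"], assignedScopes: ["web"] },
  member: { id: "U4" },
};
```

Roles combine as a union: the `both` user gets scope edits from one role and automation creation from the other, and neither role reaches the admin-only surfaces.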

## Workspace activity visibility

Usage visibility is role-aware.

| Viewer           | What they can see                                                                                           |
| ---------------- | ----------------------------------------------------------------------------------------------------------- |
| Global admin     | All workspace activity                                                                                      |
| Automation admin | Automation surfaces and activity available through automation management, plus their own activity elsewhere |
| Scope admin      | Activity for the scopes they manage, plus their own activity elsewhere                                      |
| Member           | Their own activity                                                                                          |

## Knowledge Base privacy

Knowledge follows Slack privacy boundaries.

| Slack surface                             | Knowledge behavior                        |
| ----------------------------------------- | ----------------------------------------- |
| Public channels and other shared surfaces | Use the global workspace Knowledge Base   |
| Private channels                          | Use a private conversation Knowledge Base |
| DMs and group DMs                         | Use a private conversation Knowledge Base |

Private knowledge can reference shared knowledge, but it should not be silently treated as shared workspace memory.

## Shared sandbox access

CodeRabbit Agent currently uses a shared workspace sandbox model rather than a private sandbox for every individual user.

That makes workspace governance important:

* Configuration changes affect the workspace environment
* Saved state can be reused across runs
* Admins should be deliberate about who can manage sandbox settings

## Good rollout practices

* Keep the Base Scope conservative at first
* Delegate scopes only where needed
* Review usage visibility before wider rollout
* Treat private channels and DM knowledge as materially different from shared workspace memory

## What's next

<CardGroup cols={1}>
  <Card title="Slack permissions" href="/slack-agent/slack-permissions" icon="key-round" horizontal>
    Review the Slack app and OAuth permissions CodeRabbit Agent requests and why they are needed.
  </Card>

  <Card title="Usage" href="/slack-agent/usage" icon="bar-chart-3" horizontal>
    See what activity global admins, scope admins, and other members can inspect after rollout.
  </Card>

  <Card title="Sandboxes" href="/slack-agent/sandboxes" icon="box" horizontal>
    Understand the shared sandbox model and how workspace-level execution state is managed.
  </Card>
</CardGroup>
