Skip to content

Roles capability matrix

Ronja has five roles. Lower in this list means fewer permissions. For the concepts behind the matrix, see Roles and permissions; to assign roles, see Manage users and roles.

Role In one line
Super Admin The org owner. Assigned automatically to whoever creates the organization — has every permission, including promoting other members to Admin.
Admin Runs the workspace. Manages people, settings, and data.
Data Admin Owns the data layer. Connects sources and schedules jobs.
User Everyday use. Explores data and asks Ronja.
User Read-Only View-only access — perfect for stakeholders.

New invitees start as User Read-Only until an admin upgrades them. A member with no role at all fails every permission check.

✓ = allowed · ◐ = allowed with conditions (see footnote) · — = not allowed

Capability Super Admin Admin Data Admin User User Read-Only
View shared tables, data apps & knowledge
Run analyses & ask Ronja in explorations
Create notes & knowledge (through chat)
Upload files (CSV, Excel, …) ✓ ¹
Create features ✓ ²
Build & edit tables ◐ ³
Connect & manage data sources
Schedule automations in shared features — ⁴
Read workspace-shared skills, secrets, workflows & data apps ✓ ⁵
Create & edit workspace-shared skills, secrets, workflows & data apps ◐ ⁶
Request promotions & propose new shared resources ✓ ⁷
Connect personal MCP servers
Choose the AI model & reasoning effort per chat ◐ ⁸ ◐ ⁸ ◐ ⁸ ◐ ⁸
Approve promotions & note / workflow / Saved-Agent proposals; commit drafts ✓ ⁹
Approve data app proposals — ¹⁰
View the member directory
Invite members & assign roles ✓ ¹¹
Manage organization & workspace settings
View every member’s explorations ✓ ¹²
Delete & restore workspaces (30-day trash)
Delete & restore features (30-day trash)
Delete & restore tables (30-day trash)
Permanently purge trashed items before the 30 days
Manage workspaces, features & tables through chat (admin tools) ✓ ¹³
Promote members to Admin or Super Admin
Buy credits ✓ ¹⁴
Delete the organization ✓ ¹⁵
Register a login domain (auto-join) ✓ ¹⁶
  1. Any member except User Read-Only can upload files in a conversation. Managing the files inside a workspace- or organization-scoped feature additionally requires Data Admin or membership in an admin workspace.
  2. New features are private to their creator until promoted to a workspace or the organization.
  3. Users can propose edits to shared tables as drafts; a Data Admin reviews and commits them. Building or editing tables directly requires Data Admin. See Versions, drafts, and approvals.
  4. Any member can create automations in their own private features. Automations in workspace- or organization-scoped features require Data Admin (or workspace admin for workspace features).
  5. Read access to shared resources is decided by workspace membership, not role — a User Read-Only member of a workspace can view that workspace’s shared resources. Private resources are visible only to their creator.
  6. Users can create or edit workspace-shared resources only inside a workspace whose members have been granted admin rights; Data Admins always can.
  7. Any member with read access to a shared feature can propose a brand-new shared note, workflow, data app, or Saved Agent there; an approver reviews it before it goes live.
  8. The per-chat model + effort picker is an admin-granted capability (Control Center → Models & effort). Super Admins always hold the capability (User Read-Only never does), but the picker only appears when the organization’s credit wallet has been funded and no spend downshift is active — for everyone, Super Admins included. See Govern AI spend.
  9. For workspace-scoped features, a workspace admin can also approve note and workflow proposals and drafts. Deleting a shared MCP server requires the full Admin role.
  10. Data app proposals and shared data-app drafts require the full Admin role — a Data Admin can propose one but cannot approve it.
  11. Admins can only assign roles below their own level — an Admin cannot make someone Admin or Super Admin. You also cannot demote yourself if you are the only member at your level or higher.
  12. Admins can open any member’s exploration — including private ones — for support and governance. Everyone else sees only explorations shared with them.
  13. Each destructive admin action requested through chat still requires explicit human approval in the conversation.
  14. From the Billing page. Purchases are added to your next invoice — no card is charged. See Credits and AI spend.
  15. Only from a logged-in browser session (never via API token). The organization shuts down immediately for every member; data is permanently deleted after a 7-day cooling-off window — contact Ronja support to restore it before then.
  16. Only the domain of your own login email can be registered, verified via a magic link. Anyone who then logs in with a matching email joins at the chosen default role.
  • Role changes can take a minute or two to apply to a member’s active session.
  • Some capability differences you see in the product’s built-in Role guide have been corrected here against the actual backend behavior — where the two disagree, this page is authoritative.