Granting and revoking capabilities — and editing a role at all — is itself governed by the Manage roles capability. You edit a role’s capabilities under the Capabilities tab when managing a role in People. If you can’t reach role management, your role doesn’t have Manage roles — access is governed by capabilities, not by any fixed role name.
How capabilities work
Capabilities are granted per role. Under People, open a role and use its Capabilities tab to toggle each permission on or off; every user assigned that role inherits the result. The built-in Super admin role always holds every capability and its toggles are locked on; the Administrator and Member roles, and any custom role, have fully editable capabilities. See Roles for how roles are assigned and edited.Capabilities define what you can do; teams define which gateways you can do it to. Most capabilities act only on the resources your team membership already grants you. A separate family of “view all” capabilities — View and use all gateways, View all servers, View all identities, View all teams, See all alerts — overrides that team scoping for its resource type. See How team scoping interacts with capabilities.
Identities
Identity capabilities govern the credentials users connect to downstream MCP servers. Personal identity management — managing your own identities — is always available to every user and is not gated by a capability.View all identities is a governance-preview capability, not an impersonation grant
View all identities lets an administrator see every identity in the workspace, including the private identities created by other users, regardless of who created them. Critically, it does not let the holder use another person’s private identity, nor view or edit its header tokens (its secret credentials). A private identity is never selectable for assignment by anyone other than its owner, even with this capability, and its header tokens can only be viewed or edited by its creator — an identity can only be used by others if its owner has made it shared (globally available) rather than personal. What the capability provides is a read-only preview: an administrator can see which identities exist and preview what tools and access a given user’s identity would expose. This is an instrumental tool for building governance policies — understanding what different users and their identities can reach — without granting the ability to act as those users. For the concepts behind identities and shared-versus-personal availability, see Authentication & Identity.Servers
Server capabilities govern MCP servers and server instances — adding them, editing them, enabling or disabling them, deleting them, and creating managed and workstation server instances.
Like gateways, servers are scoped by access: View all servers overrides that scoping so the holder sees every server and server instance in the workspace regardless of access. Create workstation instances is reserved for an upcoming feature and is not yet active.
Gateways
Gateway capabilities govern creating and configuring gateways, provisioning them to teams, and archiving them.Basic gateway management acts only on gateways you can reach
Basic gateway management grants the actions — creating gateways, renaming them, enabling and disabling them, assigning and revoking servers. It does not, by itself, widen which gateways those actions apply to. A user with this capability can manage only the gateways their team membership provisions to them. To act on gateways across the whole workspace regardless of team, a role also needs View and use all gateways (below). Manage team-gateway provisioning is the separate capability for granting and revoking a team’s access to a gateway.Hosts
Host capabilities govern the apps and agents that connect to your gateways — the API tokens and OAuth connections that link a host to a gateway, and enabling, disabling, or deleting hosts.People
People capabilities govern user, role, and team administration and SSO/SCIM mapping.People administration is split into fine-grained capabilities
User, role, and team administration is divided into six independent capabilities, so you can grant exactly the administrative scope a role needs rather than all of it at once:- Manage roles — create and duplicate roles, edit role names, icons, and capabilities, and delete roles that have no assigned users.
- Manage teams — create teams, edit team names, enable and disable teams, and delete teams.
- Manage user role assignments — change which role a user holds.
- Manage user team assignments — add users to and remove them from teams.
- Remove users — deactivate a user to revoke their access to the workspace.
- View all teams — see every team in the workspace, not only the teams you belong to (the team-scoping override for People; see How team scoping interacts with capabilities).
These six capabilities replace the earlier single Manage people capability, which bundled all of the above together. If you previously relied on Manage people, grant the specific capabilities a role now needs. The built-in Super admin role holds all of them automatically.
Manage SSO/SCIM mapping also gates a page
Manage SSO/SCIM mapping controls more than buttons: the SSO/SCIM settings page itself is gated by this capability. A user whose role lacks it cannot open that page even by direct link — they are redirected away. See SSO and SCIM.Workspace settings
Logging
Logging capabilities govern viewing and exporting logs and configuring the OpenTelemetry collector that forwards them.
View and export logs is scoped to the resources you can already reach: it lets you view and export logs only for the hosts, gateways, and servers your team membership grants you access to — it is not a workspace-wide “view every log” grant. Manage OpenTelemetry collector governs the collector used to forward logs to an external destination; see Export to SIEM.
Alerting
See all alerts overrides the default team-based scoping of alerts so the holder sees every alert in the workspace rather than only those tied to resources they can reach.
Reporting
View reports controls the Reporting page end to end: with it, the Reporting link appears in the left-hand navigation and every chart is available; without it, the link is hidden and the page is unavailable.
Integrations
Manage integrations governs the rule engines and other integrations attached to your gateways — configuring them, editing them, and removing them, for both built-in engines and custom providers.
How team scoping interacts with capabilities
Most capabilities are bounded by team membership: they let you act only on the gateways (and the servers, hosts, logs, and alerts behind them) that your teams provision to you. A handful of capabilities are deliberately designed to override that scoping for administrators who need a workspace-wide view:- View and use all gateways — see and use every gateway on any team, bypassing team provisioning entirely.
- View all servers — see every server and server instance regardless of access.
- View all identities — see every identity regardless of creator (read-only preview; it does not let you use another user’s private identity, or view or edit its header tokens).
- View all teams — see every team in the workspace, not only the teams you belong to.
- See all alerts — see every alert in the workspace.
Further reading
Roles
How capabilities are bundled into roles and assigned to users.
Teams
The team scoping that bounds most capabilities.

