Roles & permissions
Your role determines what you can do in Zahen. Roles are assigned by an administrator and are cumulative — if you hold more than one role, you get the union of all their permissions.
For a plain-language introduction to roles, see What your role lets you do.
The full matrix
Section titled “The full matrix”| Capability | Employee | Department user | Approver | Department admin | Platform admin | Security admin | Developer |
|---|---|---|---|---|---|---|---|
| Sign in and use the platform | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Ask questions (grounded Q&A) | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Read documents you’re permitted to see | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Read your department’s documents | — | ✓ | ✓ | ✓ | ✓ | — | ✓ |
| Run agent tasks | — | ✓ | ✓ | ✓ | ✓ | — | ✓ |
| View task history | — | ✓ | ✓ | ✓ | ✓ | — | ✓ |
| Review and decide approval requests | — | — | ✓ | ✓ | ✓ | — | — |
| Upload documents to your department | — | — | — | ✓ | ✓ | — | — |
| Set document access levels and departments | — | — | — | ✓ | ✓ | — | — |
| Manage users within your department | — | — | — | ✓ | ✓ | — | — |
| Configure workspace settings | — | — | — | — | ✓ | — | — |
| Manage all users and roles | — | — | — | — | ✓ | — | — |
| Manage all departments and documents | — | — | — | — | ✓ | — | — |
| View the audit log | — | — | — | — | ✓ | ✓ | — |
| Review access and security events | — | — | — | — | ✓ | ✓ | — |
| Build and register workflows | — | — | — | — | ✓ | — | ✓ |
| Manage the tool registry | — | — | — | — | ✓ | — | ✓ |
| Build and test integrations | — | — | — | — | — | — | ✓ |
What each role is for
Section titled “What each role is for”Employee — the baseline role for everyone. Read and ask questions from approved documents you’re permitted to see.
Department user — for staff who need to run multi-step agent tasks, not just ask questions. Includes everything an employee can do, plus access to your department’s documents and the ability to start tasks.
Approver — for people responsible for reviewing high-risk actions. Includes everything a department user can do, plus the ability to approve, reject, or escalate paused tasks. See Approvals.
Department admin — for the person who manages a team’s knowledge and access. Includes everything an approver can do within their department, plus document upload, access-level configuration, and user management for that department. See Managing knowledge.
Platform admin — full access across the entire platform. Configures workspace settings, manages all users and departments, and oversees the tool registry and workflows.
Security admin — a read-only role focused on oversight. Can view the audit log and review access across the platform, but cannot change configuration or run tasks.
Developer — for people building and maintaining the platform’s capabilities. Can build and register workflows, manage the tool registry, and test integrations. Does not have administrative access to user data by default.