Roles & Permissions

Horizon uses role-based access control (RBAC) to determine what each user can see and do across the platform. Every user is assigned exactly one role within the organization. Roles define a set of permissions that govern access to features, data, and administrative actions.

Built-in Roles

Horizon ships with four built-in roles that cover common organizational structures:

Owner

The Owner role has unrestricted access to every feature and setting. Each organization has exactly one Owner. The Owner is the only role that can:

Delete the organization.
Transfer ownership to another user.
Modify billing and subscription settings.

Admin

Admins have full access to the platform except for the destructive organization-level actions reserved for the Owner. Admins can:

Manage all users, including inviting, deactivating, and role assignment.
Configure all settings (organization, connections, API keys, notifications).
Create, edit, deploy, and delete agents and apps.
View all departments and their resources.
Manage partner access and API keys.

Manager

Managers have broad access scoped to their assigned departments. They can:

Manage users within their department (invite, assign roles up to Manager).
Create and configure agents and apps within their department.
View and manage connections assigned to their department.
Approve agent actions that require human oversight within their department.
View department-level billing and usage data.

Managers cannot access organization-wide settings, billing, or resources in departments they are not assigned to.

Member

Members have the most limited built-in role. They can:

Interact with agents deployed in their department (start conversations, review outputs).
View their own activity history and profile.
Customize personal notification preferences.
View (but not modify) department settings, connections, and agent configurations.

Members cannot create or deploy agents, manage users, or access settings.

Permissions Matrix

The following table summarizes key permissions across built-in roles:

Permission	Owner	Admin	Manager	Member
Organization settings	Full	Full	View	View
User management	Full	Full	Department	None
Role management	Full	Full	None	None
Connections	Full	Full	Department	View
Agent creation	Full	Full	Department	None
Agent interaction	Full	Full	Full	Full
Deployed apps	Full	Full	Department	View
API keys	Full	Full	Own keys	Own keys
Billing & subscriptions	Full	View	None	None
Partner management	Full	Full	View	None
Notifications config	Full	Full	Department	Personal
Audit logs	Full	Full	Department	None

Custom Roles

If the built-in roles do not fit your organization’s needs, you can create custom roles with fine-grained permission control.

Navigate to Settings > Roles.
Click Create Custom Role.
Enter a name and description for the role.
Select a base role to start from (this pre-fills permissions that you can then adjust).
Configure permissions for each section (see below).
Click Save Role.

Permission Granularity

Custom roles allow you to set permissions at the section level. Each section supports up to four permission levels:

Level	Description
None	The user cannot see or access this section.
View	The user can view data but cannot make changes.
Edit	The user can view and modify resources within this section.
Full	The user can view, modify, create, and delete resources, and manage section-specific settings.

Sections that support granular permissions include:

Organization Settings — general organization configuration.
User Management — inviting, editing, and deactivating users.
Connections — managing third-party integrations.
Agents & Apps — creating, configuring, and deploying AI agents and apps.
Departments — viewing and managing department resources.
API Keys — creating and revoking API keys.
Billing — viewing and managing wallets, subscriptions, and invoices.
Partners — managing partner organizations and shared access.
Notifications — configuring organization-wide notification settings.
Store — installing and publishing apps, agents, and skills.
Audit Logs — viewing organization activity logs.

Department Scoping

For custom roles, you can optionally restrict access to specific departments. When department scoping is enabled:

The user only sees resources (agents, apps, connections) assigned to their scoped departments.
Their edit and management permissions apply only within those departments.
Organization-level resources (settings, billing) are governed by the section-level permission, not the department scope.

Assigning Roles

To assign or change a user’s role:

Navigate to Settings > Users.
Click on the user.
In the Role dropdown, select the new role.
If the role supports department scoping, select the applicable departments.
Click Save.

Role changes take effect immediately. If the user is currently signed in, their permissions update on the next page load or API call without requiring a sign-out.

Editing and Deleting Custom Roles

Editing — changes to a custom role’s permissions affect all users currently assigned that role. The update propagates immediately.
Deleting — you cannot delete a custom role that has users assigned to it. Reassign those users to a different role first, then delete the custom role.

Built-in roles (Owner, Admin, Manager, Member) cannot be edited or deleted.

API and Programmatic Access

Roles also govern API access. When a user creates an API key, the key inherits the user’s role permissions. API calls made with that key are subject to the same RBAC rules as the user’s interactive session.

For service-to-service integrations where no user context exists, use organization-level API keys created by an Admin or Owner. These keys can be scoped independently of user roles. See API Reference > Authentication for details.