Overview

Custom roles and RBAC give you the ability to fine-tune access to the Devin application. Enterprise administrators can create custom roles with specific permissions and assign them to users or IdP groups, providing granular control over what actions users can perform within your Devin Enterprise deployment.
Custom roles and RBAC are currently in limited access and only released to specific enterprises. Please contact Cognition support if you want custom roles unlocked for your enterprise.
Devin Enterprise implements a two-tier role system with distinct scopes and capabilities: organization-level roles and account-level roles.

Organization-Level Roles

Organization-level roles are assigned on an organization-by-organization basis and do not apply outside of the assigned organization. These roles control access to resources and actions within a specific organization. Organization-level roles can be configured with the following permissions:
| Permission | Description |
| --- | --- |
| Use DeepWiki | Access to DeepWiki functionality |
| Use Ask Devin | Access to Ask Devin feature |
| Use Devin Sessions | Access to create and use Devin sessions |
| Manage Membership | Add/remove users and groups. Assign or unassign permission roles |
| Manage Settings | Manage settings at the organization level |
| Manage Playbooks | Create/edit/delete organization playbooks |
| Manage Secrets | Create/edit/delete organization secrets |
| Manage Knowledge | Create/edit/delete organization knowledge |
| Manage Snapshots and Repository Indexing | Create/edit/delete machine snapshots and repository indexing |
| Manage API Keys | Create/delete/use API keys |
| Manage MCP Servers | Create/edit/delete MCP servers |
| View Metrics | View organization metrics |
| View Consumption | View organization consumption |
Users can either build their own custom roles with a specific set of permissions, or they can use one of our three default organization roles:
  • Admin: Full administrative access within the organization
  • Member: Standard user access with core functionality
  • DeepWiki Only: Limited access restricted to DeepWiki and Ask Devin functionality

Account-Level Roles (Enterprise Roles)

Account-level roles (also known as enterprise-level roles) are assigned across the entire enterprise and apply to every organization within the enterprise. Users with account-level roles automatically inherit corresponding organization-level permissions in all organizations that they are a member of. Account-level roles can be configured with the following permissions:
| Permission | Description |
| --- | --- |
| Manage Organizations | View/create/edit/delete enterprise organizations |
| Manage Account Membership | View/create/edit/delete enterprise + organization membership |
| Manage Enterprise Settings | View/edit settings at the enterprise + organization levels |
| Manage Git Integrations | Create/edit/delete Git integrations (GitHub, GitLab, ADO, Bitbucket). Manage repo permissions and repo indexing |
| Manage Chat Integrations | Create/edit/delete chat integrations like Microsoft Teams or Slack |
| Manage Ticket Integrations | Create/edit/delete ticketing integrations like Jira or Linear |
| Use Account Tools | Use Devin sessions, Ask Devin, and DeepWiki across any org |
| Manage Account Resources | Create/edit/delete playbooks, secrets, and knowledge across any org |
| Manage Account Snapshots | Create/edit/delete machine snapshots in any org. Manage account level snapshots + index repos |
| View Enterprise Infra Details | View enterprise infrastructure details |
| Manage Account API Keys | Create/edit/delete/use API keys in the enterprise and any org |
| Manage Account MCP Servers | Create/edit/delete MCP servers across any org |
| View Account Metrics | View enterprise metrics |
| Manage Billing | View/edit consumption for the enterprise |
Users can either build their own custom roles with a specific set of permissions, or they can use one of our two default account roles:
  • Admin: Full administrative access across the entire enterprise
  • Member: Standard user access across all organizations in the enterprise

IdP Group Integration

Admins can assign custom roles to Identity Provider (IdP) groups. When you assign a role to an IdP group, every member of that group (as defined by your identity provider) will automatically be assigned that role.
  1. Group Information Flow: During authentication, Devin Enterprise receives group information from your IdP
  2. Automatic Role Assignment: Users inherit permissions based on their IdP group membership
  3. Dynamic Updates: Group membership changes are reflected upon user reauthentication
IdP groups must be explicitly enabled for your Enterprise and are only supported for some enterprise SSO connections. Contact your administrator to enable group support.

Creating and Assigning Custom Roles

Enterprise admins or users with the Manage Account Membership permission are the only users who can configure custom roles. Navigate to your enterprise settings and select the “Roles” tab to manage both organization-level and account-level roles. To create a custom role:
  1. Navigate to Enterprise Settings > Roles
  2. Click “Create a custom role” for either Organization or Enterprise level
  3. Provide a descriptive role name
  4. Select the specific permissions you want to grant
  5. Save the role
Once created, custom roles can be assigned to individual users or IdP groups through the membership management interface:
  • Enterprise admins or users with the Manage Account Membership permission can navigate to the “Enterprise members” page in Enterprise settings and assign account-level roles
    • Please note that this is the same set of users who are able to create, edit, and delete custom roles
  • Organization admins or users with the Manage Organization Membership permission can navigate to the “Organization members” page and assign organization-level roles
    • Please note that these users are able to assign custom roles on the organization level, but they may not be able to create, edit, or delete custom roles
We currently do not support multiple roles per user, but this feature is on our roadmap and we plan to support it soon. Each user can currently be assigned only one role per organization and one account-level role.

Best Practices

  • Principle of Least Privilege: Grant users only the minimum permissions necessary for their role
  • Use IdP Groups: Leverage IdP group integration for easier management of role assignments at scale
  • Regular Audits: Periodically review role assignments and permissions to ensure they remain appropriate
  • Descriptive Naming: Use clear, descriptive names for custom roles to make their purpose obvious
  • Documentation: Maintain internal documentation of your custom roles and their intended use cases
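For the regular audits recommended above, the following added example (not Devin code and not a Devin API) computes each user's effective organization-level permissions under the two-tier model and flags sensitive permissions that reach an organization only through the account-level role. The account-to-organization mapping, the choice of sensitive permissions, and all role, user and organization names are assumptions constructed for illustration.

```python
# Assumption: which account-level permission implies which organization-level
# permissions, inferred from the descriptions in the tables on this page.
INHERITS = {
    "Use Account Tools": {"Use DeepWiki", "Use Ask Devin", "Use Devin Sessions"},
    "Manage Account Membership": {"Manage Membership"},
    "Manage Enterprise Settings": {"Manage Settings"},
    "Manage Account Resources": {"Manage Playbooks", "Manage Secrets", "Manage Knowledge"},
    "Manage Account Snapshots": {"Manage Snapshots and Repository Indexing"},
    "Manage Account API Keys": {"Manage API Keys"},
    "Manage Account MCP Servers": {"Manage MCP Servers"},
}
# Assumption: the permissions this audit treats as sensitive.
SENSITIVE = {"Manage Membership", "Manage Secrets", "Manage API Keys", "Manage MCP Servers"}

# Constructed sample data: hypothetical custom roles, users and organizations.
ACCOUNT_ROLES = {
    "Platform Ops": {"Manage Account Resources", "View Account Metrics"},
    "Metrics Viewer": {"View Account Metrics"},
}
ORG_ROLES = {
    "Reader": {"Use DeepWiki", "Use Ask Devin"},
    "Engineer": {"Use DeepWiki", "Use Ask Devin", "Use Devin Sessions"},
}
# One account-level role per user and one role per organization, as the page states.
ASSIGNMENTS = [
    {"user": "alice", "account_role": "Platform Ops",
     "orgs": {"payments": "Reader", "web": "Engineer"}},
    {"user": "bob", "account_role": "Metrics Viewer", "orgs": {"payments": "Engineer"}},
]

def effective(user):
    """Return {org: org-level permissions}, including those inherited from the
    account-level role, only for organizations the user is a member of."""
    inherited = set()
    for perm in ACCOUNT_ROLES[user["account_role"]]:
        inherited |= INHERITS.get(perm, set())
    return {org: ORG_ROLES[role] | inherited for org, role in user["orgs"].items()}

def audit(assignments):
    """List (user, org, permission) for sensitive permissions that the user's
    organization role does not grant but the account-level role adds."""
    findings = []
    for user in assignments:
        for org, perms in effective(user).items():
            direct = ORG_ROLES[user["orgs"][org]]
            for perm in sorted((perms & SENSITIVE) - direct):
                findings.append((user["user"], org, perm))
    return findings

if __name__ == "__main__":
    for finding in audit(ASSIGNMENTS):
        print(finding)
```

In the sample data, alice holds only the "Reader" role in the payments organization, yet the audit reports Manage Secrets there because her account-level role carries Manage Account Resources.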

Common Issues

If a user is not receiving the expected permissions:
  • Verify the user is assigned to the correct role for that specific organization
  • Ensure the role has the necessary permissions configured
  • Check if IdP group membership is current (may require reauthentication)
For additional support with role configuration, contact your Devin Enterprise administrator or reach out to support.