Skip to main content

Overview

Custom roles and RBAC give you the ability to fine-tune access to the Devin application. Enterprise administrators can create custom roles with specific permissions and assign them to users or IdP groups, providing granular control over what actions users can perform within your Devin Enterprise deployment. Devin Enterprise implements a two-tier role system with distinct scopes and capabilities: organization-level roles and account-level roles.

Creating and Assigning Custom Roles

Enterprise admins or users with the Manage Account Membership permission are the only users who can configure custom roles. Navigate to your enterprise settings and select the “Roles” tab to manage both organization-level and account-level roles.
Devin
To create a custom role:
  1. Navigate to Enterprise Settings > Roles
  2. Click “Create a custom role” for either Organization or Enterprise level
  3. Provide a descriptive role name
  4. Select the specific permissions you want to grant
  5. Save the role
Once created, custom roles can be assigned to individual users or IdP groups through the membership management interface:
  • Enterprise admins or users with the Manage Account Membership permission can navigate to the “Enterprise members” page in Enterprise settings and assign account-level roles
    • Please note that this is the same set of users who are able to create, edit, and delete custom roles
  • Organization admins or users with the Manage Organization Membership permission can navigate to the “Organization members” page and assign organization-level roles
    • Please note that these users are able to assign custom roles on the organization level, but creating, editing, or deleting custom roles requires Manage Account Membership (enterprise-level) permissions
We currently do not support multiple roles per user, but this feature is on our roadmap and we plan to support it soon. Each user can currently be assigned only one role per organization and one account-level role.

Organization-Level Roles

Organization-level roles are assigned on an organization-by-organization basis and do not apply outside of the assigned organization. These roles control access to resources and actions within a specific organization. Organization-level roles can be configured with the following permissions: Users can either build their own custom roles with a specific set of permissions, or they can use one of our three default organization roles:
  • Admin: Full administrative access within the organization
  • Member: Standard user access with core functionality
  • DeepWiki Only: Limited access restricted to DeepWiki and Ask Devin functionality, including repository indexing permissions
Devin

Account-Level Roles (Enterprise Roles)

Account-level roles (also known as enterprise-level roles) are assigned across the entire enterprise and apply to every organization within the enterprise. Users with account-level roles automatically inherit corresponding organization-level permissions in all organizations that they are a member of. Account-level roles can be configured with the following permissions: Users can either build their own custom roles with a specific set of permissions, or they can use one of our two default account roles:
  • Admin: Full administrative access across the entire enterprise
  • Member: Standard user access across all organizations in the enterprise
Devin

Auto Assign a Role based on SSO IdP Group

You can automatically assign roles to users based on their Identity Provider (IdP) group membership. This streamlines user access management by ensuring users inherit the correct permissions upon authentication.
  1. Navigate to Enterprise Settings > Members
  2. Configure IdP group mappings to associate group names with specific roles
  3. When users authenticate via SSO, they automatically receive the role assigned to their IdP group
Your SSO provider must send the groups array in the SSO assertion. For detailed setup instructions, see IdP Group Integration.

Best Practices

  • Principle of Least Privilege: Grant users only the minimum permissions necessary for their role
  • Use IdP Groups: Leverage IdP group integration for easier management of role assignments at scale
  • Regular Audits: Periodically review role assignments and permissions to ensure they remain appropriate
  • Descriptive Naming: Use clear, descriptive names for custom roles to make their purpose obvious
  • Documentation: Maintain internal documentation of your custom roles and their intended use cases

Common Issues

If a user is not receiving the expected permission,
  • Verify the user is assigned to the correct role for that specific organization
  • Ensure the role has the necessary permissions configured
For additional support with role configuration, contact your Devin Enterprise administrator or reach out to support.