Skip to main content
This page lists every permission and the actions it allows, so you can see exactly what you grant when you build a custom role or permission set.
The App and Knowledge Base resource permissions below are also constrained by resource access. A member can use them only on the apps and knowledge bases their resource access reaches, even when their role grants the permission.See Permissions for details.

Workspace

PermissionWhat it lets a member do
Manage membersInvite members, assign and change their roles, and remove members.
Manage role permissions and resource access rulesCreate, edit, duplicate, and delete custom roles and permission sets, and manage resource access rules.
Manage customizationCustomize workspace branding, such as replacing the WebApp logo and removing Dify branding.

Applications

PermissionWhat it lets a member do
Create appsCreate apps from scratch, a template, or a DSL file, and duplicate existing apps.
Manage app tagsCreate, edit, and assign tags to apps.
Access App LibrarySee the App Library in the main navigation, where published apps are listed to open.

App Resource Permissions

PermissionWhat it lets a member do
Preview appSee the app in the list, without opening its detail pages.
Read-only orchestration pageOpen the app’s orchestration and configuration pages in read-only mode, and view its conversations, comments, variables, and annotations.
Test and use appRun and debug the app, including chat, completion, agent, and workflow test runs.
Edit and orchestrate appEdit the app’s configuration and workflow, and manage its annotations, comments, and variables.
Import / export DSLImport and export the app’s DSL, and publish it to the creators platform.
App publishing and version managementRelease the app and manage versions, the WebApp site, API access, and app API keys.
Access monitoring pageView the app’s monitoring page and usage statistics.
Configure external tracingView and change the app’s external tracing configuration.
Access logs and annotationsView the app’s logs and annotations.
Configure app access permissionsSet who can reach the app, through its resource access.
Delete appDelete the app.

Knowledge Bases

PermissionWhat it lets a member do
Create knowledge basesCreate knowledge bases, sync from sources like Notion, and import knowledge pipelines.
Manage knowledge base tagsCreate, edit, and assign tags to knowledge bases.
Connect external knowledge basesConnect an external knowledge base provider.
Manage knowledge base API keysCreate and delete the knowledge base Service API keys.

Knowledge Base Resource Permissions

PermissionWhat it lets a member do
Preview knowledge baseSee the knowledge base in the list, without opening its detail pages.
Read-only knowledge baseOpen the knowledge base in read-only mode and view its documents, segments, and settings.
Edit knowledge baseEdit the knowledge base’s settings, documents, segments, and metadata.
Add documents to knowledge baseAdd or upload documents to the knowledge base.
Delete knowledge base filesDelete documents from the knowledge base.
Download documentsDownload documents from the knowledge base.
Knowledge base retrievalRun retrieval testing on the knowledge base.
Pipeline testingTest-run the knowledge pipeline.
Import / export knowledge pipeline DSLImport and export the knowledge pipeline DSL.
Knowledge pipeline publishing and version managementRelease the knowledge pipeline and manage its versions.
Configure knowledge base access permissionsSet who can reach the knowledge base, through its resource access.
Delete knowledge baseDelete the knowledge base.

Integrations

Plugins

PermissionWhat it lets a member do
Install and update pluginsInstall and update plugins from the Marketplace, GitHub, or a local package.
Delete pluginsUninstall plugins.
Debug pluginsGet a debugging key and remotely debug plugins.
Configure modelsAdd and configure model providers, models, and plugin endpoints.
Configure auto updatesSet plugin auto-update preferences.

Tools and MCP

PermissionWhat it lets a member do
Manage toolsCreate, edit, delete, and authorize custom, API, and workflow tools.
Manage MCPCreate, edit, delete, and authorize MCP providers.

Credentials

PermissionWhat it lets a member do
View and use credentialsUse configured credentials and switch the active credential or preferred provider.
Add credentialsAdd a new credential, such as a model provider’s API key or a data source authorization.
Edit and delete credentialsUpdate and delete credentials, and manage OAuth and custom clients.

Data Sources and API Extensions

PermissionWhat it lets a member do
Manage data source configurationConfigure the workspace’s data sources.
Manage API extension configurationAdd, edit, and delete API-based extensions.