Skip to main content
Applies to:
  • Plan -
  • Deployment -

Summary

Goal: Find and configure role-based access control in the Braintrust UI. Features: Permission groups, service tokens, project-scoped access, Members page.

Configuration steps

Step 1: Locate permission groups

In Braintrust, “roles” are called Permission groups. Navigate to Settings → Organization → Permission groups. Built-in groups: Owners, Engineers, Viewers. Custom groups appear on the same page.

Step 2: View user group assignments

To see which groups are assigned to users, go to Settings → Organization → Members.

Step 3: Create a permission group for a service token

Before creating a service token, create a permission group scoped to the target projects.
  1. Go to Settings → Organization → Permission groups
  2. Create a new group and set project-level permissions
A global permission group grants global access. A project-scoped group restricts the token to those projects only.

Step 4: Create a service token and attach the group

  1. Go to Settings → Organization → Permission groups → Service tokens
  2. Create a service token and attach it to the permission group created in Step 3
The token inherits all permissions from its assigned group.

Step 5: Add a service account directly to a project (optional)

You can also add a service account directly to a project via the project settings UI. The service token must still be attached to a permission group for proper scoping.

Reference