Roles and permissions
Understand user roles, permissions, and access controls for managing your Warp Enterprise team.
Warp uses a role-based access model to control what team members can do within your organization. Admins manage team settings and enforce policies, while members use Warp's features within the boundaries admins define.
User roles
Warp has three user roles:
Team Owner - Has full access to the admin panel and can manage team settings, invite users, assign roles, and transfer ownership of the team. There can only be one Owner.
Team Admin - Same permissions as the Owner, except they can't transfer ownership of the team.
Member - Standard access to Warp features and team resources. Members can use agents, access shared Warp Drive resources, and configure personal settings within the limits set by admins.
Managing admins
Teams can have multiple admins. We recommend at least one admin in addition to the Team Owner to prevent access issues if one is unavailable.
Promoting or demoting admins
Navigate to Settings > Teams > Team Members.
Find the user you want to modify.
Click the three-dot menu icon next to their name.
Select Promote to Admin or Demote from Admin.
Confirm the change when prompted.
Team Admins cannot demote or modify the Team Owner role.
Permission details
What admins can do
Team management - View members, invite users, remove users, and assign roles.
Authentication - Configure SSO and login requirements.
Agent policies - Set autonomy levels, command allowlists/denylists, and directory access controls.
Security settings - Configure secret redaction, telemetry controls, and data handling policies.
Feature controls - Enable or disable Codebase Context, BYOLLM, sharing, and other features.
Billing - Monitor credit usage, set spending limits, and manage subscriptions.
What members can do
Use agents - Run Oz agents locally and in the cloud within the policies admins define.
Access team resources - Use shared Workflows, Notebooks, Prompts, Rules, and Environment Variables in Warp Drive.
Configure personal settings - Adjust settings where admins have selected "Respect User Setting."
Share sessions - Collaborate via session sharing (if enabled by admins).
Index codebases - Trigger Codebase Context indexing for repositories (if enabled by admins).
Settings enforcement
Admin-configured settings follow a three-tier model:
Organization enforced - Applies to all members. Users cannot override these settings. Use for security-critical policies (e.g., secret redaction, command denylists).
Respect user setting - Admins set a default, but individual users can customize. Use for preferences that don't impact security.
Tier restricted - Setting is locked based on billing plan and cannot be changed until the plan is upgraded.
See the Admin Panel documentation for details on configuring each setting.
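The three tiers above can be modelled locally to check which settings a member can still override. This is an added example, not Warp's code or API: the setting keys, the `Policy` layout and the sample values are hypothetical, and it assumes a tier-restricted setting is pinned to a plan-determined value.

```python
from dataclasses import dataclass
from typing import Any

# Tier labels mirror the page's wording; the identifiers are hypothetical.
ENFORCED = "organization_enforced"
RESPECT_USER = "respect_user_setting"
TIER_RESTRICTED = "tier_restricted"
TIERS = (ENFORCED, RESPECT_USER, TIER_RESTRICTED)

# Settings the page gives as security-critical examples (keys are constructed).
SECURITY_CRITICAL = ("command_denylist", "secret_redaction")

@dataclass
class Policy:
    tier: str
    admin_value: Any  # enforced value, admin default, or plan-locked value (assumed)

def effective_value(policy: Policy, user_value: Any = None) -> Any:
    """Return the value a member actually runs with; None means 'member set nothing'."""
    if policy.tier not in TIERS:
        raise ValueError(f"unknown tier: {policy.tier}")
    if policy.tier == RESPECT_USER and user_value is not None:
        return user_value  # member customised the admin default
    # Enforced and tier-restricted settings ignore member overrides.
    return policy.admin_value

def audit(policies: dict) -> list:
    """List security-critical settings that are missing or member-overridable."""
    findings = []
    for name in SECURITY_CRITICAL:
        policy = policies.get(name)
        if policy is None:
            findings.append(f"{name}: no policy defined")
        elif policy.tier == RESPECT_USER:
            findings.append(f"{name}: overridable by members")
    return findings

# Constructed sample policy set, not exported from a real team.
SAMPLE = {
    "secret_redaction": Policy(ENFORCED, True),
    "command_denylist": Policy(RESPECT_USER, ["rm -rf /"]),
    "theme": Policy(RESPECT_USER, "dark"),
    "byollm": Policy(TIER_RESTRICTED, False),
}

if __name__ == "__main__":
    print(effective_value(SAMPLE["secret_redaction"], user_value=False))
    print(audit(SAMPLE))
```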
Resource sharing controls
Admins control how team members collaborate and share Warp Drive resources:
Direct link sharing - Allow team members to share Notebooks, Workflows, Prompts, and other objects via direct links.
Team-only links - Restrict links so only team members can access them.
Public link sharing - Enable or disable access for anyone with the link (even non-team members).
For organizations with sensitive internal processes, disable public link sharing to prevent accidental exposure.
Admin activity tracking
For audit purposes, admin actions are logged and visible to all team admins:
Settings changes (what changed, when, by whom)
User role modifications
Team membership changes
Billing and spending limit adjustments
Access admin activity logs through the Admin Panel under Settings > Audit Log.
Related resources
Admin Panel - Configure team settings and enforce policies
Getting started for developers - Developer onboarding guide