Roles and permissions
# Roles and permissions Warp uses a role-based access model to control what team members can do within your organization. Admins manage team settings and enforce policies, while members use Warp's features within the boundaries admins define. ## User roles Warp has three user roles: * **Team Owner** - Has full access to the Admin Panel and can manage team settings, invite users, assign roles, and transfer ownership of the team. There can only be one Owner. * **Team Admin** - Same permissions as the Owner, except they can't transfer ownership of the team. * **Member** - Standard access to Warp features and team resources. Members can use agents, access shared Warp Drive resources, and configure personal settings within the limits set by admins. ## Managing admins Teams can have multiple admins. We recommend at least one admin in addition to the Team Owner to prevent access issues if one is unavailable. ### Promoting or demoting admins 1. Navigate to **Settings** > **Teams** > **Team Members**. 2. Find the user you want to modify. 3. Click the three-dot menu icon next to their name. 4. Select **Promote to Admin** or **Demote from Admin**. 5. Confirm the change when prompted. :::caution Team Admins cannot demote or modify the Team Owner role. ::: ## Permission details ### What admins can do * **Team management** - View members, invite users, remove users, and assign roles. * **Authentication** - Configure SSO and login requirements. * **Agent policies** - Set autonomy levels, command allowlists/denylists, and directory access controls. * **Security settings** - Configure secret redaction, telemetry controls, and data handling policies. * **Feature controls** - Enable or disable Codebase Context, BYOLLM, sharing, and other features. * **Billing** - Monitor credit usage, set spending limits, and manage subscriptions. ### What members can do * **Use agents** - Run Oz agents locally and in the cloud within the policies admins define. * **Access team resources** - Use shared Workflows, Notebooks, Prompts, Rules, and Environment Variables in Warp Drive. * **Configure personal settings** - Adjust settings where admins have selected "Respect User Setting." * **Share sessions** - Collaborate via session sharing (if enabled by admins). * **Index codebases** - Trigger Codebase Context indexing for repositories (if enabled by admins). ### Settings enforcement Admin-configured settings follow a three-tier model: * **Organization enforced** - Applies to all members. Users cannot override these settings. Use for security-critical policies (e.g., secret redaction, command denylists). * **Respect user setting** - Admins set a default, but individual users can customize. Use for preferences that don't impact security. * **Tier restricted** - Setting is locked based on billing plan and cannot be changed until the plan is upgraded. See the [Admin Panel](/enterprise/team-management/admin-panel/) documentation for details on configuring each setting. ## Resource sharing controls Admins control how team members collaborate and share Warp Drive resources: * **Direct link sharing** - Allow team members to share Notebooks, Workflows, Prompts, and other objects via direct links. * **Team-only links** - Restrict links so only team members can access them. * **Public link sharing** - Enable or disable access for anyone with the link (even non-team members). For organizations with sensitive internal processes, disable public link sharing to prevent accidental exposure. ## Related resources * [Admin Panel](/enterprise/team-management/admin-panel/) - Configure team settings and enforce policies * [Getting started for developers](/enterprise/getting-started/getting-started-developers/) - Developer onboarding guideUnderstand user roles, permissions, and access controls for managing your Warp Enterprise team.
Warp uses a role-based access model to control what team members can do within your organization. Admins manage team settings and enforce policies, while members use Warp’s features within the boundaries admins define.
User roles
Section titled “User roles”Warp has three user roles:
- Team Owner - Has full access to the Admin Panel and can manage team settings, invite users, assign roles, and transfer ownership of the team. There can only be one Owner.
- Team Admin - Same permissions as the Owner, except they can’t transfer ownership of the team.
- Member - Standard access to Warp features and team resources. Members can use agents, access shared Warp Drive resources, and configure personal settings within the limits set by admins.
Managing admins
Section titled “Managing admins”Teams can have multiple admins. We recommend at least one admin in addition to the Team Owner to prevent access issues if one is unavailable.
Promoting or demoting admins
Section titled “Promoting or demoting admins”- Navigate to Settings > Teams > Team Members.
- Find the user you want to modify.
- Click the three-dot menu icon next to their name.
- Select Promote to Admin or Demote from Admin.
- Confirm the change when prompted.
Permission details
Section titled “Permission details”What admins can do
Section titled “What admins can do”- Team management - View members, invite users, remove users, and assign roles.
- Authentication - Configure SSO and login requirements.
- Agent policies - Set autonomy levels, command allowlists/denylists, and directory access controls.
- Security settings - Configure secret redaction, telemetry controls, and data handling policies.
- Feature controls - Enable or disable Codebase Context, BYOLLM, sharing, and other features.
- Billing - Monitor credit usage, set spending limits, and manage subscriptions.
What members can do
Section titled “What members can do”- Use agents - Run Oz agents locally and in the cloud within the policies admins define.
- Access team resources - Use shared Workflows, Notebooks, Prompts, Rules, and Environment Variables in Warp Drive.
- Configure personal settings - Adjust settings where admins have selected “Respect User Setting.”
- Share sessions - Collaborate via session sharing (if enabled by admins).
- Index codebases - Trigger Codebase Context indexing for repositories (if enabled by admins).
Settings enforcement
Section titled “Settings enforcement”Admin-configured settings follow a three-tier model:
- Organization enforced - Applies to all members. Users cannot override these settings. Use for security-critical policies (e.g., secret redaction, command denylists).
- Respect user setting - Admins set a default, but individual users can customize. Use for preferences that don’t impact security.
- Tier restricted - Setting is locked based on billing plan and cannot be changed until the plan is upgraded.
See the Admin Panel documentation for details on configuring each setting.
Resource sharing controls
Section titled “Resource sharing controls”Admins control how team members collaborate and share Warp Drive resources:
- Direct link sharing - Allow team members to share Notebooks, Workflows, Prompts, and other objects via direct links.
- Team-only links - Restrict links so only team members can access them.
- Public link sharing - Enable or disable access for anyone with the link (even non-team members).
For organizations with sensitive internal processes, disable public link sharing to prevent accidental exposure.
Related resources
Section titled “Related resources”- Admin Panel - Configure team settings and enforce policies
- Getting started for developers - Developer onboarding guide