Understanding User Roles and Permissions in Paradigm

Paradigm implements a comprehensive role-based access control system to ensure secure and efficient management of user permissions. This article explains the different user roles available and their associated permissions.


Role Structure Overview

Paradigm's Role-Based Access Control (RBAC) structure is organized into 3 distinct levels:

  1. Platform level (turquoise) for multi-company administration,
  2. Company level (gray) for single-company management,
  3. and User level (light gray) for end-users.

The lines represent creation permissions: higher-level roles can create subordinate roles, with System Admin having the broadest creation rights. This hierarchical structure ensures proper access control while maintaining clear organizational boundaries.


Key Principles:

- Permissions are cumulative - users can combine multiple roles

- Access is hierarchical - higher roles include lower-level permissions

- Segregation of duties ensures security and compliance

1. Administrative Roles

1.a System Administrator

The System Administrator is Paradigm's highest-level technical role, focused exclusively on platform administration and multi-company configuration. This role operates at the tenant level with complete administrative control while maintaining strict data privacy: System Administrators cannot access customer-specific data.

✅ Has Access To
  • System-wide settings
  • Multi-company management features (Users, Company, Workspaces, Chat settings, themes, SSO)

❌ Does Not Have Access To
  • View customer usage data (chat conversations, prompts)
  • Company and personal document content

1.b Account Manager

The Account Manager is a central administrative role focused on customer environment management and day-to-day platform operations. Operating at the platform level, this role supports multiple companies while having specific limitations to maintain security and data integrity.


✅ Has Access To
  • Multi-company management features (Users, Company, Workspaces, Chat settings, themes, SSO)
  • Manage API keys
  • Monitor system usage

❌ Does Not Have Access To
  • System-wide settings
  • View customer usage data (chat conversations, prompts)
  • View company and personal document content

1.c DPO Admin (Data Protection Officer) 

The DPO Admin is a specialized compliance oversight role with comprehensive read-only access to all platform data. This role ensures GDPR compliance and data protection standards across the entire platform, with the ability to monitor but not modify any sensitive information.

✅ Has Access To
  • Multi-company view of usage data (chat conversations, prompts)
  • Multi-company view of document content

❌ Does Not Have Access To
  • Edit or create anything
  • System-wide settings


2. Company-Level Roles

2.a Company Admin

The Company Administrator manages all aspects of Paradigm within their specific company scope. This role has full administrative control over their company's environment while being strictly limited to their organization's boundary.

✅ Has Access To
  • Single company management features (Users, Company, Workspaces, Chat settings, themes, SSO)
  • Manage company API keys
  • Monitor company usage

❌ Does Not Have Access To
  • Access other companies' data or settings
  • System-wide settings
  • Single-company view documents
  • Single-company view usage data (chat conversations, prompts)

2.b Company DPO

The Company DPO oversees data protection and GDPR compliance specifically within their organization's scope on Paradigm. This role has comprehensive read-only access to all company data for compliance monitoring, without any administrative capabilities.

✅ Has Access To
  • Single-company view usage data (chat conversations, prompts)
  • Single-company view documents

❌ Does Not Have Access To
  • Access other companies' data or settings
  • Create, modify or delete any company data
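
The following is an added sketch, not Paradigm code or its API: it models the administrative and company-level role tables above to show how cumulative roles interact with company scope, and how a reviewer could flag role combinations that put administrative rights and data-read rights in the same hands. Permission labels, role keys and the company names are assumed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Permission labels are assumed names derived from the article's tables.
SETTINGS, MANAGE, API_KEYS, MONITOR = "system_settings", "manage", "api_keys", "monitor_usage"
VIEW_USAGE, VIEW_DOCS = "view_usage_data", "view_documents"

# role -> (scope, granted permissions). "platform" spans every company;
# "company" applies only to the company the role was assigned in.
ROLES = {
    "system_admin":    ("platform", {SETTINGS, MANAGE}),
    "account_manager": ("platform", {MANAGE, API_KEYS, MONITOR}),
    "dpo_admin":       ("platform", {VIEW_USAGE, VIEW_DOCS}),
    "company_admin":   ("company",  {MANAGE, API_KEYS, MONITOR}),
    "company_dpo":     ("company",  {VIEW_USAGE, VIEW_DOCS}),
}
ADMIN_PERMS = {SETTINGS, MANAGE, API_KEYS}
DATA_PERMS = {VIEW_USAGE, VIEW_DOCS}

@dataclass(frozen=True)
class Assignment:
    role: str
    company: Optional[str] = None  # None for platform-level roles

def is_allowed(assignments, permission, company):
    """Cumulative check: allowed if any assigned role grants it within scope."""
    for a in assignments:
        scope, perms = ROLES[a.role]
        in_scope = scope == "platform" or a.company == company
        if in_scope and permission in perms:
            return True
    return False

def sod_conflicts(assignments, companies):
    """Companies where the combined roles hold both admin and data-read rights."""
    out = []
    for c in companies:
        admin = any(is_allowed(assignments, p, c) for p in ADMIN_PERMS)
        data = any(is_allowed(assignments, p, c) for p in DATA_PERMS)
        if admin and data:
            out.append(c)
    return out

if __name__ == "__main__":
    # Constructed sample: one user holding both company roles at "acme".
    user = [Assignment("company_admin", "acme"), Assignment("company_dpo", "acme")]
    print(sod_conflicts(user, ["acme", "globex"]))
```

Running the same check over an export of role assignments gives a list of accounts whose combined roles deserve a second look.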

3. User-Level Roles

Basic User

The Basic User represents the everyday Paradigm user looking to enhance their daily productivity. This default role enables them to collaborate with AI assistants through their authorized documents and workspaces. While they don't have access to administrative features, they can fully leverage AI capabilities to optimize their daily tasks and improve their workflow.


✅ Has Access To
  • Chat with all agents connected to their own account
  • View and manage documents within their assigned workspaces
  • Manage their personal documents
  • Access their own chat history and statistics
  • Set individual preferences for agent interactions

❌ Does Not Have Access To
  • Admin features

Document Manager

The Document Manager oversees document operations (upload/delete) strictly through the front-end interface within their authorized company workspaces.

They cannot modify workspace settings or access unauthorized areas - these permissions remain with Company Admins. Company-wide document visibility is restricted to Company DPOs only.

API Key User

This role enables users to manage their own API keys through their personal settings, strictly limited to creating and deleting personal API keys. It does not grant any additional administrative privileges or access to other users' API settings.

Group and Permissions list

You can find the list here: 

  • x : Permission granted
  • Empty cell: Permission not granted