
Role Structure Overview
Paradigm’s Role-Based Access Control (RBAC) structure is organized into 3 distinct levels:
- Platform level (turquoise) for multi-company administration,
- Company level (gray) for single-company management,
- and User level (light gray) for end-users.

Key Principles:
- Permissions are cumulative - users can combine multiple roles
- Access is hierarchical - higher roles include lower-level permissions
- Segregation of duties ensures security and compliance
1. Administrative Roles
1.a System Administrator
The System Administrator is Paradigm’s highest-level technical role, focused exclusively on platform administration and multi-company configuration. This role operates at the tenant level with complete administrative control while maintaining strict data privacy - System Administrators cannot access customer-specific data.

✅ Has Access To | ❌ Does Not Have Access To |
---|---|
• System-wide settings • Multi-company management features (Users, Company, Workspaces, Chat settings, themes, SSO) | • View customer usage data: (Chat conversations, prompt) • Company, personal document content |
1.b Account Manager
The Account Manager is a central administrative role focused on customer environment management and day-to-day platform operations. Operating at the platform level, this role supports multiple companies while having specific limitations to maintain security and data integrity.

✅ Has Access To | ❌ Does Not Have Access To |
---|---|
• Multi-company management features (Users, Company, Workspaces, Chat settings, themes, SSO) • Manage API keys • Monitor system usage | • System-wide settings • View customer usage data: (Chat conversations, prompt) • View Company, personal document content |
1.c DPO Admin (Data Protection Officer)
The DPO Admin is a specialized compliance oversight role with comprehensive read-only access to all platform data. This role ensures GDPR compliance and data protection standards across the entire platform, with the ability to monitor but not modify any sensitive information.

✅ Has Access To | ❌ Does Not Have Access To |
---|---|
• Multi-company view usage data: (Chat conversations, prompt) • Can request access to the documents | • Edit or create anything • System-wide settings |
2. Company-Level Roles
2.a Company Admin
The Company Administrator manages all aspects of Paradigm within their specific company scope. This role has full administrative control over their company’s environment while being strictly limited to their organization’s boundary.

✅ Has Access To | ❌ Does Not Have Access To |
---|---|
• Single company management features (Users, Company, Workspaces, Chat settings, themes, SSO) • Manage company API keys • Monitor company usage | • Access other companies’ data or settings • System-wide settings • Single-company view documents • Single-company view usage data: (Chat conversations, prompt) |
2.b Company DPO
The Company DPO oversees data protection and GDPR compliance specifically within their organization’s scope on Paradigm. This role has comprehensive read-only access to all company data for compliance monitoring, without any administrative capabilities.

✅ Has Access To | ❌ Does Not Have Access To |
---|---|
• Single-company view usage data: (Chat conversations, prompt) • Single-company view documents | • Access other companies’ data or settings • Create, modify or delete any company data |
3. User-Level Roles
Basic User
The Basic User represents the everyday Paradigm user looking to enhance their daily productivity. This default role enables them to collaborate with AI assistants through their authorized documents and workspaces. While they don’t have access to administrative features, they can fully leverage AI capabilities to optimize their daily tasks and improve their workflow.

✅ Has Access To | ❌ Does Not Have Access To |
---|---|
• Chat with all agents connected to their own account • View and manage documents within their assigned workspaces • Manage their personal documents • Access their own chat history and statistics • Set individual preferences for agent interactions | • Admin |
Document Manager
Oversees document operations (upload/delete) strictly through the front-end interface within their authorized company workspaces. They cannot modify workspace settings or access unauthorized areas - these permissions remain with Company Admins. Company-wide document visibility is restricted to Company DPOs only.
API Key User
This role enables users to manage their own API keys through their personal settings, strictly limited to creating and deleting personal API keys. It does not grant any additional administrative privileges or access to other users’ API settings.
Group and Permissions List
You can find the detailed permissions matrix in our comprehensive spreadsheet:
- x: Permission granted
- Empty cell: Permission not granted
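
Because permissions are cumulative, a user who holds both an administrative role and a DPO role ends up with a combination that the tables above give to no single role. The audit below is an added example, not Paradigm's own code: the capability labels, the `SAMPLE_ASSIGNMENTS` data and the function names are assumptions built from the role tables, and company scope is ignored for brevity.

```python
# Added example: capability labels are assumptions transcribed from the access
# tables on this page, not Paradigm's internal permission identifiers.
ADMIN = {"system_settings", "multi_company_mgmt", "company_mgmt", "api_keys"}
DATA_VIEW = {"usage_data", "documents"}  # chat conversations, prompts, documents

ROLE_GRANTS = {
    "System Administrator": {"system_settings", "multi_company_mgmt"},
    "Account Manager": {"multi_company_mgmt", "api_keys", "usage_monitoring"},
    "DPO Admin": {"usage_data", "document_access_request"},
    "Company Admin": {"company_mgmt", "api_keys", "usage_monitoring"},
    "Company DPO": {"usage_data", "documents"},
    "Basic User": {"chat", "workspace_documents"},
    "Document Manager": {"workspace_documents"},
    "API Key User": {"personal_api_keys"},
}

# Constructed sample assignments (user -> roles held); not real accounts.
SAMPLE_ASSIGNMENTS = {
    "alice": ["Company Admin", "Basic User"],
    "bob": ["System Administrator", "DPO Admin"],
    "carol": ["Company DPO", "Document Manager"],
    "dave": ["Company Admin", "Company DPO", "API Key User"],
}


def effective_grants(roles):
    """Union of grants across all roles held, since permissions are cumulative."""
    unknown = sorted(set(roles) - set(ROLE_GRANTS))
    if unknown:
        raise ValueError(f"unknown role(s): {unknown}")
    return set().union(*(ROLE_GRANTS[r] for r in roles))


def sod_findings(assignments):
    """Flag users whose combined roles mix administration with data viewing."""
    findings = {}
    for user, roles in assignments.items():
        grants = effective_grants(roles)
        if grants & ADMIN and grants & DATA_VIEW:
            findings[user] = {
                "admin_roles": sorted(r for r in roles if ROLE_GRANTS[r] & ADMIN),
                "data_roles": sorted(r for r in roles if ROLE_GRANTS[r] & DATA_VIEW),
            }
    return findings


if __name__ == "__main__":
    for user, detail in sod_findings(SAMPLE_ASSIGNMENTS).items():
        print(user, detail)
```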