🔒 Who can manage roles: Only Admins can invite users and assign or change roles. If you need your role updated, ask your Workspace Admin.
A user's roles decide what they can do in your workspace. Every user has one or more roles, assigned when they're invited or synced from your identity provider, and you can change them at any time.
When to use this
You're inviting a new team member and need to decide what level of access they should have.
Someone's responsibilities have changed and you want to check their roles still fit.
You're setting up a new workspace and want to plan your access structure from the start.
The roles
There are seven roles. Most people need just one or two. Two things in Minikai are controlled separately: which Minis you can reach, and which records you can see on them. Keeping that in mind makes the roles below easier to combine.
Member
Can sign in to Minikai but has no access to records or Minis until they're given it, either through another role or through specific labels. This is the default for a new user.
Best for: someone who needs an account before their access is decided, or who only needs specific labelled records or Minis.
Record All Viewer
View every record on the Minis the person can access, regardless of the records' labels. "All records" means all record types on those Minis, not every record in the workspace: this role removes label limits on records, but it doesn't grant access to any Mini on its own. It's normally paired with a Mini role or with Mini label access.
Best for: someone who should see the full record history of the Minis they work with.
Record All Editor
Everything Record All Viewer allows, plus creating, updating, and archiving those records. The same scope applies: it covers records on the Minis the person can access, across all labels.
Best for: someone who maintains records on the Minis they work with, not just reads them.
Mini All Viewer
View and chat with every Mini in the workspace. Which records they see inside each Mini still depends on their record access, so without a record role they may see only a limited set of each Mini's records.
Best for: someone who needs to reach every Mini, such as cross-site quality or governance staff.
Mini All Editor
Everything Mini All Viewer allows, plus editing Mini details. Record access inside each Mini is still governed separately by their record access.
Best for: someone who manages Mini profiles across the workspace.
Admin
Full access to everything in the workspace, including managing users, Minis, records, labels, and all workspace settings. Admin access can't be restricted.
Best for: team leads or IT administrators.
Owner
Everything an Admin can do, plus enhanced privileges such as deleting the workspace. Most workspaces have only one or two Owners.
Best for: the workspace's accountable owner.
Combining roles
A user can hold more than one role, and their permissions are additive: they get everything all of their roles allow. Because Mini access and record access are separate, people often hold one role for each.
For example, a quality lead who needs to see everything without editing might be assigned both Mini All Viewer and Record All Viewer. On its own, Mini All Viewer lets them open every Mini but see only a limited set of records inside each; Record All Viewer fills in the rest. Together, the two roles let them view every record on every Mini across the workspace, while leaving editing to others.
You can also combine a workspace-wide role with label-based access. A site nurse might hold Record All Viewer for records, with access to only their own site's Minis through per-label permissions. They then see the full record history, but only for their site's residents.
Roles can be assigned two ways:
In the app: an Admin selects the user (or several at once) on the Users page and assigns roles or label access under Edit permissions.
Automatically via Directory Sync: map a directory group to a role, so the right access is granted as people are provisioned. A user in several mapped groups receives all of those roles. See Setting up SSO and Directory Sync.
ℹ️ Good to know: If a role was granted through a directory group, it's managed in your identity provider; change the person's group membership there rather than in Minikai, so the change isn't undone on the next sync.
Admin permissions
The table below shows the workspace management actions an Admin can take. The other roles don't manage the workspace; they only grant the record and Mini access described above.
Category | Permission | Admin |
Users | Invite, assign roles, or remove users | ✅ |
Users | View all users | ✅ |
Minis | Create, update, or delete Minis | ✅ |
Minis | View all Minis and records | ✅ |
Minis | Import records (from spreadsheets or documents) | ✅ |
Records | Add, edit, archive, or delete records and attachments | ✅ |
Settings | Audit logs and log streams | ✅ |
Settings | Domain verification | ✅ |
Settings | SSO and directory sync | ✅ |
ℹ️ Good to know: Everyone can use all Mini features (chatting, prompt recommendations, citations, email drafting, and speech-to-text) for any Mini they have access to. Roles decide which Minis and records someone can reach, not which features they can use.
💡 Tip: Not sure which roles to assign? Start small. It's easier to add a role later than to walk one back.
Need help?
Not sure which roles are right for someone on your team, or need to request a change to your own access? Message us through the Help Desk in the app and we'll help you work it out.