Note: This feature is currently available for Enterprise, Edu, and ChatGPT for Teachers only.

Overview

RBAC stands for Role-Based Access Controls. It is a security and permissions model used to control access to systems or resources based on a user’s role assignments. With RBAC, you can define permissions against a role and assign these roles to groups within your organization. This simplifies permission management and improves security in your ChatGPT workspace.

Who can configure RBAC settings and permissions for Enterprise/Edu workspaces and ChatGPT for Teachers?

Workspace Owners can adjust default settings and permissions and use RBAC to create customized settings and permissions.

Are there any geography restrictions (for example, excluded in the EU)?

All supported countries should have access to this feature.

Will RBAC configuration be accessible from web, mobile, and desktop?

Web only.

What are we launching and what capabilities are included at launch?

Workspace Owners will gain RBAC functionality within  chatgpt.com/admin/settings where they can:

Set a default role for members who do not have one or more Custom Roles assigned.
Create custom roles with granular permissions that override the workspace default role.
Assign one or multiple Custom Roles to Groups.
View and manage Custom Roles in a centralized tab.

What permissions can I configure with RBAC?

You can assign the following permissions:

Canvas: Code execution and network access
ChatGPT agent
Codex: Use, and access to the internet
Apps
GPTs: Creation, editing, sharing, deletion, and use
Projects: Creation and editing
Record: Use and ability to reference past notes and transcripts
Search: Web search and agent mode
Shared projects
Skills: Creation and use, skill file uploads, sharing, publishing to the workspace, and installing for other workspace members

Lockdown Mode roles

Workspaces that have Lockdown Mode role support can use RBAC to create a custom role for members who need Lockdown Mode. Treat Lockdown Mode as a role-level security configuration, not as a single permission toggle.

When a member is assigned to a Lockdown Mode role, network-enabled capabilities may be limited, including live web search, deep research, agent mode, Canvas networking, and some app, MCP, or connector behavior, depending on workspace settings.

Before assigning a Lockdown Mode role, review which apps and actions the role allows and confirm that members have the permissions they need in each connected source system. App access in ChatGPT does not override permissions in the connected source system.

For more detail about what changes in Lockdown Mode, see Lockdown Mode.

We will continue to add features to RBAC permissions over time.

Note: you can control access to apps on a per-app basis. Additionally an app's UI cannot be disabled independently.

What is Member RBAC and how is it different from current roles?

Member RBAC lets workspace Owners create custom roles to control end‑user access to tools. Existing roles (Member, Admin, Owner) only govern workspace‑management rights.

How do I assign roles to people or groups?

In Settings & Permissions → Custom Roles, assign roles to Groups created in the Groups tab or synced via SCIM. Users inherit permissions from their Group roles.

Can I create my own roles?

Yes. Use Add new role in the Custom Roles tab to define roles with tailored permissions.

What’s required to enable RBAC for my workspace?

Nothing extra. It is available to all workspace admins in the admin dashboard. Create or sync Groups, then assign roles to those Groups.

How does RBAC work (role creation, assignment, defaults)?

Admins create roles, toggle feature access, and save. Roles are assigned to Groups; users can inherit multiple roles, and permissions are the maximum of the permissions across roles. Users outside Groups receive workspace‑default permissions unless overridden by a Group role.

How to configure RBAC in your workspace

In the workspace, navigate to Workspace Settings

In Workspace Settings, navigate to Settings and permissions in the left panel (note accessing this tab is restricted to users with Owner workspace permissions)

Once in Settings and permissions, you will be on the Workspace tab. In this tab, you will find the default permissions for users. If users do not have a custom role assigned, they will have these permissions.

Important: Workspace Settings default permissions apply to users who are not assigned a custom role. Users in custom roles receive the permissions configured for their roles. For Apps, you can make an app available to everyone by enabling it for the Workspace default role and each relevant custom role. Newly published apps are enabled for all roles by default unless you change the role selection before publishing.

Settings & permissions page with Workspace and Custom roles tabs for configuring baseline and custom access

As you scroll through the page, you can update toggles to modify the default permissions for users.

To override the default permissions, you can create Custom Roles and apply these to Groups. To do so, go to the Custom roles tab and click on Create role:

Settings & permissions page with Custom roles tab selected and Create role button

In the modal, fill in the role name and description as needed and click Save:

Once landed on the custom role permission page, updated toggles to design the custom role:

Workspace Search settings with Web search and Deep research enabled, Agent mode disabled

Navigate to Role assignments at the top of the same custom role page and click on +Add to see groups to assign custom role to:

Full GPT Access role assignments tab with no groups found and an Add button

In the modal, select the groups to assign the custom role to (can assign to multiple groups). Once added, click Done:

Assign groups to role dialog with Marketing added and R&D available to add

End users in the group with the custom role assigned should now have permissions updated.

RBAC