Why We’re Changing
Onyx’s current permission system offers limited flexibility. You can make someone an Admin (full access), a Basic user (no management access), or a Curator (management access scoped to specific groups). There’s nothing in between. If you want someone to manage connectors but not agents, or view analytics without any management access, the current system can’t do that. The new group-based permission system solves this by assigning permissions directly to groups. Each group can have a specific set of permissions, and users inherit the permissions of every group they belong to. This enables granular delegation. For example, giving a team lead access to manage connectors without granting them full admin or curator powers. It also preserves the per-group scoping Curators relied on — through Group Managers — so you get both finer-grained permission types and the ability to delegate a single group’s management. The next sections explain each.What’s Being Removed
- Curator role: Removed
- Global Curator role: Removed
CURATORS_CANNOT_VIEW_OR_EDIT_NON_OWNED_ASSISTANTSenvironment variable: Removed
The Curator roles go away, but the capability they provided — scoped,
per-group management — is preserved through Group Managers (see Group Managers below).
What Replaces It
The new system is built from two pieces that work together:Group permission
Granted to a group and applies organization-wide.
Every member of the group manages all resources of that type.
Group Manager
Granted to a person for a single group.
They manage only that group’s resources and members — see Group Managers.
Configurable group permissions and Group Managers rely on custom groups, which are an Enterprise Edition feature.
Community Edition keeps the two default groups, Basic and Admins (see the FAQ).
- You can grant Manage Connectors & Document Sets without granting agent management
- You can grant View Agent Analytics or View Query History without any management permissions
- You can create purpose-specific groups like “Content Managers” or “Analytics Viewers”
Group permission vs. Group Manager
The two mechanisms can grant the same permission name — Manage Connectors & Document Sets, Manage Agents, Manage Actions — but their reach is very different. This is the most important distinction to get right.| Permission | As a group permission (granted to the group) | As a Group Manager (assigned per person, per group) |
|---|---|---|
| Manage Connectors & Document Sets | Every member can create and edit any connector and document set, organization-wide | Manages only connectors and document sets shared solely within the group(s) they manage — and can’t make them public |
| Manage Agents | Every member can create and edit any agent, organization-wide | Manages only agents shared solely within the group(s) they manage — and can’t make them public |
| Manage Actions | Every member can create and edit any custom tool / MCP server, organization-wide | Manages the actions used by their managed group’s agents — actions are scoped through agents, since tools and MCP servers have no direct group association |
Available Permissions
The following permissions can be assigned to any group:| Permission | Description |
|---|---|
| Manage LLMs | Add and update configurations for language models (LLMs). |
| Manage Connectors & Document Sets | Add and update connectors and document sets. |
| Manage Actions | Add and update custom tools and MCP/OpenAPI actions. |
| Manage Groups | Add and update user groups. |
| Manage Service Accounts | Add and update service accounts and their API keys. |
| Manage Slack/Discord Bots | Add and update Onyx integrations with Slack or Discord. |
| Create Agents | Create and edit the user’s own agents. |
| Manage Agents | View and update all public and shared agents in the organization. |
| View Agent Analytics | View analytics for agents the group can manage. |
| View Query History | View query history of everyone in the organization. |
| Create User Access Token | Add and update the user’s personal access tokens. |
Group Managers
A Group Manager is a member of a group who has been given management access to a single group — its resources and its members — without organization-wide powers. Access is granted per user, per permission, per group. For example: Alice can manage connectors, but only for the connectors shared with the Engineering group. Alice does not become an organization-wide connector admin; her management access stops at Engineering’s resources.What a Group Manager can do
Scoped to the group(s) they manage, a Group Manager can:- View, edit, and remove the connectors, agents, and document sets shared with the group.
- Manage the actions (custom tools and MCP servers) used by their group’s agents.
- Add and remove members of the group.
- Create connectors, agents, and document sets — as long as each is shared with a group they manage.
- Manage resources that aren’t shared with a group they manage.
- Make a resource public, or extend its access beyond the groups they manage.
- Grant organization-wide permissions to anyone.
Credentials stay private. A Group Manager can see which credential a connector uses,
but can’t view its secret values or reuse a credential they don’t have access to when creating their own connectors.
(Unchanged by this migration.)
Which permissions can be scoped
| Permission | Can be scoped to a group? |
|---|---|
| Manage Connectors & Document Sets | Yes |
| Manage Agents | Yes |
| Create Agents | Yes |
| Manage Actions | Yes — scoped through the managed group’s agents |
| All others (Manage LLMs, Manage Groups, View Agent Analytics, View Query History, Manage Service Accounts, Manage Slack/Discord Bots, Create User Access Token) | No — organization-wide only |
Manage Actions has no direct group association — custom tools and MCP servers aren’t attached to groups directly.
A Group Manager’s scoped action management is therefore derived from the agents in the group(s)
they manage (which are shared to groups), rather than from a tool-to-group link.
There’s no risk of lockout. An Admin can always view and reset a group’s managers.
Removing a user from a group revokes their scoped permissions for that group,
and deleting a group removes any Group Manager grants tied to it.
Before and After
| Old (Current System) | New (Group-Based Permissions) |
|---|---|
| Admin role | Member of Admins group (full access) |
| Basic role | Member of Basic group (chat, search, personal agents) |
| Curator role (per-group) | Group Manager of their group(s) — scoped management of that group’s connectors, document sets, agents, and members |
| Global Curator role | Group Manager in each group they manage, or group-wide Manage permissions when organization-wide access is intended |
What changes for Curators
In the old system, a Curator could manage resources (connectors, agents, document sets) and members scoped to the specific group(s) they curated. A Global Curator had the same powers across all groups they belonged to. That single role is now split into separate, individually grantable permissions, and you choose the scope for each (see What Replaces It):- For the same per-group scoping a Curator had, make the user a Group Manager of their group(s) — see Group Managers.
- For organization-wide management, grant the permission to a group instead.
What Happens Automatically During Upgrade
The upgrade migration handles the following automatically:Admin users
All users with the Admin role are auto-joined to the Admins group. They retain full system access.
Basic users
All users with the Basic role are auto-joined to the Basic group. Their capabilities are unchanged.
Curators and Global Curators
Existing Curators and Global Curators are automatically converted to Group Managers of the groups they
curated. Their per-group management carries over — there is no lockout,
and no manual reassignment for existing groups.
This automatic conversion covers only the groups that exist at upgrade time.
For any new group you create afterward, assign its Group Managers manually.
Default groups created
Two protected groups are automatically created:
- Basic: All users are auto-joined. Grants core platform access (chat, search, personal agents).
- Admins: All former Admin users are auto-joined. Grants full system access.
Existing groups preserved
All your existing custom groups and their resource associations (connectors, document sets, agents) are preserved.
No group memberships are lost. You can then assign permissions to these groups after upgrading.
What You Need to Do
Existing Curators and Global Curators are migrated to Group Managers automatically,
so most setups need little manual work.
Your main job is to verify the result and decide how new groups are managed going forward.
Before Upgrading
- Review your Curator assignments: Note which users are Curators or Global Curators and which groups they manage, so you can confirm the conversion afterward.
- Decide where you want organization-wide management: If a team should manage all resources of a type rather than a single group’s, plan to grant that permission to a group instead.
After Upgrading
- Verify the converted Group Managers: Confirm former Curators can still manage their groups’ connectors, document sets, and agents.
- Handle new groups going forward: The migration only covers groups that existed at upgrade. For new groups, grant group permissions and assign Group Managers manually.
Timeline
Specific version numbers and dates have not been finalized yet. This page will be updated as the release schedule is confirmed. Here is the planned rollout sequence:- Now: This documentation is published so you can understand the upcoming changes and start planning.
- Before the release: Deprecation banners will appear in the Admin UI on the Users and Groups pages, warning that Curator and Global Curator roles will be removed.
- On release: The new group-based permission system ships. Curator and Global Curator roles are permanently removed. Migration runs automatically on upgrade.
Frequently Asked Questions
What if I'm not using Curators today?
What if I'm not using Curators today?
If you only use Admin and Basic roles, this change requires no action from you. Your users, groups,
and resources will continue to work exactly as they do today.
The new permission system gives you additional flexibility if you need it in the future.
What happens to resources that my Curators created?
What happens to resources that my Curators created?
All resources (connectors, document sets, agents) are preserved with their original ownership,
and the creator remains the owner.
Because former Curators become Group Managers of their groups during the migration,
they keep the ability to manage the resources shared with those groups.
Can I recreate Curator-like behavior in the new system?
Can I recreate Curator-like behavior in the new system?
Yes.
Assign the user as a Group Manager of the relevant group — they’ll manage only that group’s resources and
members, the same per-group scoping the old Curator role provided. See Group Managers.
Is this a breaking change for Community Edition (CE) users?
Is this a breaking change for Community Edition (CE) users?
No. CE behavior is identical to today. CE has two default groups (Basic and Admins)
that mirror the current Admin/Basic role split.
Custom groups with configurable permissions are an Enterprise Edition feature.
What about API keys and service accounts?
What about API keys and service accounts?
Existing Admin API keys are placed in the Admins group. Basic API keys are placed in the Basic group.
After upgrading, you can assign service accounts to specific groups for more granular access.