Skip to main content

Torq Roles and Scopes: Manage Access and Permissions

Efficiently manage user access and permissions in your workspace using Torq's role-based access control (RBAC) system.

Overview

Users access platform areas and actions based on their assigned roles, known as role-based access control (RBAC). RBAC settings are unique to each workspace — a user assigned to multiple workspaces can have a different role in each.

To manage user roles, go to Settings > Users. To create and manage custom roles, go to Settings > Security > Roles.

Preset roles

Torq offers the following preset roles:

  • Viewer: View-only access to the workspace.

  • Operator: Operational access without full creation rights.

  • Creator: Can create workflows and integrations.

  • Contributor: Creation and moderate management capabilities.

  • Owner: Full control over the workspace's assets and settings.

  • Interact Only: Access exclusively to Torq Interact, via the navigation sidebar or a direct URL.

The following roles are available in workspaces with case management enabled:

  • Cases Viewer: View-only access to case management.

  • Workspace Viewer: View-only access to the workspace, including automation and case management.

  • Cases Analyst: Work on cases without access to configuration settings.

  • Cases Contributor: Cases Analyst with permissions to create and edit dashboards in Cases Dashboards.

Organization-managed vs. workspace-managed roles

Custom roles in Torq can be managed at two levels:

  • Workspace roles: Created and managed within a single workspace. Only available in that workspace.

  • Organization-managed roles: Created centrally at the organization level and automatically available across all workspaces. Role IDs are consistent across workspaces, enabling shared workflows and integrations to work without conflicts.

Use org-managed roles for standard, repeatable access patterns. Use workspace roles only when local customization is needed.

In Settings > Security > Roles, each role is labeled by scope, Org-managed or Workspace, so you can tell at a glance where it's managed. Org-managed roles can be viewed and duplicated from a workspace but not edited locally. Any changes made at the org level are automatically reflected across all workspaces.

For details on assigning org-managed roles to users or mapping them via SSO, see Organization-managed Roles: Centralize Access Across Workspaces.

How to use

Create custom roles

You can create custom roles tailored to your organization's needs in two ways: via Settings or via workflow steps.

Create a role via Settings

  1. Navigate: Go to Settings > Security > Roles.

  2. Add a role: Click Create.

  3. Name the role: Enter a unique and meaningful name and description.

  4. Set permissions: Select the activities users with this role can perform. For each Torq page you want the role to access, go to UI Access and enable the relevant page (e.g., enable View the Workflows page to allow users to add steps to workflows).

  5. Save: Click Save.

Default roles cannot be edited or deleted, but can be duplicated as templates. Click the three-dot (...) menu and select Duplicate. Custom roles can be edited, duplicated, and deleted; they can only be deleted when not assigned to any user.

Create a role via steps

  1. Open a workflow: Go to Build > Workflows and create or open a workflow.

  2. Find the steps: In the Toolbox, search role torq to find steps for creating, listing, updating, and deleting roles.

  3. Configure the step: When using the Create Role or Update Role step, list the desired scopes in the Scope names parameter.

  4. Set the API key: The integration instance used must have a Torq service API key with the Owner role.

To view step execution logs, ensure the custom role has the Secrets Management > View custom secrets without access to their values permission.

For additional assistance with custom role creation, contact Torq support.

Scopes

Viewer role

View-only access to Torq.

Visible UI pages

  • Workflows

  • Integrations

  • Workspace Variables

  • Templates

  • Activity Log

  • Insights

  • Cases Dashboards

  • Settings

Permissions

Permission

Scope

View existing workflows

playbook.get

List existing workflows

playbook.list

View activity log data

event.read

View integration data

integration.read

View custom secrets without access to their values

secret.read

View step execution data

step.read

View existing workspace variables

workspace.variables.read

Submit Torq interactions

interaction.submit

View the Templates page

template.page.view

View the Workspace Variables page

workspace.variables.page.view

View the Insights page

insights.page.view

View dashboards (Cases Dashboards)

dashboard.read

View the Workflows page

workflow.page.view

View the Integrations page

integration.page.view

View the Activity Log page

activity.log.page.view

View the Settings page

settings.page.view

View Socrates conversations in the Socrates page (relevant only in workspaces where case management is enabled)

socrates.investigations.read

Operator role

Viewer + trigger workflows.

Visible UI pages

  • Workflows

  • Integrations

  • Workspace Variables

  • Templates

  • Activity Log

  • Insights

  • Settings

Permissions

Permission

Scope

View existing workflows

playbook.get

List existing workflows

playbook.list

Run workflows

playbook.execute

View step execution data

step.read

Run steps

step.execute

View activity log data

event.read

View integration data

integration.read

View custom secrets without access to their values

secret.read

Execute the Torq step Send Email

email.send

View existing workspace variables

workspace.variables.read

Create Torq interactions

interaction.write

Submit Torq interactions

interaction.submit

View the Templates page

template.page.view

View the Workspace Variables page

workspace.variables.page.view

View the Insights page

insights.page.view

View the Workflows page

workflow.page.view

View the Integrations page

integration.page.view

View the Activity Log page

activity.log.page.view

View the Settings page

settings.page.view

Creator role

Operator + create and modify workflows and integrations.

Visible UI pages

  • Workflows

  • Integrations

  • Workspace Variables

  • Templates

  • Cases

  • Runbooks

  • Observables

  • Socrates

  • Activity Log

  • Insights

  • Cases Dashboards

  • Settings

Permissions

Permission

Scope

View existing workflows

playbook.get

List existing workflows

playbook.list

Run workflows

playbook.execute

Create workflows

playbook.write

View step execution data

step.read

Add steps to workflows

step.write

Run steps

step.execute

View integration data

integration.read

Create integrations

integration.write

View private and service API keys

apikey.read

Create private API keys

apikey.write

View workspace members list

user.read

View activity log data

event.read

View custom secrets without access to their values

secret.read

Create and update custom secrets

secret.write

View existing workspace variables

workspace.variables.read

Create workspace variables

workspace.variables.write

Create Torq interactions

interaction.write

Submit Torq interactions

interaction.submit

View cases assigned to others

strict.cases.read.attr.assigned.to.others

View unassigned cases

strict.cases.read.attr.unassigned

View dashboards (Cases Dashboards)

dashboard.read

Create and edit dashboards (Cases Dashboards)

dashboard.write

View the Templates page

template.page.view

View the Workspace Variables page

workspace.variables.page.view

View the Insights page

insights.page.view

View the Workflows page

workflow.page.view

View the Integrations page

integration.page.view

View the Activity Log page

activity.log.page.view

View the Settings page

settings.page.view

View the Cases page (relevant only in workspaces where case management is enabled)

cases.page.view

Initiate and participate in Socrates conversations inside a case and assign Socrates to a case (relevant only in workspaces where case management is enabled)

cm.assistant.write

View Socrates conversations inside a case (relevant only in workspaces where case management is enabled)

cm.assistant.read

Initiate and participate in Socrates conversations in the Socrates page, and assign Socrates to a case (relevant only in workspaces where case management is enabled)

socrates.investigations.write

View Socrates conversations in the Socrates page (relevant only in workspaces where case management is enabled)

socrates.investigations.read

Investigate cases (relevant only in workspaces where case management is enabled)

Contributor role

Creator + publish workflows.

Visible UI pages

  • Workflows

  • Integrations

  • Workspace Variables

  • Templates

  • Cases

  • Runbooks

  • Observables

  • Socrates

  • Activity Log

  • Insights

  • Cases Dashboards

  • Settings

Permissions

Permission

Scope

View existing workflows

playbook.get

List existing workflows

playbook.list

Run workflows

playbook.execute

Create workflows

playbook.write

View step execution data

step.read

Add steps to workflows

step.write

Run steps

step.execute

Publish workflows

playbook.publish

View integration data

integration.read

Create integrations

integration.write

View private and service API keys

apikey.read

Create private API keys

apikey.write

View list of users on the workspace

user.read

View activity log data

event.read

View cases assigned to others

strict.cases.read.attr.assigned.to.others

View unassigned cases

strict.cases.read.attr.unassigned

Execute the Torq step Send Email

email.send

View dashboards (Cases Dashboards)

dashboard.read

Create and edit dashboards (Cases Dashboards)

dashboard.write

Create and update cases

case.write

View custom secrets without access to their values

secret.read

Create and update custom secrets

secret.write

View existing workspace variables

workspace.variables.read

Create workspace variables

workspace.variables.write

Create Torq interactions

interaction.write

Submit Torq interactions

interaction.submit

View the Templates page

template.page.view

View the Workspace Variables page

workspace.variables.page.view

View the Insights page

insights.page.view

View the Workflows page

workflow.page.view

View the Integrations page

integration.page.view

View the Activity Log page

activity.log.page.view

View the Settings page

settings.page.view

View the Cases page (relevant only in workspaces where case management is enabled)

cases.page.view

Initiate and participate in Socrates conversations inside a case and assign Socrates to a case (relevant only in workspaces where case management is enabled)

cm.assistant.write

View Socrates conversations inside a case (relevant only in workspaces where case management is enabled)

cm.assistant.read

Initiate and participate in Socrates conversations in the Socrates page, and assign Socrates to a case (relevant only in workspaces where case management is enabled)

socrates.investigations.write

View Socrates conversations in the Socrates page (relevant only in workspaces where case management is enabled)

socrates.investigations.read

Investigate cases (relevant only in workspaces where case management is enabled)

Owner role

Contributor + manage users and SSO.

Visible UI pages

  • Workflows

  • Integrations

  • Workspace Variables

  • Templates

  • Cases

  • Auto Triage

  • Runbooks

  • Observables

  • Socrates

  • Activity Log

  • Insights

  • Cases Dashboards

  • Settings

Permissions

Permission

Scope

View existing workflows

playbook.get

List existing workflows

playbook.list

Run workflows

playbook.execute

Create workflows

playbook.write

Publish workflows

playbook.publish

View step execution data

step.read

Add steps to workflows

step.write

Run steps

step.execute

View integration data

integration.read

Create integrations

integration.write

View private and service API keys

apikey.read

Create private API keys

apikey.write

View list of users on the workspace

user.read

Manage workspace users and configure SSO

user.write

Create support tickets

support.write

Execute the Torq step Send Email

email.send

View cases assigned to others

strict.cases.read.attr.assigned.to.others

View unassigned cases

strict.cases.read.attr.unassigned

View dashboards (Cases Dashboards)

dashboards.read

Create and edit dashboards (Cases Dashboards)

dashboards.write

View IP access rules

ip.access.rule.read

Modify IP access rules

ip.access.rule.write

List audit logs

audit.read

View activity log data

event.read

View custom secrets without access to their values

secret.read

Create and update custom secrets

secret.write

View existing workspace variables

workspace.variables.read

Create workspace variables

workspace.variables.write

View the organization settings

organizations.read

View the workspace settings

accounts.read

Modify the workspace settings

accounts.write

Share resources with other workspaces

resource.share

Create Torq interactions

interaction.write

Submit Torq interactions

interaction.submit

View the Templates page

template.page.view

View the Workspace Variables page

workspace.variables.page.view

View the Insights page

insights.page.view

View the Workflows page

workflow.page.view

View the Integrations page

integration.page.view

View the Activity Log page

activity.log.page.view

View the Settings page

settings.page.view

View the Cases page (relevant only in workspaces where case management is enabled)

cases.page.view

Initiate and participate in Socrates conversations inside a case and assign Socrates to a case (relevant only in workspaces where case management is enabled)

cm.assistant.write

View Socrates conversations inside a case (relevant only in workspaces where case management is enabled)

cm.assistant.read

Initiate and participate in Socrates conversations in the Scorates page, and assign Socrates to a case (relevant only in workspaces where case management is enabled)

socrates.investigations.write

View Socrates conversations in the Socrates page (relevant only in workspaces where case management is enabled)

socrates.investigations.read

Initiate and participate in Socrates conversations (relevant only in workspaces where case management is enabled)

socrates.investigations.write

View Socrates conversations (relevant only in workspaces where case management is enabled)

socrates.investigations.read

List and view Socrates tools

tools.read

Create, update, and delete Socrates tools

tools.write

Investigate and Configure Cases (relevant only in workspaces where case management is enabled)

The Owner role includes all Auto Triage scopes by default when Auto Triage is enabled for the workspace. See Auto Triage scopes.

Interact Only role

Access Interact URLs associated with the workspace where they are designated as Interact Only users.

  • When an Interaction Flow starts in the middle of a workflow, it’s sent as a notification directly to the navigation sidebar. Only users granted access through email-based permissions will receive the sidebar notification and be able to act on it.

  • When an Interaction Flow is trigger-initiated, authorized users can access it from the sidebar or through its permanent execution URL. When it begins with a trigger, it’s accessible from the sidebar or via a permanent webpage URL.

Visible UI pages

A standalone Interaction webpage or Torq app view that includes only the Interactions configured for sidebar access.

Permissions

Permission

Scope

Access to Interact via sidebar or dedicated webpage

interaction.submit

View the workspace settings

accounts.read

View list of workspace users

user.read

Interact Only users cannot access the role assignment page (Settings > Security > Roles).

Organization Manager role

Can manage organizational resources and data.

Visible UI pages

  • Workspaces

  • Cases Dashboards

Permissions

Permission

Scope

Read account theme

accounts.read

Create/Update account theme

accounts.write

List audit logs

audit.read

View personal API keys

apikey.read

Create personal API keys

apikey.write

List and view cases

cm.case.read

View cases dashboards

dashboard.read

Create and edit cases dashboards

dashboard.write

Deprecated

incident.read

View the Settings page

settings.page.view

View list of workspace users

user.read

Manage workspace users and configure SSO

user.write

Read metrics

metrics.read

View IP access rules

security.config.read

Modify IP access rules

security.config.write

View the organization settings

organizations.read

Deactivate/Reactivate a workspace, modify configurations

organizations.write

Get organization license

get.organization.license

List Workspaces

workspace.list

Create integrations

integration.write

Create workflows

playbook.write

Create and update custom secrets

secret.write

Create workspace variables

workspace.variables.write

Share resources with other workspaces

resource.share

Organization Viewer role

Can view organization resources and metrics.

Visible UI pages

  • Workspaces

  • Cases Dashboards

Permissions

Permission

Scope

Read account theme

accounts.read

List workspaces

workspace.list

Get organization license

get.organization.license

View list of workspace users

user.read

View cases dashboards

dashboard.read

View the Settings page

settings.page.view

Read metrics

metrics.read

List audit logs

audit.read

View IP access rules

security.config.read

View the organization settings

organizations.read

List and view cases

cm.case.read

Case-management roles and scopes

Workspaces with case management enabled have additional roles, and the default roles also have additional scopes related to case management.

Cases Viewer role

The Cases Viewer role only gives users access to the Cases page, allowing them to view cases, runbooks, and observables.

Visible UI pages

  • Cases

  • Runbooks

  • Observables

  • Socrates

  • Cases Dashboards

Permissions

Permissions

Scope

View the Cases page

cases.page.view

List and view cases

cm.case.read

List and view observables

cm.observable.read

List and view runbook​

cm.runbook.read

View Socrates conversations inside cases

cm.assistant.read

View activity log data

event.read

View integration data

integration.read

View step execution data

step.read

List existing workflows

playbook.list​

View existing workflows​

playbook.get

View list of workspace users

user.read

Submit Torq interactions

interaction.submit

View cases assigned to others

strict.cases.read.attr.assigned.to.others

View unassigned cases

strict.cases.read.attr.unassigned

View Socrates conversations in the Socrates page

socrates.investigations.read

View dashboards (Cases Dashboards)

dashboard.read

Deprecated

incident.read

Workspace Viewer role

The Workspace Viewer role grants users view-only access to Torq, including automation and case management resources.

Visible UI pages

  • Workflows

  • Integrations

  • Workspace Variables

  • Templates

  • Cases

  • Runbooks

  • Observables

  • Socrates

  • Activity Log

  • Insights

  • Cases Dashboards

  • Settings

Permissions

Permissions

Scope

View the Activity Log page

activity.log.page.view

View the Cases page

cases.page.view

List and view cases

cm.case.read

List and view observables

cm.observable.read

List and view runbooks

cm.runbook.read

View Socrates conversations inside cases

cm.assistant.read

View activity log data

event.read

View the Insights page

insights.page.view

View the Integrations page

integration.page.view

List and view integrations

integration.read

View custom secrets without access to their values

secret.read

Submit Torq interactions

interaction.submit

View existing workflows

playbook.get

List existing workflows

playbook.list

View the Settings page

settings.page.view

View step execution data

step.read

View the Templates page

template.page.view

View list of workspace users

user.read

View the Workflows page

workflow.page.view

View the Workspace Variables page

workspace.variables.page.view

View existing workspace variables

workspace.variables.read

View cases assigned to others

strict.cases.read.attr.assigned.to.others

View unassigned cases

strict.cases.read.attr.unassigned

View dashboards (Cases Dashboards)

dashboard.read

View Socrates conversations in the Socrates page

socrates.investigations.read

Cases Analyst role

The Cases Analyst role only gives users access to the Cases page and enables them to perform actions on cases but not modify case management configurations.

Visible UI pages

  • Cases

  • Runbooks

  • Observables

  • Socrates

  • Cases Dashboards

Permissions

Permissions

Scope

View the Cases page

cases.page.view

List and view cases

cm.case.read

Create and update cases, modify and create private views

cm.case.write

Delete cases

cm.case.delete

List and view observables

cm.observable.read

Create and update observables

cm.observable.write

Delete observables

cm.observable.delete

List and view runbooks

cm.runbook.read

View Socrates conversations inside cases

cm.assistant.read

Initiate and particpate in Socrates conversations inside cases

cm.assistant.write

View activity log data

event.read

View integration data

integration.read

View step execution data

step.read

List existing workflows

playbook.list

View existing workflows

playbook.get

Run workflows

playbook.execute

View list of workspace users

user.read

Submit Torq interactions

interaction.submit

View cases assigned to others

strict.cases.read.attr.assigned.to.others

View unassigned cases

strict.cases.read.attr.unassigned

View dashboards (Cases Dashboards)

dashboard.read

View Socrates conversations in the Socrates page

socrates.investigations.read

Initiate and participate in Socrates conversations in the Socrates page

socrates.investigations.write

Deprecated

incident.write

Deprecated

incident.read

Cases Contributor role

Cases Analyst with permissions to create and edit dashboards in Cases Dashboards.

Visible UI pages

  • Cases

  • Runbooks

  • Observables

  • Socrates

  • Cases Dashboards

Permissions

Permissions

Scope

List and view cases

cm.case.read

Create and update cases, modify and create private views

cm.case.write

Delete cases

cm.case.delete

List and view observables

cm.observable.read

Create and update observables

cm.observable.write

Delete observables

cm.observable.delete

List and view runbooks

cm.runbook.read

View Socrates conversations inside cases

cm.assistant.read

Initiate and particpate in Socrates conversations inside cases

cm.assistant.write

View activity log data

event.read

View integration data

integration.read

List existing workflows

playbook.list

View existing workflows

playbook.get

Run workflows

playbook.execute

View list of workspace users

user.read

View dashboards (Cases Dashboards)

dashboard.read

Create and edit dashboards (Cases Dashboards)

dashboard.write

View unassigned cases

strict.cases.read.attr.unassigned

View cases assigned to others

strict.cases.read.attr.assigned.to.others

View the Cases page

cases.page.view

Execute Torq interactions

interaction.execute

Submit Torq interactions

interaction.submit

Create Torq interactions

interaction.write

View step execution data

step.read

View Socrates conversations in the Socrates page

socrates.investigations.read

Initiate and participate in Socrates conversations in the Socrates page

socrates.investigations.write

Owner role

These are the case management–specific scopes of the Owner role.

Visible UI pages

  • Workflows

  • Integrations

  • Workspace Variables

  • Templates

  • Cases

  • Runbooks

  • Observables

  • Socrates

  • Activity Log

  • Insights

  • Cases Dashboards

  • Settings

Permissions

Permissions

Scope

View the Cases page

cases.page.view

List and view cases

cm.case.read

Create and update cases, modify and create private views

cm.case.write

Delete cases

cm.case.delete

Modify the structure/lifecycle of cases: add and remove custom fields, associate and disassociate runbooks, and create and delete quick actions

cm.case.modify

Make changes to case management configurations, create and modify public views.

cm.configuration.write

List and view observables

cm.observable.read

Create and update observables

cm.observable.write

Delete observables

cm.observable.delete

List and view runbooks

cm.runbook.read

Create and update runbooks

cm.runbook.write

View Socrates conversations inside cases

cm.assistant.read

Initiate and particpate in Socrates conversations inside cases

cm.assistant.write

Bypass case access restrictions

bypass.case.access.restriction

View cases assigned to others

strict.cases.read.attr.assigned.to.others

View unassigned cases

strict.cases.read.attr.unassigned

View dashboards (Cases Dashboards)

dashboard.read

Create and edit dashboards (Cases Dashboards)

dashboard.write

View Socrates conversations in the Socrates page

socrates.investigations.read

Initiate and participate in Socrates conversations in the Socrates page

socrates.investigations.write

Contributor role

These are the case management–specific scopes of the Contributor role.

Visible UI pages

  • Workflows

  • Integrations

  • Workspace Variables

  • Templates

  • Cases

  • Runbooks

  • Observables

  • Socrates

  • Activity Log

  • Insights

  • Cases Dashboards

  • Settings

Permissions

Permissions

Scope

View the Cases page

cases.page.view

List and view cases

cm.case.read

Create and update cases, modify and create private views

cm.case.write

Delete cases

cm.case.delete

List and view observables

cm.observable.read

Create and update observables

cm.observable.write

Delete observables

cm.observable.delete

List and view runbooks

cm.runbook.read

View cases assigned to others

strict.cases.read.attr.assigned.to.others

View unassigned cases

strict.cases.read.attr.unassigned

View dashboards (Cases Dashboards)

dashboard.read

Create and edit dashboards (Cases Dashboards)

dashboard.write

View Socrates conversations

socrates.investigations.read

Initiate and participate in Socrates conversations

socrates.investigations.write

Creator role

These are the case management–specific scopes of the Creator role.

Visible UI pages

  • Workflows

  • Integrations

  • Workspace Variables

  • Templates

  • Cases

  • Runbooks

  • Observables

  • Socrates

  • Activity Log

  • Insights

  • Cases Dashboards

  • Settings

Permissions

Permissions

Scope

View the Cases page

cases.page.view

List and view cases

cm.case.read

Create and update cases, modify and create private views

cm.case.write

Delete cases

cm.case.delete

List and view observables

cm.observable.read

Create and update observables

cm.observable.write

Delete observables

cm.observable.delete

List and view runbooks

cm.runbook.read

View Socrates conversations inside cases

cm.assistant.read

Initiate and particpate in Socrates conversations inside cases

cm.assistant.write

View cases assigned to others

strict.cases.read.attr.assigned.to.others

View unassigned cases

strict.cases.read.attr.unassigned

View dashboards (Cases Dashboards)

dashboard.read

Create and edit dashboards (Cases Dashboards)

dashboard.write

View Socrates conversations in the Socrates page

socrates.investigations.read

Initiate and participate in Socrates conversations in the Socrates page

socrates.investigations.write

Operator role

The Operator role doesn't have access to case management.

Viewer role

The Viewer role doesn't have access to case management.

Auto Triage scopes

Workspaces with Auto Triage enabled have additional scopes. By default, the Owner role includes all Auto Triage scopes. Other roles do not have Auto Triage access by default. To grant access, create a custom role and select the relevant permissions under the Auto Triage permission group in Settings > Security > Roles.

Permission

Scope

List and view triaged alerts

triage.alert.read

View triage dashboard and metrics

triage.dashboard.read

Create and update triage context rules

triage.context.write

Delete triage context rules

triage.context.delete

View triage context rules

triage.context.read

Confirm or reject verdicts and submit feedback on alerts

triage.alert.write

Deprecated scopes

The following scopes have been deprecated:

  • incident.read

  • incident.write

  • alert.read

  • alert.write

  • file.read

  • files.read

  • files.write

  • onboarding.write

Did this answer your question?