Overview
Users access platform areas and actions based on their assigned roles, known as role-based access control (RBAC). RBAC settings are unique to each workspace — a user assigned to multiple workspaces can have a different role in each.
To manage user roles, go to Settings > Users. To create and manage custom roles, go to Settings > Security > Roles.
Preset roles
Torq offers the following preset roles:
Viewer: View-only access to the workspace.
Operator: Operational access without full creation rights.
Creator: Can create workflows and integrations.
Contributor: Creation and moderate management capabilities.
Owner: Full control over the workspace's assets and settings.
Interact Only: Access exclusively to Torq Interact, via the navigation sidebar or a direct URL.
The following roles are available in workspaces with case management enabled:
Cases Viewer: View-only access to case management.
Workspace Viewer: View-only access to the workspace, including automation and case management.
Cases Analyst: Work on cases without access to configuration settings.
Cases Contributor: Cases Analyst with permissions to create and edit dashboards in Cases Dashboards.
Organization-managed vs. workspace-managed roles
Custom roles in Torq can be managed at two levels:
Workspace roles: Created and managed within a single workspace. Only available in that workspace.
Organization-managed roles: Created centrally at the organization level and automatically available across all workspaces. Role IDs are consistent across workspaces, enabling shared workflows and integrations to work without conflicts.
Use org-managed roles for standard, repeatable access patterns. Use workspace roles only when local customization is needed.
In Settings > Security > Roles, each role is labeled by scope, Org-managed or Workspace, so you can tell at a glance where it's managed. Org-managed roles can be viewed and duplicated from a workspace but not edited locally. Any changes made at the org level are automatically reflected across all workspaces.
For details on assigning org-managed roles to users or mapping them via SSO, see Organization-managed Roles: Centralize Access Across Workspaces.
How to use
Create custom roles
You can create custom roles tailored to your organization's needs in two ways: via Settings or via workflow steps.
Create a role via Settings
Navigate: Go to Settings > Security > Roles.
Add a role: Click Create.
Name the role: Enter a unique and meaningful name and description.
Set permissions: Select the activities users with this role can perform. For each Torq page you want the role to access, go to UI Access and enable the relevant page (e.g., enable View the Workflows page to allow users to add steps to workflows).
Save: Click Save.
Default roles cannot be edited or deleted, but can be duplicated as templates. Click the three-dot (...) menu and select Duplicate. Custom roles can be edited, duplicated, and deleted; they can only be deleted when not assigned to any user.
Create a role via steps
Open a workflow: Go to Build > Workflows and create or open a workflow.
Find the steps: In the Toolbox, search
role torqto find steps for creating, listing, updating, and deleting roles.Configure the step: When using the Create Role or Update Role step, list the desired scopes in the Scope names parameter.
Set the API key: The integration instance used must have a Torq service API key with the Owner role.
To view step execution logs, ensure the custom role has the Secrets Management > View custom secrets without access to their values permission.
For additional assistance with custom role creation, contact Torq support.
Scopes
Viewer role
View-only access to Torq.
Visible UI pages
Workflows
Integrations
Workspace Variables
Templates
Activity Log
Insights
Cases Dashboards
Settings
Permissions
Permission | Scope |
View existing workflows | playbook.get |
List existing workflows | playbook.list |
View activity log data | event.read |
View integration data | integration.read |
View custom secrets without access to their values | secret.read |
View step execution data | step.read |
View existing workspace variables | workspace.variables.read |
Submit Torq interactions | interaction.submit |
View the Templates page | template.page.view |
View the Workspace Variables page | workspace.variables.page.view |
View the Insights page | insights.page.view |
View dashboards (Cases Dashboards) | dashboard.read |
View the Workflows page | workflow.page.view |
View the Integrations page | integration.page.view |
View the Activity Log page | activity.log.page.view |
View the Settings page | settings.page.view |
View Socrates conversations in the Socrates page (relevant only in workspaces where case management is enabled) | socrates.investigations.read |
Operator role
Viewer + trigger workflows.
Visible UI pages
Workflows
Integrations
Workspace Variables
Templates
Activity Log
Insights
Settings
Permissions
Permission | Scope |
View existing workflows | playbook.get |
List existing workflows | playbook.list |
Run workflows | playbook.execute |
View step execution data | step.read |
Run steps | step.execute |
View activity log data | event.read |
View integration data | integration.read |
View custom secrets without access to their values | secret.read |
Execute the Torq step Send Email | email.send |
View existing workspace variables | workspace.variables.read |
Create Torq interactions | interaction.write |
Submit Torq interactions | interaction.submit |
View the Templates page | template.page.view |
View the Workspace Variables page | workspace.variables.page.view |
View the Insights page | insights.page.view |
View the Workflows page | workflow.page.view |
View the Integrations page | integration.page.view |
View the Activity Log page | activity.log.page.view |
View the Settings page | settings.page.view |
Creator role
Operator + create and modify workflows and integrations.
Visible UI pages
Workflows
Integrations
Workspace Variables
Templates
Cases
Runbooks
Observables
Socrates
Activity Log
Insights
Cases Dashboards
Settings
Permissions
Permission | Scope |
View existing workflows | playbook.get |
List existing workflows | playbook.list |
Run workflows | playbook.execute |
Create workflows | playbook.write |
View step execution data | step.read |
Add steps to workflows | step.write |
Run steps | step.execute |
View integration data | integration.read |
Create integrations | integration.write |
View private and service API keys | apikey.read |
Create private API keys | apikey.write |
View workspace members list | user.read |
View activity log data | event.read |
View custom secrets without access to their values | secret.read |
Create and update custom secrets | secret.write |
View existing workspace variables | workspace.variables.read |
Create workspace variables | workspace.variables.write |
Create Torq interactions | interaction.write |
Submit Torq interactions | interaction.submit |
View cases assigned to others | strict.cases.read.attr.assigned.to.others |
View unassigned cases | strict.cases.read.attr.unassigned |
View dashboards (Cases Dashboards) | dashboard.read |
Create and edit dashboards (Cases Dashboards) | dashboard.write |
View the Templates page | template.page.view |
View the Workspace Variables page | workspace.variables.page.view |
View the Insights page | insights.page.view |
View the Workflows page | workflow.page.view |
View the Integrations page | integration.page.view |
View the Activity Log page | activity.log.page.view |
View the Settings page | settings.page.view |
View the Cases page (relevant only in workspaces where case management is enabled) | cases.page.view |
Initiate and participate in Socrates conversations inside a case and assign Socrates to a case (relevant only in workspaces where case management is enabled) | cm.assistant.write |
View Socrates conversations inside a case (relevant only in workspaces where case management is enabled) | cm.assistant.read
|
Initiate and participate in Socrates conversations in the Socrates page, and assign Socrates to a case (relevant only in workspaces where case management is enabled) | socrates.investigations.write |
View Socrates conversations in the Socrates page (relevant only in workspaces where case management is enabled) | socrates.investigations.read |
Investigate cases (relevant only in workspaces where case management is enabled) |
Contributor role
Creator + publish workflows.
Visible UI pages
Workflows
Integrations
Workspace Variables
Templates
Cases
Runbooks
Observables
Socrates
Activity Log
Insights
Cases Dashboards
Settings
Permissions
Permission | Scope |
View existing workflows | playbook.get |
List existing workflows | playbook.list |
Run workflows | playbook.execute |
Create workflows | playbook.write |
View step execution data | step.read |
Add steps to workflows | step.write |
Run steps | step.execute |
Publish workflows | playbook.publish |
View integration data | integration.read |
Create integrations | integration.write |
View private and service API keys | apikey.read |
Create private API keys | apikey.write |
View list of users on the workspace | user.read |
View activity log data | event.read |
View cases assigned to others | strict.cases.read.attr.assigned.to.others |
View unassigned cases | strict.cases.read.attr.unassigned |
Execute the Torq step Send Email | email.send |
View dashboards (Cases Dashboards) | dashboard.read |
Create and edit dashboards (Cases Dashboards) | dashboard.write |
Create and update cases | case.write |
View custom secrets without access to their values | secret.read |
Create and update custom secrets | secret.write |
View existing workspace variables | workspace.variables.read |
Create workspace variables | workspace.variables.write |
Create Torq interactions | interaction.write |
Submit Torq interactions | interaction.submit |
View the Templates page | template.page.view |
View the Workspace Variables page | workspace.variables.page.view |
View the Insights page | insights.page.view |
View the Workflows page | workflow.page.view |
View the Integrations page | integration.page.view |
View the Activity Log page | activity.log.page.view |
View the Settings page | settings.page.view |
View the Cases page (relevant only in workspaces where case management is enabled) | cases.page.view |
Initiate and participate in Socrates conversations inside a case and assign Socrates to a case (relevant only in workspaces where case management is enabled) | cm.assistant.write |
View Socrates conversations inside a case (relevant only in workspaces where case management is enabled) | cm.assistant.read
|
Initiate and participate in Socrates conversations in the Socrates page, and assign Socrates to a case (relevant only in workspaces where case management is enabled) | socrates.investigations.write |
View Socrates conversations in the Socrates page (relevant only in workspaces where case management is enabled) | socrates.investigations.read |
Investigate cases (relevant only in workspaces where case management is enabled) |
Owner role
Contributor + manage users and SSO.
Visible UI pages
Workflows
Integrations
Workspace Variables
Templates
Cases
Auto Triage
Runbooks
Observables
Socrates
Activity Log
Insights
Cases Dashboards
Settings
Permissions
Permission | Scope |
View existing workflows | playbook.get |
List existing workflows | playbook.list |
Run workflows | playbook.execute |
Create workflows | playbook.write |
Publish workflows | playbook.publish |
View step execution data | step.read |
Add steps to workflows | step.write |
Run steps | step.execute |
View integration data | integration.read |
Create integrations | integration.write |
View private and service API keys | apikey.read |
Create private API keys | apikey.write |
View list of users on the workspace | user.read |
Manage workspace users and configure SSO | user.write |
Create support tickets | support.write |
Execute the Torq step Send Email | email.send |
View cases assigned to others | strict.cases.read.attr.assigned.to.others |
View unassigned cases | strict.cases.read.attr.unassigned |
View dashboards (Cases Dashboards) | dashboards.read |
Create and edit dashboards (Cases Dashboards) | dashboards.write |
View IP access rules | ip.access.rule.read |
Modify IP access rules | ip.access.rule.write |
List audit logs | audit.read |
View activity log data | event.read |
View custom secrets without access to their values | secret.read |
Create and update custom secrets | secret.write |
View existing workspace variables | workspace.variables.read |
Create workspace variables | workspace.variables.write |
View the organization settings | organizations.read |
View the workspace settings | accounts.read |
Modify the workspace settings | accounts.write |
Share resources with other workspaces | resource.share |
Create Torq interactions | interaction.write |
Submit Torq interactions | interaction.submit |
View the Templates page | template.page.view |
View the Workspace Variables page | workspace.variables.page.view |
View the Insights page | insights.page.view |
View the Workflows page | workflow.page.view |
View the Integrations page | integration.page.view |
View the Activity Log page | activity.log.page.view |
View the Settings page | settings.page.view |
View the Cases page (relevant only in workspaces where case management is enabled) | cases.page.view |
Initiate and participate in Socrates conversations inside a case and assign Socrates to a case (relevant only in workspaces where case management is enabled) | cm.assistant.write |
View Socrates conversations inside a case (relevant only in workspaces where case management is enabled) | cm.assistant.read
|
Initiate and participate in Socrates conversations in the Scorates page, and assign Socrates to a case (relevant only in workspaces where case management is enabled) | socrates.investigations.write |
View Socrates conversations in the Socrates page (relevant only in workspaces where case management is enabled) | socrates.investigations.read |
Initiate and participate in Socrates conversations (relevant only in workspaces where case management is enabled) | socrates.investigations.write |
View Socrates conversations (relevant only in workspaces where case management is enabled) | socrates.investigations.read |
List and view Socrates tools | tools.read |
Create, update, and delete Socrates tools | tools.write |
Investigate and Configure Cases (relevant only in workspaces where case management is enabled) |
The Owner role includes all Auto Triage scopes by default when Auto Triage is enabled for the workspace. See Auto Triage scopes.
Interact Only role
Access Interact URLs associated with the workspace where they are designated as Interact Only users.
When an Interaction Flow starts in the middle of a workflow, it’s sent as a notification directly to the navigation sidebar. Only users granted access through email-based permissions will receive the sidebar notification and be able to act on it.
When an Interaction Flow is trigger-initiated, authorized users can access it from the sidebar or through its permanent execution URL. When it begins with a trigger, it’s accessible from the sidebar or via a permanent webpage URL.
Visible UI pages
A standalone Interaction webpage or Torq app view that includes only the Interactions configured for sidebar access.
Permissions
Permission | Scope |
Access to Interact via sidebar or dedicated webpage | interaction.submit |
View the workspace settings | accounts.read |
View list of workspace users | user.read |
Interact Only users cannot access the role assignment page (Settings > Security > Roles).
Organization Manager role
Can manage organizational resources and data.
Visible UI pages
Workspaces
Cases Dashboards
Permissions
Permission | Scope |
Read account theme | accounts.read |
Create/Update account theme | accounts.write |
List audit logs | audit.read |
View personal API keys | apikey.read |
Create personal API keys | apikey.write |
List and view cases | cm.case.read |
View cases dashboards | dashboard.read |
Create and edit cases dashboards | dashboard.write |
Deprecated | incident.read |
View the Settings page | settings.page.view |
View list of workspace users | user.read |
Manage workspace users and configure SSO | user.write |
Read metrics | metrics.read |
View IP access rules | security.config.read |
Modify IP access rules | security.config.write |
View the organization settings | organizations.read |
Deactivate/Reactivate a workspace, modify configurations | organizations.write |
Get organization license | get.organization.license |
List Workspaces | workspace.list |
Create integrations | integration.write |
Create workflows | playbook.write |
Create and update custom secrets | secret.write |
Create workspace variables | workspace.variables.write |
Share resources with other workspaces | resource.share |
Organization Viewer role
Can view organization resources and metrics.
Visible UI pages
Workspaces
Cases Dashboards
Permissions
Permission | Scope |
Read account theme | accounts.read |
List workspaces | workspace.list |
Get organization license | get.organization.license |
View list of workspace users | user.read |
View cases dashboards | dashboard.read |
View the Settings page | settings.page.view |
Read metrics | metrics.read |
List audit logs | audit.read |
View IP access rules | security.config.read |
View the organization settings | organizations.read |
List and view cases | cm.case.read |
Case-management roles and scopes
Workspaces with case management enabled have additional roles, and the default roles also have additional scopes related to case management.
Cases Viewer role
The Cases Viewer role only gives users access to the Cases page, allowing them to view cases, runbooks, and observables.
Visible UI pages
Cases
Runbooks
Observables
Socrates
Cases Dashboards
Permissions
Permissions | Scope |
View the Cases page | cases.page.view |
List and view cases | cm.case.read |
List and view observables | cm.observable.read |
List and view runbook | cm.runbook.read |
View Socrates conversations inside cases | cm.assistant.read |
View activity log data | event.read |
View integration data | integration.read |
View step execution data | step.read |
List existing workflows | playbook.list |
View existing workflows | playbook.get |
View list of workspace users | user.read |
Submit Torq interactions | interaction.submit |
View cases assigned to others | strict.cases.read.attr.assigned.to.others |
View unassigned cases | strict.cases.read.attr.unassigned |
View Socrates conversations in the Socrates page | socrates.investigations.read |
View dashboards (Cases Dashboards) | dashboard.read |
Deprecated | incident.read |
Workspace Viewer role
The Workspace Viewer role grants users view-only access to Torq, including automation and case management resources.
Visible UI pages
Workflows
Integrations
Workspace Variables
Templates
Cases
Runbooks
Observables
Socrates
Activity Log
Insights
Cases Dashboards
Settings
Permissions
Permissions | Scope |
View the Activity Log page | activity.log.page.view |
View the Cases page | cases.page.view |
List and view cases | cm.case.read |
List and view observables | cm.observable.read |
List and view runbooks | cm.runbook.read |
View Socrates conversations inside cases | cm.assistant.read |
View activity log data | event.read |
View the Insights page | insights.page.view |
View the Integrations page | integration.page.view |
List and view integrations | integration.read |
View custom secrets without access to their values | secret.read |
Submit Torq interactions | interaction.submit |
View existing workflows | playbook.get |
List existing workflows | playbook.list |
View the Settings page | settings.page.view |
View step execution data | step.read |
View the Templates page | template.page.view |
View list of workspace users | user.read |
View the Workflows page | workflow.page.view |
View the Workspace Variables page | workspace.variables.page.view |
View existing workspace variables | workspace.variables.read |
View cases assigned to others | strict.cases.read.attr.assigned.to.others |
View unassigned cases | strict.cases.read.attr.unassigned |
View dashboards (Cases Dashboards) | dashboard.read |
View Socrates conversations in the Socrates page | socrates.investigations.read |
Cases Analyst role
The Cases Analyst role only gives users access to the Cases page and enables them to perform actions on cases but not modify case management configurations.
Visible UI pages
Cases
Runbooks
Observables
Socrates
Cases Dashboards
Permissions
Permissions | Scope |
View the Cases page | cases.page.view |
List and view cases | cm.case.read |
Create and update cases, modify and create private views | cm.case.write |
Delete cases | cm.case.delete |
List and view observables | cm.observable.read |
Create and update observables | cm.observable.write |
Delete observables | cm.observable.delete |
List and view runbooks | cm.runbook.read |
View Socrates conversations inside cases | cm.assistant.read |
Initiate and particpate in Socrates conversations inside cases | cm.assistant.write |
View activity log data | event.read |
View integration data | integration.read |
View step execution data | step.read |
List existing workflows | playbook.list |
View existing workflows | playbook.get |
Run workflows | playbook.execute |
View list of workspace users | user.read |
Submit Torq interactions | interaction.submit |
View cases assigned to others | strict.cases.read.attr.assigned.to.others |
View unassigned cases | strict.cases.read.attr.unassigned |
View dashboards (Cases Dashboards) | dashboard.read |
View Socrates conversations in the Socrates page | socrates.investigations.read |
Initiate and participate in Socrates conversations in the Socrates page | socrates.investigations.write |
Deprecated | incident.write |
Deprecated | incident.read |
Cases Contributor role
Cases Analyst with permissions to create and edit dashboards in Cases Dashboards.
Visible UI pages
Cases
Runbooks
Observables
Socrates
Cases Dashboards
Permissions
Permissions | Scope |
List and view cases | cm.case.read |
Create and update cases, modify and create private views | cm.case.write |
Delete cases | cm.case.delete |
List and view observables | cm.observable.read |
Create and update observables | cm.observable.write |
Delete observables | cm.observable.delete |
List and view runbooks | cm.runbook.read |
View Socrates conversations inside cases | cm.assistant.read |
Initiate and particpate in Socrates conversations inside cases | cm.assistant.write |
View activity log data | event.read |
View integration data | integration.read |
List existing workflows | playbook.list |
View existing workflows | playbook.get |
Run workflows | playbook.execute |
View list of workspace users | user.read |
View dashboards (Cases Dashboards) | dashboard.read |
Create and edit dashboards (Cases Dashboards) | dashboard.write |
View unassigned cases | strict.cases.read.attr.unassigned |
View cases assigned to others | strict.cases.read.attr.assigned.to.others |
View the Cases page | cases.page.view |
Execute Torq interactions | interaction.execute |
Submit Torq interactions | interaction.submit |
Create Torq interactions | interaction.write |
View step execution data | step.read |
View Socrates conversations in the Socrates page | socrates.investigations.read |
Initiate and participate in Socrates conversations in the Socrates page | socrates.investigations.write |
Owner role
These are the case management–specific scopes of the Owner role.
Visible UI pages
Workflows
Integrations
Workspace Variables
Templates
Cases
Runbooks
Observables
Socrates
Activity Log
Insights
Cases Dashboards
Settings
Permissions
Permissions | Scope |
View the Cases page | cases.page.view |
List and view cases | cm.case.read |
Create and update cases, modify and create private views | cm.case.write |
Delete cases | cm.case.delete |
Modify the structure/lifecycle of cases: add and remove custom fields, associate and disassociate runbooks, and create and delete quick actions | cm.case.modify |
Make changes to case management configurations, create and modify public views. | cm.configuration.write |
List and view observables | cm.observable.read |
Create and update observables | cm.observable.write |
Delete observables | cm.observable.delete |
List and view runbooks | cm.runbook.read |
Create and update runbooks | cm.runbook.write |
View Socrates conversations inside cases | cm.assistant.read |
Initiate and particpate in Socrates conversations inside cases | cm.assistant.write |
Bypass case access restrictions | bypass.case.access.restriction |
View cases assigned to others | strict.cases.read.attr.assigned.to.others |
View unassigned cases | strict.cases.read.attr.unassigned |
View dashboards (Cases Dashboards) | dashboard.read |
Create and edit dashboards (Cases Dashboards) | dashboard.write |
View Socrates conversations in the Socrates page | socrates.investigations.read |
Initiate and participate in Socrates conversations in the Socrates page | socrates.investigations.write |
Contributor role
These are the case management–specific scopes of the Contributor role.
Visible UI pages
Workflows
Integrations
Workspace Variables
Templates
Cases
Runbooks
Observables
Socrates
Activity Log
Insights
Cases Dashboards
Settings
Permissions
Permissions | Scope |
View the Cases page | cases.page.view |
List and view cases | cm.case.read |
Create and update cases, modify and create private views | cm.case.write |
Delete cases | cm.case.delete |
List and view observables | cm.observable.read |
Create and update observables | cm.observable.write |
Delete observables | cm.observable.delete |
List and view runbooks | cm.runbook.read |
View cases assigned to others | strict.cases.read.attr.assigned.to.others |
View unassigned cases | strict.cases.read.attr.unassigned |
View dashboards (Cases Dashboards) | dashboard.read |
Create and edit dashboards (Cases Dashboards) | dashboard.write |
View Socrates conversations | socrates.investigations.read |
Initiate and participate in Socrates conversations | socrates.investigations.write |
Creator role
These are the case management–specific scopes of the Creator role.
Visible UI pages
Workflows
Integrations
Workspace Variables
Templates
Cases
Runbooks
Observables
Socrates
Activity Log
Insights
Cases Dashboards
Settings
Permissions
Permissions | Scope |
View the Cases page | cases.page.view |
List and view cases | cm.case.read |
Create and update cases, modify and create private views | cm.case.write |
Delete cases | cm.case.delete |
List and view observables | cm.observable.read |
Create and update observables | cm.observable.write |
Delete observables | cm.observable.delete |
List and view runbooks | cm.runbook.read |
View Socrates conversations inside cases | cm.assistant.read |
Initiate and particpate in Socrates conversations inside cases | cm.assistant.write |
View cases assigned to others | strict.cases.read.attr.assigned.to.others |
View unassigned cases | strict.cases.read.attr.unassigned |
View dashboards (Cases Dashboards) | dashboard.read |
Create and edit dashboards (Cases Dashboards) | dashboard.write |
View Socrates conversations in the Socrates page | socrates.investigations.read |
Initiate and participate in Socrates conversations in the Socrates page | socrates.investigations.write |
Operator role
The Operator role doesn't have access to case management.
Viewer role
The Viewer role doesn't have access to case management.
Auto Triage scopes
Workspaces with Auto Triage enabled have additional scopes. By default, the Owner role includes all Auto Triage scopes. Other roles do not have Auto Triage access by default. To grant access, create a custom role and select the relevant permissions under the Auto Triage permission group in Settings > Security > Roles.
Permission | Scope |
List and view triaged alerts |
|
View triage dashboard and metrics |
|
Create and update triage context rules |
|
Delete triage context rules |
|
View triage context rules |
|
Confirm or reject verdicts and submit feedback on alerts |
|
Deprecated scopes
The following scopes have been deprecated:
incident.read
incident.write
alert.read
alert.write
file.read
files.read
files.write
onboarding.write


