User roles
Every Onyx user is assigned one of five roles. Role changes are admin-only and take effect immediately.
Admin
Full access to all admin functionality. Admins can manage users, connectors, credentials, groups, assistants, and system settings across the entire deployment. There must always be at least one active Admin in the system.
Global Curator
Can perform connector and document management actions for all groups they are a member of, without needing to be the designated Curator of each group. They cannot change user roles or access system-level settings.
Curator
Can manage connectors and documents within the specific groups where they hold Curator status. Curators are assigned per-group by Admins. Outside their assigned groups, they have the same access as a Basic user.
Basic
Standard user. Can search, chat, and use assistants they have visibility into. Cannot perform any admin actions.
Limited
Restricted access to a subset of API endpoints. Useful for service accounts or read-only integrations that should not interact with the full platform surface.
Slack users (slack_user) and externally permissioned users (ext_perm_user) are system-managed roles assigned automatically. They do not have a web login and cannot be manually assigned.
Inviting users
Onyx supports three ways to bring users onto the platform:
- Email invite
- Domain allowlist
- Open registration
Send invitation emails directly from the Admin panel.
Invite by email
Enter one or more email addresses in the invite field and click Invite. Each address receives an email with a link to complete registration.
Managing users
The Users page in the Admin panel lists all accepted users, pending invites, and Slack users. You can filter by role, status, and email.
Changing a user’s role
Deactivating and reactivating users
Deactivating a user blocks their access without deleting their data or history.
- Deactivate: Find the user → click Deactivate. The user’s sessions are invalidated and they cannot log in.
- Reactivate: Find the deactivated user → click Activate. The user can log in again immediately.
A user must be deactivated before they can be permanently deleted.
Deleting a user
Permanently removes the user account. This action cannot be undone.
Removing a pending invite
To cancel an invitation before the user accepts it, go to the Invited tab and click Remove next to the email address.
Exporting users
Download a CSV of all users (email, role, and status) from the Users page using the Download CSV button.
Groups and teams
Groups let you organize users and restrict which connectors, documents, and assistants each set of users can access.
Add users
Open the group and use the Add Users panel to select users by email. Users can belong to multiple groups.
Assign a Curator (optional)
Within a group, you can designate one or more members as Curators. Curators can manage connectors and documents scoped to that group. Click Set Curator next to a user’s name.
SCIM provisioning (Enterprise Edition)
Enterprise Edition deployments can automate user lifecycle management using SCIM 2.0. With SCIM enabled, your identity provider (e.g. Okta, Azure AD, Google Workspace) automatically provisions and deprovisions users and syncs group memberships into Onyx. To configure SCIM, navigate to Admin panel → SCIM and generate a SCIM bearer token to provide to your identity provider. Users and groups managed via SCIM are marked as synced in the user list and cannot be manually edited.
User usage limits
Onyx enforces seat limits to match your license tier. When a seat limit is in effect:
- Inviting new users checks available seats before the invite is recorded.
- Reactivating a deactivated user checks available seats before the account is re-enabled.
- The Admin panel displays the current seat count so you can track usage.
Trial tenants have a cap on the total number of email invites that can be sent. Upgrade to a paid plan to remove this restriction.
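An added example, not part of the Onyx documentation or code: a periodic access review over the CSV from the Download CSV button described under Exporting users, checked against the role rules under User roles. The column headers, the lowercase role and status spellings (other than slack_user and ext_perm_user), the svc- naming convention for service accounts, and the approved-admin list are all assumptions to adjust for your deployment.

```python
import csv
import io

# Assumed value spellings; adjust to match the real export.
PRIVILEGED = {"admin", "global_curator", "curator"}
SYSTEM_MANAGED = {"slack_user", "ext_perm_user"}  # role names given on the page

# Constructed sample export, not real data.
SAMPLE_CSV = """email,role,status
alice@example.com,admin,active
bob@example.com,admin,inactive
carol@example.com,global_curator,active
dave@contractor.example.net,curator,active
svc-search@example.com,basic,active
erin@example.com,basic,active
"""

def review_users(csv_text, approved_admins, corp_domain):
    """Return (email, finding) pairs for an access review of the export."""
    findings = []
    active_admins = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        email = row["email"].strip().lower()
        role = row["role"].strip().lower()
        active = row["status"].strip().lower() == "active"
        if role in SYSTEM_MANAGED:
            continue  # assigned automatically, no web login to review
        if role == "admin" and active:
            active_admins.append(email)
            if email not in approved_admins:
                findings.append((email, "admin not on approved list"))
        if role in PRIVILEGED and not active:
            # Reactivation restores login immediately, so the role matters.
            findings.append((email, "deactivated account still holds privileged role"))
        if role in PRIVILEGED and active and not email.endswith("@" + corp_domain):
            findings.append((email, "privileged role held by external address"))
        if email.startswith("svc-") and role != "limited":
            findings.append((email, "service account not on Limited role"))
    if not active_admins:
        findings.append(("-", "no active Admin"))
    return findings

if __name__ == "__main__":
    for email, finding in review_users(SAMPLE_CSV, {"alice@example.com"}, "example.com"):
        print(f"{email}: {finding}")
```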
