Global, automation and scope admins
Global admins
Global admins are the people who can manage the workspace as a whole. They include:- Native Slack admins
- Slack workspace owners and primary owners
- Users with the CodeRabbit
cr_adminoverride
Automation admins
Automation admins are CodeRabbit Agent users who can help manage automations without receiving full workspace-admin access. Workspace admins assign this role from Workspace Users. When Automation admin management is enabled, Automation admins can view automation admin surfaces and manage same-workspace automations. Any linked workspace user can create automations, but Automation admins can manage more than their own created automations when this setting is enabled. They cannot manage the full workspace, reset workspace connections, manage users, or administer scopes unless they also have another role that grants those permissions.Scope admins
admins can manage only the scopes assigned to them. They can tune repositories, connections, spend settings, and channel targeting for those scopes, but they cannot manage the full workspace or admin-only web surfaces such as Automations, Sandboxes, or workspace user management.Scope admins cannot edit the Base Scope. The Base Scope remains reserved for global admins, although scope admins can still view it in read-only mode.
What each role can do
Global admins have full access to all workspace actions and settings. Every action listed in the table below is always available to global admins regardless of any other configuration.
Account Settings and account removal
The Account Settings page is visible only to workspace (global) admins. Account Settings includes workspace-wide controls such as resetting the GitHub connection and permanently removing the CodeRabbit Agent account.Only workspace admins can access the Danger Zone controls in Account Settings, including Delete account. If you need to remove the account, sign in as a workspace admin before opening that page.
Workspace activity visibility
Usage visibility is role-aware.Knowledge Base privacy
Knowledge follows Slack privacy boundaries.
Private knowledge can reference shared knowledge, but it should not be silently treated as shared workspace memory.
Shared sandbox access
CodeRabbit Agent currently uses a shared workspace sandbox model rather than a private sandbox for every individual user. That makes workspace governance important:- Configuration changes affect the workspace environment
- Saved state can be reused across runs
- Admins should be deliberate about who can manage sandbox settings
Good rollout practices
- Keep the Base Scope conservative at first
- Delegate scopes only where needed
- Review usage visibility before wider rollout
- Treat private channels and DM knowledge as materially different from shared workspace memory
Whatโs next
Slack permissions
Review the Slack app and OAuth permissions CodeRabbit Agent requests and why they are needed.
Usage
See what activity global admins, scope admins, and other members can inspect after rollout.
Sandboxes
Understand the shared sandbox model and how workspace-level execution state is managed.