From 60a66b658cb7e717fafb2ce5057a1c310ec9f9cc Mon Sep 17 00:00:00 2001 From: "claude[bot]" <41898282+claude[bot]@users.noreply.github.com> Date: Fri, 17 Apr 2026 05:41:29 +0000 Subject: [PATCH] docs(TSP-1169): document member OAuth account access for dynamic auth Non-admin team members can now add their own OAuth accounts when dynamic authentication is enabled on a shared agent. Update user-level-authentication.mdx to clarify this capability in the setup section, first-time auth flow, privacy section, and a new FAQ entry. Update rbac.mdx permissions table and add a note distinguishing project-level OAuth management (admin-only) from personal OAuth for dynamic auth (all members). Co-Authored-By: Claude Sonnet 4.6 --- enterprise/rbac.mdx | 5 +++++ enterprise/user-level-authentication.mdx | 21 +++++++++++++++++---- 2 files changed, 22 insertions(+), 4 deletions(-) diff --git a/enterprise/rbac.mdx b/enterprise/rbac.mdx index 1f147a64..08e8ddaf 100644 --- a/enterprise/rbac.mdx +++ b/enterprise/rbac.mdx @@ -104,6 +104,7 @@ Scroll horizontally to view all columns, including the Chat role permissions. | Delete project | ✅ | ❌ | ❌ | ❌ | ❌ | | Assign project roles to users | ✅ | ❌ | ❌ | ❌ | ❌ | | Manage project-level API keys & OAuths | ✅ | ❌ | ❌ | ❌ | ❌ | +| Add personal OAuth accounts (dynamic auth) | ✅ | ✅ | ✅ | ✅ | ✅ | | Delete agents | ✅ | ✅ | ❌ | ❌ | ❌ | | View all assets by default | ✅ | ✅ | ❌ | ❌ | ❌ | | Edit/run assets they did not create | ✅ | ✅ | ❌ | ❌ | ❌ | @@ -114,6 +115,10 @@ Scroll horizontally to view all columns, including the Chat role permissions. | Run a chat (LLM) | ✅ | ✅ | ✅ | ✅ | ✅ | + +"Manage project-level API keys & OAuths" refers to shared, project-wide accounts only. All team members can add their own personal OAuth accounts when [dynamic authentication](/enterprise/user-level-authentication) is enabled on a shared agent — this is not restricted to admins. + + ### Chat Role Details 
diff --git a/enterprise/user-level-authentication.mdx b/enterprise/user-level-authentication.mdx index 025a04ac..e3d1d5df 100644 --- a/enterprise/user-level-authentication.mdx +++ b/enterprise/user-level-authentication.mdx @@ -107,6 +107,10 @@ When this is enabled, any agent using this tool will require each user to authen If you have [asset-level authentication controls](/enterprise/rbac#permissions) enabled through RBAC, users can also choose from project-level shared accounts instead of authorizing their individual accounts. + +When dynamic authentication is enabled on a shared agent, all team members — not just admins — can add their own OAuth accounts. Members can only manage their own private accounts and cannot view or modify project-level shared accounts, which remain admin-managed. + + ## User experience in Chat When users interact with an agent in Chat that has User Level Authentication enabled, the authentication flow is seamless and intuitive. 
@@ -117,11 +121,14 @@ When users interact with an agent in Chat that has User Level Authentication ena ### First-time authentication -When a user runs an agent that requires User Level Authentication for the first time: +All team members — not just admins — will see the authentication prompt when using an agent with dynamic authentication enabled for the first time. + +1. When you run an agent that requires User Level Authentication for the first time, a pop-up appears with the guidance "Connect your account to use this tool." +2. Click the 'Select connected account' dropdown to choose an account. If your project has shared accounts available, they appear here alongside your personal options. +3. To connect your own account, click 'Add account' to start the OAuth login flow for that integration. +4. Follow the on-screen steps to log in. Your credentials are saved automatically for future runs. -1. If you call an Agent that requires User Level Authentication for the first time, you will see a pop up appear when you need to connect an account. -2. To do this, click the 'Select connected account' dropdown, and choose a shared account from here, or add your own private account. -3. Then, click 'Add account' to continue onto your account log in, and follow the next steps to log into your account on the integration you're connecting to. +Members can only add and manage their own private accounts. Project-level shared accounts are managed by project admins and cannot be modified by members. ### Subsequent uses 
@@ -152,6 +159,8 @@ Integration defaults pre-populate when you create new assets or use assets for t ### Privacy and account visibility +All team members — not just admins — can add their own OAuth accounts when dynamic authentication is enabled on an agent. Members can connect their own private credentials without needing admin intervention, and can only see and manage their own private accounts. They cannot view or modify project-level shared accounts. + To protect privacy and security: - **Private accounts are hidden** - Your personal accounts won't be visible to other users @@ -193,4 +202,8 @@ To protect privacy and security: No. User Level Authentication only supports OAuth-based integrations. If your integration uses API key authentication, Python code steps, or custom API calls with bearer tokens, you'll need to use a shared account instead. Only integrations that use OAuth to connect user accounts (like Google Sheets, Slack, HubSpot, Notion, etc.) are compatible with User Level Authentication. + + + Yes. When dynamic authentication is enabled on a shared agent, all team members can add their own OAuth accounts — this is not limited to admins. Members see an "Add account" button with the guidance "Connect your account to use this tool." Members can only manage their own private accounts; they cannot view or modify project-level shared accounts, which remain admin-managed. +
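Review bot: In enterprise/rbac.mdx, hunk @@ -104,6 +104,7, the new row "Add personal OAuth accounts (dynamic auth)" shows an unconditional ✅ in all five role columns, while the note added in the following hunk says the capability applies only "when dynamic authentication is enabled on a shared agent". Mark the cells as conditional, for example with a footnote marker tied to that note, so that someone auditing the permissions table does not read it as every role always being able to attach third-party OAuth credentials.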
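Review bot: In enterprise/rbac.mdx, hunk @@ -114,6 +115,10, the link text "dynamic authentication" points at /enterprise/user-level-authentication, whose surrounding text calls the feature "User Level Authentication" throughout. The patch never states that the two names refer to the same setting. Either use the existing name in the link text or define the equivalence once, so a reader looking for the toggle knows which control this permission depends on.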
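Review bot: In enterprise/user-level-authentication.mdx, hunk @@ -107,6 +107,10, the added sentence says members "cannot view or modify project-level shared accounts", but the unchanged line directly above it says users "can also choose from project-level shared accounts", and the rewritten step 2 later in the file says shared accounts "appear here alongside your personal options". A member who can pick a shared account from a dropdown can see that it exists. State the boundary precisely, for example that members can select a shared account for a run but cannot see its credentials or change it.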
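Review bot: In enterprise/user-level-authentication.mdx, hunk @@ -117,11 +121,14, new step 4 says "Your credentials are saved automatically for future runs" without saying how a member disconnects the account afterwards. Now that every member can complete this flow without an admin, the steps should end with a pointer to where a saved account can be removed or re-authorized, or a link to the section that covers it if one exists.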
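Review bot: In enterprise/user-level-authentication.mdx, hunk @@ -152,6 +159,8, the added paragraph says members "can only see and manage their own private accounts" and the bullet below it says personal accounts "won't be visible to other users", but neither says whether project admins count as other users. Since the change lets members connect credentials "without needing admin intervention", document whether admins can list or remove member-added accounts. This paragraph is also the third near-identical "All team members — not just admins" statement in the file; consider keeping the one in the setup section and linking to it from here.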
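Review bot: In enterprise/user-level-authentication.mdx, hunk @@ -193,4 +202,8, the FAQ answer describes the UI differently from the first-time authentication steps added earlier in the same patch. Here members "see an "Add account" button with the guidance", whereas the steps put the guidance text on the pop-up and reach 'Add account' only after opening the 'Select connected account' dropdown. Align the two descriptions and use one quoting style for the button label.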