Permissions

AgentForce permissions are simple:

• Members can use any enabled agent in the workspace
• Admins can additionally enable or disable agents from /admin/agents

There's no per-user or per-team access control on individual agents. If an agent is on for the workspace, every member can use it.

Member access

Members:

• See every enabled agent on /agentforce
• Can chat with any of them, attach files, and create threads
• Have private threads (no other user, even an admin, can read your threads)

Members cannot:

• Enable or disable agents
• See /admin/agents
• Access another user's threads

Admin access

Admins can do everything members can, plus:

• Enable / disable individual catalog agents at /admin/agents
• View workspace-level usage at /settings/workspace/usage
• Configure workspace integrations at /settings/integrations

To grant admin permissions, promote a teammate from the workspace member list.

Per-agent permissions (roadmap)

Per-agent permissions — restricting an agent to a specific team or set of users — are tracked but not yet shipped. Custom agents enable a coarser form of this: build a separate custom agent for the team's needs and use /admin/agents enable/disable to control rollout.

Action restrictions

Beyond who can use an agent, the agents themselves are restricted from taking certain actions automatically (sending email without confirmation, modifying CRM records, etc.). This isn't a permission you configure — it's baked into the catalog. See Tools and integrations for the safe-by-default boundaries.