Skip to content
LearnStrategy

AI Agents for Teams: Roles, Permissions, and Collaboration

Learn how to share AI agent access across your team safely with roles, permissions, personal keys, and workspace keys.

AI Isn't Just for Solo Users

When you're the only person using an AI agent, things are simple. You connect your integrations, set your permissions, and start asking questions. But when your whole team needs access, new questions come up.

Who should be able to use the Stripe integration? Should the marketing team have access to customer data? What if a team member leaves -- how do you revoke their access?

Pipeworks is built for teams from the ground up. This guide explains how to share AI agent access across your organization safely and efficiently.

Understanding Roles

Every team member in Pipeworks is assigned a role that determines what they can do. There are three levels:

Owner

The owner has full control over everything. They can connect and disconnect integrations, manage team members, change settings, and access all tools across all integrations. Every Pipeworks workspace has at least one owner.

Typical role for: Business owner, CEO, CTO, or the primary person responsible for the AI setup.

Admin

Admins have nearly the same level of access as owners. They can use all integrations, manage most settings, and invite or remove team members. The main difference is that only owners can promote other users to admin or owner roles.

Typical role for: Department heads, operations managers, trusted senior team members.

Member

Members have the most restricted access. They can only use the specific integrations they've been assigned. They can't connect new integrations, change settings, or see integrations they haven't been given access to.

Typical role for: Individual contributors, contractors, junior team members, anyone who needs access to specific tools without full control.

Info

Start by making yourself the owner and adding key decision-makers as admins. Everyone else should start as members with access only to the integrations they need.

Access Keys: Personal vs. Workspace

Most AI assistants connect to Pipeworks via OAuth -- just paste your URL and sign in. Access keys are the alternative for programmatic access, backend automations, and agents that don't support OAuth. There are two types, and understanding the difference is important for team setups.

Personal Keys

Every team member can generate their own personal access key. This key gives them access to the integrations they've been assigned (or all integrations, if they're an owner or admin).

Personal keys are tied to a specific user. When that person leaves the team, you remove their account, and their key stops working immediately. Activity logs show which user performed each action, so you always have accountability.

Best for: Individual team members who need their own AI agent connection.

Workspace Keys

Workspace keys are shared keys that aren't tied to a specific person. They provide access to all integrations in the workspace. Only owners and admins can create and manage workspace keys.

Workspace keys are useful for shared systems -- like a team chatbot or an automated workflow that runs on behalf of the whole organization rather than a single person.

Best for: Shared automations, team-wide chatbots, or systems where multiple people use the same connection.

Warning

Workspace keys give broad access, so use them carefully. For most team setups, personal keys are the safer choice because they provide individual accountability and can be revoked independently.

Controlling What Each Person Can Access

Roles determine what a team member can manage. But for members specifically, you also control which integrations they can use.

Assigning Integrations to Members

When you add a team member as a member, they don't automatically have access to anything. You explicitly assign them to the integrations they need.

For example:

  • Your sales team gets access to Salesforce and email
  • Your finance team gets access to Stripe
  • Your marketing team gets access to analytics and email

This way, each person only has the tools relevant to their job.

S
Salesforce
20 tools · AI-powered CRM operations at scale
S
Stripe
50 tools · Automate payments, invoices, and revenue ops
M
Microsoft Outlook
29 tools · Email and calendar management for AI agents

Tool Profiles

Beyond choosing which integrations a team member can access, you can also control what they can do within each integration using tool profiles:

  • Read-only -- The team member's agent can look up information but can't make changes. Good for reporting and analysis roles.
  • No-delete -- The agent can read and create or update records but can't delete anything. Good for most day-to-day work.
  • Full access -- The agent can do everything, including deleting records. Reserve this for people who genuinely need it.

You can also disable individual tools within an integration. If you want someone to be able to look up customers in Stripe but not process refunds, you can set that up.

Setting Up Your Team: A Practical Example

Let's walk through a realistic team setup for a mid-sized company:

The Owner (You)

  • Role: Owner
  • Access: All integrations, all tools
  • Key: Personal key

Head of Operations

  • Role: Admin
  • Access: All integrations, all tools
  • Key: Personal key

Sales Rep

  • Role: Member
  • Assigned integrations: Salesforce (full access), SendGrid (read + write)
  • Key: Personal key

Marketing Analyst

  • Role: Member
  • Assigned integrations: Google Analytics (read-only), Google Ads (read-only)
  • Key: Personal key

Finance Manager

  • Role: Member
  • Assigned integrations: Stripe (read + write, no delete)
  • Key: Personal key

Shared Customer Support Bot

  • Not tied to a user
  • Key: Workspace key
  • Access: Salesforce (read-only), email (read + write)
Tip

When in doubt, give less access and expand later. It's much easier to add permissions than to deal with the consequences of someone having access they shouldn't.

When Someone Leaves the Team

One of the biggest advantages of a proper team setup is clean offboarding. When a team member leaves:

  1. Remove them from Pipeworks
  2. Their personal key is immediately invalidated
  3. No other team members are affected
  4. All their past activity is preserved in logs for accountability

If they were the only user of a workspace key, you should regenerate that key. But if you've set everyone up with personal keys (recommended), removing the person is all you need to do.

Scaling Safely

As your team grows, keep these principles in mind:

Default to member role. Only promote people to admin when they genuinely need to manage integrations or team settings.

Use personal keys over workspace keys. They provide better accountability and cleaner offboarding.

Review access quarterly. As people change roles or leave, make sure their integration access still matches their responsibilities.

Start integrations in read-only mode for new members. Let people get familiar with the tools before enabling write access.

Document your setup. Keep a simple record of who has access to what. It makes auditing and troubleshooting much easier.

Info

Every action taken through Pipeworks is logged with the user who performed it. This audit trail is essential for teams -- you always know who did what and when.

Getting Started

Start by inviting your first team member. Assign them a role, give them access to one integration, and let them try it out. Once you see how the permissions work in practice, expanding to your full team is straightforward.

Related

Learn
Is AI Safe for My Business?
Understand the real risks of using AI in your business and how modern platforms protect your data, credentials, and customer information.
Learn
What Is an AI Agent?
Learn what AI agents are, how they differ from chatbots, and how they use tools to take real actions in your business systems.

Ready to try it?

Connect your AI agent to real tools in under five minutes.

Get Started