> ## Documentation Index
> Fetch the complete documentation index at: https://docs.cassidyai.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Migrate to custom roles

> Move from legacy group permissions to custom roles while preserving team access and cleaning up generated roles afterward.

Some Cassidy workspaces used groups for both visibility and permissions. Cassidy now separates those jobs: [roles](/settings/roles-and-groups) control what people can do, and groups control which shared resources people can see.

Use this guide if your workspace shows a migration prompt for custom roles in Organization Settings. New workspaces already use the current roles and groups model.

<Info>You need admin access to manage roles and run the migration.</Info>

## What changes

Before migration, groups controlled both visibility and permissions. If someone belonged to multiple groups, their permissions were additive. For example, if one group allowed editing Workflows and another group allowed inviting members, the person could do both.

After migration, roles control privileges and groups control visibility. A person can still have multiple roles, and their effective privileges are the union of those roles. Group membership stays focused on which Agents, Workflows, Knowledge Base collections, chats, and meetings the person can access.

## What Cassidy creates

Migration is designed to preserve existing access. Cassidy generates a migration plan before changing your workspace.

<Columns cols={2}>
  <Card title="Managed role assignments" icon="user-shield">
    Legacy admins keep the managed admin role they need to manage the workspace.
  </Card>

  <Card title="Generated custom roles" icon="shield-check">
    Groups that previously granted feature permissions become custom roles, such as **Migrated: Sales Team**.
  </Card>

  <Card title="Existing groups remain" icon="users">
    Existing group memberships stay in place for visibility, so shared resources stay visible to the same teams.
  </Card>
</Columns>

<Note>Existing SAML group mappings are backfilled into role mappings where needed, so automatic role assignment keeps working after migration.</Note>

## Migrate your workspace

<Steps>
  <Step title="Open Roles">
    Go to **Organization Settings** and click **Roles**.
  </Step>

  <Step title="Start migration">
    If your workspace still uses legacy group permissions, click the migration prompt.

    <Frame>
      <img src="https://mintcdn.com/cassidy/aGcniRnn2fdQ_OnH/images/guides/custom-roles-migration-banner.png?fit=max&auto=format&n=aGcniRnn2fdQ_OnH&q=85&s=7daae91a6c2efbddf193e144933d3d29" alt="Custom roles migration banner on the Roles page with the migration action highlighted" width="2204" height="1016" data-path="images/guides/custom-roles-migration-banner.png" />
    </Frame>
  </Step>

  <Step title="Review the migration plan">
    Review the managed role assignments and custom roles Cassidy will create. The plan explains which groups map to each generated custom role.

    <Frame>
      <img src="https://mintcdn.com/cassidy/aGcniRnn2fdQ_OnH/images/guides/custom-roles-migration-modal.png?fit=max&auto=format&n=aGcniRnn2fdQ_OnH&q=85&s=e77606362d436602ee08138346c3a6ee" alt="Custom roles migration plan showing generated managed role assignments and custom roles" width="1344" height="1950" data-path="images/guides/custom-roles-migration-modal.png" />
    </Frame>
  </Step>

  <Step title="Enable custom roles">
    Click **Enable Custom Roles**. Cassidy updates your workspace to the custom roles system.
  </Step>

  <Step title="Review generated roles">
    Open each generated custom role. Rename roles to match how your team talks about access, such as **Workflow Editors** or **Knowledge Base Managers**.
  </Step>

  <Step title="Update privileges if needed">
    Adjust generated role privileges if the migrated role is broader than you want going forward. Keep the generated role in place until everyone who needs those privileges has another role that grants them.

    <Check>Your workspace now uses roles for privileges and groups for visibility.</Check>
  </Step>
</Steps>

<Warning>Do not delete generated custom roles until you have confirmed that everyone who needs those privileges has another role that grants them.</Warning>

## Next steps

<CardGroup cols={2}>
  <Card title="Assign roles and groups" icon="users-gear" href="/settings/roles-and-groups">
    Learn the current roles and groups model.
  </Card>

  <Card title="Set up SSO" icon="key" href="/settings/sso">
    Map your identity provider attributes to Cassidy roles and groups.
  </Card>
</CardGroup>
