In most chatbot platforms, you create chat-only access by assigning users to a role that can start and view chats but cannot change agents, data sources, or team settings. In CustomGPT.ai, you do this with the built-in Chat-only role and custom roles in the Teams feature.
Scope:
Last updated – November 2025. Applies globally; align chat-only and RBAC settings with least-privilege guidance in frameworks like NIST SP 800-53 while meeting your organization’s internal security and compliance policies.
What chat-only access is
Chat-only vs editor/admin access
Chat-only access means a user can open the chatbot, ask questions, and see their own conversations—but cannot edit the bot, upload data, or manage other users.
In CustomGPT.ai, the Chat-only role is designed exactly for this: it lets people interact with agents while blocking all administrative or management features.
By contrast, standard roles like Member can create agents and sources, view logs and stats, and manage more of the environment, so they’re not suitable for strictly chat-only users.
Think of it as the difference between a website visitor (chat-only) and a site administrator (editor/admin).
Why chat-only access matters
Security, compliance, and least privilege
Security best practice says you should grant each person only the minimum access they need to do their job—the principle of least privilege.
Standards like NIST SP 800-53 AC-6 explicitly require employing least privilege so users only have access necessary for assigned tasks. Microsoft’s RBAC guidance echoes this: don’t give everyone unrestricted permissions; restrict actions to what they truly need.
Chat-only roles are how you apply these ideas to chatbots. You can roll the bot out widely (for employees, partners, or customers) without exposing training data, sensitive configurations, or team settings, and it’s much easier to audit who can actually change what. IBM’s RBAC overview describes this same pattern—roles group permissions so each user only gets what their role requires.
How to do it with CustomGPT.ai
Configure chat-only roles and access in CustomGPT.ai
Follow these steps to give people chat-only access to your CustomGPT.ai agents.
- Confirm Teams and advanced roles are available
Chat-only and advanced RBAC (custom roles, agent-specific roles, private agents) live under CustomGPT.ai Teams. The Teams docs explain that enabling advanced role-based access control lets you create agent-specific custom roles and assign chat-only access to selected agents. - Review existing team roles
Read the Basic roles guide to understand what Owner, Admin, and Member can do (for example, Members can create agents and sources, export conversations, and view logs). This helps you see why those roles are too powerful for chat-only users and when you should reach for Chat-only or custom roles instead. - Use the built-in Chat-only role for simple needs
The Chat-only role lets users interact with agents in the app while blocking access to administrative and management features—ideal for customers, external users, or internal teams who should only talk to agents. In the Teams settings, you’ll see Chat-only listed as one of the roles you can assign to invited users. - Create custom roles for more granular chat-only access
If you need nuance—like users who can chat with only some agents, or combine chat-only with other limited powers—create a custom role. The “Create custom roles” guide walks through opening Teams → Roles, creating a role, and choosing exactly which permissions (e.g., create conversations but not update agents or manage the team) it should include.
For tighter scoping, use agent-specific custom roles, which restrict access to selected agents rather than the whole workspace. - Invite users and assign Chat-only or custom roles
To add people as chat-only users, go to Teams → Invitations, enter their email, and choose the appropriate role from the User Role dropdown before sending the invite. Pick Chat-only for simple “just talk to agents” scenarios, or a custom/agent-specific role when you’ve defined something more tailored in step 4.
- Enable private agent deployment for controlled access
If you’re embedding agents on an intranet or app, turn on Private agent deployment so only logged-in, approved users can access the agent. The private deployment guide explains how to enable this and keep the agent limited to authorized users.
The “How private agent deployment works” doc clarifies that any team role—including Chat-only and custom roles—can access a private agent after logging in, but nobody can reach it without authenticating first. - Test the chat-only experience as an end user
Use the log in to a private deployed agent guide to sign in as a test Chat-only or custom-role user and confirm that you can chat with the agent but can’t see or change admin features. If everything looks good, you’re ready to roll this out to a wider group.
Example — rolling out chat-only access to an internal team
Imagine you’re deploying several CustomGPT.ai agents for your support team: one for product FAQs, one for internal policies, and one for billing questions. You want agents widely used, but only a few admins should change content or settings.
A practical rollout might look like this:
- Enable Teams and advanced RBAC, then review Basic roles, Chat-only, and custom roles so you’re clear on capabilities.
- Create any agent-specific custom roles you need (e.g., “Support – Policies only”). Assign each to the relevant agents.
- Decide which users should be Admins/Members (who can edit agents) and which should be Chat-only/custom (who should only chat).
- Invite the support team using Teams → Invitations, assigning them to Chat-only or the appropriate custom role.
- Enable Private agent deployment and embed each agent in your internal help portal so only logged-in, authorized team members can access them.
- Log in as a Chat-only user and confirm: they can talk to all intended agents but can’t change settings, upload sources, or manage the team.
- This pattern scales: as new teams join, you just assign them appropriate chat-only or custom roles, keeping tight control over who can actually modify agents.
Conclusion
Chat-only access is essential for scaling your AI agent safely. It enforces the principle of least privilege, ensuring widespread user adoption while strictly limiting access to administrative settings and sensitive data sources.
CustomGPT.ai solves this control problem directly, using built-in Chat-only and custom RBAC roles with secure Private Agent Deployment. This allows you to open your knowledge base to everyone who needs it, without sacrificing security or auditability.
FAQs
How do I give some users chat-only access to my CustomGPT.ai chatbot?
In CustomGPT.ai, you give chat-only access by assigning users to the built-in Chat-only role in the Teams settings so they can talk to agents but not edit agents, data sources, or team settings. This role is ideal for employees, customers, or partners who should only use the chatbot interface while admins and members retain full configuration and management permissions.
How can I use roles to limit chatbot permissions while following least-privilege principles?
To follow least-privilege, map each user group to the minimum access they need, using Chat-only for pure end users and custom roles for more nuanced, agent-specific permissions. In CustomGPT.ai Teams, you can create custom roles, restrict them to certain agents, and combine this with private agent deployment so only authenticated, authorized users can chat while only a few admins can change settings or data sources.