What chat-only access is
Chat-only vs editor/admin access
Chat-only access means a user can open the chatbot, ask questions, and see their own conversations—but cannot edit the bot, upload data, or manage other users. In CustomGPT.ai, the Chat-only role is designed exactly for this: it lets people interact with agents while blocking all administrative or management features. By contrast, standard roles like Member can create agents and sources, view logs and stats, and manage more of the environment, so they’re not suitable for strictly chat-only users. Think of it as the difference between a website visitor (chat-only) and a site administrator (editor/admin).Why chat-only access matters
Security, compliance, and least privilege
Security best practice says you should grant each person only the minimum access they need to do their job—the principle of least privilege. Standards like NIST SP 800-53 AC-6 explicitly require employing least privilege so users only have access necessary for assigned tasks. Microsoft’s RBAC guidance echoes this: don’t give everyone unrestricted permissions; restrict actions to what they truly need. Chat-only roles are how you apply these ideas to chatbots. You can roll the bot out widely (for employees, partners, or customers) without exposing training data, sensitive configurations, or team settings, and it’s much easier to audit who can actually change what. IBM’s RBAC overview describes this same pattern—roles group permissions so each user only gets what their role requires.How to do it with CustomGPT.ai
Configure chat-only roles and access in CustomGPT.ai
Follow these steps to give people chat-only access to your CustomGPT.ai agents.- Confirm Teams and advanced roles are available Chat-only and advanced RBAC (custom roles, agent-specific roles, private agents) live under CustomGPT.ai Teams. The Teams docs explain that enabling advanced role-based access control lets you create agent-specific custom roles and assign chat-only access to selected agents.
- Review existing team roles Read the Basic roles guide to understand what Owner, Admin, and Member can do (for example, Members can create agents and sources, export conversations, and view logs). This helps you see why those roles are too powerful for chat-only users and when you should reach for Chat-only or custom roles instead.
- Use the built-in Chat-only role for simple needs The Chat-only role lets users interact with agents in the app while blocking access to administrative and management features—ideal for customers, external users, or internal teams who should only talk to agents. In the Teams settings, you’ll see Chat-only listed as one of the roles you can assign to invited users.
- Create custom roles for more granular chat-only access If you need nuance—like users who can chat with only some agents, or combine chat-only with other limited powers—create a custom role. The “Create custom roles” guide walks through opening Teams → Roles, creating a role, and choosing exactly which permissions (e.g., create conversations but not update agents or manage the team) it should include. For tighter scoping, use agent-specific custom roles, which restrict access to selected agents rather than the whole workspace.
- Invite users and assign Chat-only or custom roles
- Enable private agent deployment for controlled access If you’re embedding agents on an intranet or app, turn on Private agent deployment so only logged-in, approved users can access the agent. The private deployment guide explains how to enable this and keep the agent limited to authorized users. The “How private agent deployment works” doc clarifies that any team role—including Chat-only and custom roles—can access a private agent after logging in, but nobody can reach it without authenticating first.
- Test the chat-only experience as an end user Use the log in to a private deployed agent guide to sign in as a test Chat-only or custom-role user and confirm that you can chat with the agent but can’t see or change admin features. If everything looks good, you’re ready to roll this out to a wider group.
Example — rolling out chat-only access to an internal team
Imagine you’re deploying several CustomGPT.ai agents for your support team: one for product FAQs, one for internal policies, and one for billing questions. You want agents widely used, but only a few admins should change content or settings. A practical rollout might look like this:- Enable Teams and advanced RBAC, then review Basic roles, Chat-only, and custom roles so you’re clear on capabilities.
- Create any agent-specific custom roles you need (e.g., “Support – Policies only”). Assign each to the relevant agents.
- Decide which users should be Admins/Members (who can edit agents) and which should be Chat-only/custom (who should only chat).
- Invite the support team using Teams → Invitations, assigning them to Chat-only or the appropriate custom role.
- Enable Private agent deployment and embed each agent in your internal help portal so only logged-in, authorized team members can access them.
- Log in as a Chat-only user and confirm: they can talk to all intended agents but can’t change settings, upload sources, or manage the team.
- This pattern scales: as new teams join, you just assign them appropriate chat-only or custom roles, keeping tight control over who can actually modify agents.
Conclusion
Chat-only access is essential for scaling your AI agent safely. It enforces the principle of least privilege, ensuring widespread user adoption while strictly limiting access to administrative settings and sensitive data sources. CustomGPT.ai solves this control problem directly, using built-in Chat-only and custom RBAC roles with secure Private Agent Deployment. This allows you to open your knowledge base to everyone who needs it, without sacrificing security or auditability.FAQs
How do I give some users chat-only access to my CustomGPT.ai chatbot?
In CustomGPT.ai, you give chat-only access by assigning users to the built-in Chat-only role in the Teams settings so they can talk to agents but not edit agents, data sources, or team settings. This role is ideal for employees, customers, or partners who should only use the chatbot interface while admins and members retain full configuration and management permissions.How can I use roles to limit chatbot permissions while following least-privilege principles?
To follow least-privilege, map each user group to the minimum access they need, using Chat-only for pure end users and custom roles for more nuanced, agent-specific permissions. In CustomGPT.ai Teams, you can create custom roles, restrict them to certain agents, and combine this with private agent deployment so only authenticated, authorized users can chat while only a few admins can change settings or data sources.Frequently Asked Questions
What does chat-only access let a team member do?
Chicago Public Schools handled 13,495 HR questions with a 91% AI success rate by letting staff ask the bot without giving them admin rights. In practice, chat-only access lets a user open the chatbot, ask questions, and see their own conversations, but it blocks changes to agents, data sources, and team settings. It is best for people who need answers without admin or editing permissions.
How do I share an agent with specific users and keep it chat-only?
Ontop’s 200-person team uses “Barry” to answer over 100 legal questions a week. To keep access chat-only for specific people, add them to your team, assign the built-in Chat-only role or a narrower custom role, and limit that access to the selected private agent. This approach is useful when approved users should chat with one agent without getting broader workspace permissions.
Can chat-only users see or change my chatbot’s sources, prompts, or team settings?
GEMA handles 248,000 inquiries a year at an 88% success rate while keeping control of its knowledge system centralized. Chat-only users can interact with the agent and review their own chats, but they should not be able to edit the bot, upload data, manage other users, or change team settings. That separation helps reduce accidental changes and keeps administration with the people responsible for configuration.
When should I use the built-in Chat-only role instead of a custom role?
Overture Partners cut training time from 13 weeks to 2 weeks after giving 200+ employees access to 400+ documents through one assistant. Use the built-in Chat-only role when users only need to ask questions and view their own conversations. Choose a custom role when access needs to be more narrowly scoped, such as limiting someone to selected agents. As Mark Aiello of Overture Partners put it, “CustomGPT is our own personal time machine. It gives answers instantly and provides perhaps more in-depth responses to questions than they’d ever get by polling any one individual.”
Why isn’t the chatbot showing up for some users?
Biamp rolled out internal and external AI assistants in under 30 days across 90+ languages. If a chatbot is missing for some users, the most likely issue is access configuration: the person is not in the team, does not have the intended role, or was not given access to that private agent. Check those three items in order to narrow down the problem quickly.
How does chat-only access help with least-privilege and compliance?
Chat-only access supports least privilege by letting people ask the bot for answers without giving them permission to edit agents, upload data, or manage settings. That aligns with the page’s cited guidance around NIST SP 800-53 AC-6 and role-based access control. For teams handling HR, legal, or policy content, it also helps that the platform is SOC 2 Type 2 certified, GDPR compliant, and states that customer data is not used for model training.