Eval Labs Canon

# Your Role and Access > [!summary] > Eval Labs access is role-based. Evaluators have the full evaluator workbench, testers have a narrower prompt-testing lane, and owner/admin retain oversight surfaces. --- ## Current roles Eval Labs currently uses these roles: - `owner`: full access - `admin`: full privileged operational access - `evaluator`: full evaluator workbench and own-run review/history access - `tester`: entry-level prompt-testing lane - unassigned or missing role: limited/no protected access Missing or unclear access should fail closed. Read the canonical matrix: [[08 - Eval Labs Roles and Access Matrix|Eval Labs Roles and Access Matrix]]. --- ## What evaluators can use Allowed: - `/lucia/custom` - `/lucia/auto-generated` - `/guest-facing/verification` - `/guest-facing/verification/results` - `/lucia/batch-runner` - `/lucia/automated/runs` for your own scoped runs - `/runs/:sessionId/running` for your own scoped runs - `/runs/:sessionId/review` for your own scoped runs - `/runs/:sessionId/review?eval=:caseId` for your own scoped runs You can review and finalize your own assigned/scoped runs. --- ## What evaluators cannot use Blocked unless explicitly allowed later: - `/analysis` - `/experiments` - `/analysis/runs/:sessionId` - `/team-review` - `/team-review/evaluators/:evaluatorKey` - `/registry-diagnostics` - `/dataset-diagnostics` - `/behavioral-observatory` Also blocked: - all-user analytics - cleanup/tools - Global Analysis surfaces - Team Review - Global Analysis - Registry Diagnostics - Behavioral Observatory - Single Run Analysis --- ## Tester distinction Tester is not the same as evaluator. Testers can use: - Custom Prompt Test - Auto-generated Prompt Test Testers cannot use verification, Controlled Batch Runner, Team Review, Global Analysis, Registry Diagnostics, Behavioral Observatory, or owner/admin tools. --- ## Active hardening The evaluator workspace has been redesigned into a premium onboarding/workspace surface, but polish remains active hardening. If you expected to see a surface, ask an owner/admin. Do not work around the role boundary.