Projects sit at the heart of how n8n scales inside larger organizations. They are the unit that allows a single n8n instance to be shared safely across teams, business units, and environments, without turning automation into a free-for-all.
Each Project acts as an isolated workspace with its own workflows, credentials, data, variables, and execution history. This isolation is what makes it possible to run n8n as a central platform rather than spinning up separate instances for every team. It also creates the foundation for ownership, accountability, and governance as usage grows.
At enterprise scale, the challenge is no longer whether automation works, but how it is controlled. Without strong project-level access controls, organizations quickly run into familiar problems:
- overly broad permissions,
- shared credentials that are hard to audit,
- manual role changes that drift over time,
- blurred lines between who can build, review, and deploy workflows.
Custom Project Roles and User provisioning address these issues together by formalizing both sides of access control.
- Custom Project Roles allow admins to create truly custom roles that are assigned at the project level. They enable organizations to model real operational roles, such as workflow builders, reviewers, operators, or platform admins, and apply least-privilege access across workflows, credentials, folders, and source control. When combined with environments, these roles help teams build and iterate safely without risking changes in production.
- User provisioning via SSO syncs users permissions between the identity provider and n8n. It ensures that n8n permissions follow the same lifecycle as the rest of the organization. When someone joins, changes roles, or leaves, their permissions are updated automatically, removing the need for manual access management.
Together, these capabilities turn Projects into a governed organisational layer inside n8n. They allow enterprises to scale automation across many teams while keeping access predictable, auditable, and aligned with existing identity and security practices.
Custom Project Roles (project-scoped RBAC)
Custom Project Roles is an enterprise feature that allows admins to define custom roles at the project level, with granular permissions. Roles are created and managed from a dedicated Project Roles section in settings. Permissions are then applied within projects rather than relying only on broad, instance-wide roles.
How it works
Admins define custom roles by selecting permissions within a project-scoped model. The current permission surface includes:
- Projects
- Folders
- Workflows
- Credentials
- Data tables
- Variables
- Source control
Feature walkthrough
User provisioning (IDP-driven role sync)
User provisioning automates access management by syncing users and roles from your identity provider (IdP) into n8n at both the instance and project level.
You can configure n8n to provision users individually or via IdP groups, and automatically assign them to the appropriate project(s) and role(s) as part of your existing IAM setup.
This includes support for:
- System roles and custom roles you define in n8n
- Project-scoped role assignment driven by IdP group membership
- Automatic updates when users join, change roles, or leave groups in the IdP
As a result, access management scales cleanly as your organization grows:
- Onboarding and role assignment follow established IAM processes
- Changes in IdP membership are reflected automatically in n8n
- Access control becomes consistent, auditable, and repeatable across teams and projects
You can learn more about SSO and user provisioning in our documentation page.
Closing
Custom Project Roles and User provisioning provide a scalable foundation for access management in n8n. By combining custom project roles with identity-provider-driven role assignment, they improve governance, reduce risk, and significantly lower the ongoing operational cost of managing access in large, multi-team environments.