Roles & Permissions
Control access with role-based permissions
Control who can do what in your organization with role-based access control (RBAC). Assign roles to members and customize permissions.
Understanding Roles
Roles define what actions members can perform:
- Each member has exactly one organization role
- Roles contain a set of permissions
- Higher roles include lower role permissions
- Custom roles available on enterprise plans
Default Roles
Role Hierarchy
| Role | Level | Description |
|---|---|---|
| Owner | Highest | Full control, cannot be removed |
| Admin | High | Full access, manage members |
| Manager | Medium | Team management, content control |
| Member | Standard | Create and collaborate |
| Viewer | Limited | View-only access |
Role Comparison
| Capability | Owner | Admin | Manager | Member | Viewer |
|---|---|---|---|---|---|
| View content | ✓ | ✓ | ✓ | ✓ | ✓ |
| Create content | ✓ | ✓ | ✓ | ✓ | - |
| Edit content | ✓ | ✓ | ✓ | ✓ | - |
| Delete content | ✓ | ✓ | ✓ | Own | - |
| Share content | ✓ | ✓ | ✓ | ✓ | - |
| Manage teams | ✓ | ✓ | ✓ | - | - |
| Invite members | ✓ | ✓ | ✓ | - | - |
| Change roles | ✓ | ✓ | Lower | - | - |
| Organization settings | ✓ | ✓ | - | - | - |
| Billing | ✓ | ✓ | - | - | - |
| Transfer ownership | ✓ | - | - | - | - |
Role Details
Owner
The organization owner has:
- Full control over everything
- Can transfer ownership
- Cannot be removed or downgraded
- Only one owner per organization
Warning
The owner role should be assigned to a responsible person. Losing owner access requires contacting support.
Admin
Administrators can:
- Use all Manager capabilities
- Access organization settings
- Manage billing and subscription
- Create/delete teams
- Remove members
- Set organization policies
Manager
Managers can:
- Use all Member capabilities
- Manage team membership
- Invite new members (as Member or below)
- View team analytics
- Approve content
- Manage team settings
Member
Standard members can:
- Create analyses and proposals
- Edit their own content
- Share with team and external
- Comment and collaborate
- Use all features
- View assigned content
Viewer
Viewers can:
- View shared content
- Add comments (if allowed)
- Download exports (if allowed)
- Cannot create or edit
Permission Categories
Content Permissions
| Permission | Description |
|---|---|
| content.create | Create analyses, proposals |
| content.edit | Edit content |
| content.delete | Delete content |
| content.share | Share with others |
| content.export | Export to PDF, DOCX |
| content.view_all | See all org content |
Team Permissions
| Permission | Description |
|---|---|
| team.view | See team info |
| team.manage | Add/remove members |
| team.create | Create new teams |
| team.delete | Delete teams |
| team.settings | Change team settings |
Organization Permissions
| Permission | Description |
|---|---|
| org.settings | Access org settings |
| org.billing | Manage billing |
| org.invite | Invite members |
| org.remove | Remove members |
| org.roles | Change member roles |
| org.policies | Set policies |
Integration Permissions
| Permission | Description |
|---|---|
| integration.view | See connected integrations |
| integration.connect | Add new integrations |
| integration.configure | Change settings |
| integration.disconnect | Remove integrations |
Assigning Roles
Initial Assignment
When inviting members:
- Enter member email
- Select role from dropdown
- Role takes effect when they accept
Changing Roles
Role Change Effects
When you change someone's role:
- New permissions apply immediately
- Active sessions are updated
- The member is notified of the change
- The activity is logged
Note
Downgrading a role removes access to restricted features immediately.
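The "Change roles" row of the Role Comparison table can be written as a policy check and replayed over role-change events from an activity log to find changes that should not have been possible. This is an added example, not the product's own code: the numeric levels, the event tuple layout, the sample events, and the reading of "Lower" as "both the current and the new role are below Manager" are assumptions.

```python
from __future__ import annotations
from enum import IntEnum

class Role(IntEnum):
    # Order follows the page's Role Hierarchy table; numeric values are assumed.
    VIEWER = 1
    MEMBER = 2
    MANAGER = 3
    ADMIN = 4
    OWNER = 5

def can_change_role(actor: Role, current: Role, new: Role) -> tuple[bool, str]:
    """Decide one role change according to the 'Change roles' table row."""
    # The owner cannot be removed or downgraded and there is only one owner,
    # so nothing here may touch the Owner role (transfer is a separate flow).
    if Role.OWNER in (current, new):
        return False, "owner role changes only via ownership transfer"
    if current == new:
        return False, "no change requested"
    if actor in (Role.OWNER, Role.ADMIN):
        return True, "allowed"
    if actor == Role.MANAGER:
        # Assumption: 'Lower' means the member's current role and the
        # requested role both sit strictly below Manager.
        if current < Role.MANAGER and new < Role.MANAGER:
            return True, "allowed"
        return False, "manager may only change roles below manager"
    return False, "role has no permission to change roles"

# Constructed sample events: (actor, actor_role, target, old_role, new_role)
CONSTRUCTED_EVENTS = [
    ("dana", Role.ADMIN, "eli", Role.MEMBER, Role.MANAGER),
    ("mo", Role.MANAGER, "eli", Role.MEMBER, Role.VIEWER),
    ("mo", Role.MANAGER, "sam", Role.MEMBER, Role.MANAGER),  # grants own level
    ("mo", Role.MANAGER, "dana", Role.ADMIN, Role.VIEWER),   # demotes a superior
    ("dana", Role.ADMIN, "dana", Role.ADMIN, Role.OWNER),    # self-promotion
    ("kit", Role.MEMBER, "kit", Role.MEMBER, Role.ADMIN),    # no change rights
]

def flag_violations(events):
    """Return (actor, target, reason) for every event the policy would deny."""
    flagged = []
    for actor, actor_role, target, old, new in events:
        allowed, reason = can_change_role(actor_role, old, new)
        if not allowed:
            flagged.append((actor, target, reason))
    return flagged

if __name__ == "__main__":
    for row in flag_violations(CONSTRUCTED_EVENTS):
        print(row)
```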
Custom Roles (Enterprise)
Creating Custom Roles
Enterprise customers can create custom roles:
- Go to Settings > Organization > Roles
- Click Create Custom Role
- Name the role
- Select permissions
- Set role level
- Save
Custom Role Settings
| Setting | Description |
|---|---|
| Name | Display name |
| Description | What this role is for |
| Level | Hierarchy position |
| Permissions | Specific permissions |
| Base Role | Inherit from existing role |
Managing Custom Roles
- Edit: Update permissions anytime
- Archive: Hide but preserve assignments
- Delete: Remove (must reassign members first)
Permission Inheritance
How Inheritance Works
Owner (has all permissions)
↓
Admin (inherits Owner - transfer + some restrictions)
↓
Manager (inherits Admin - org settings)
↓
Member (inherits Manager - team management)
↓
Viewer (base permissions only)
Overriding Inheritance
Custom roles can:
- Add specific permissions
- Remove inherited permissions
- Mix and match as needed
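Because a custom role combines a base role, added permissions, and removed permissions, its effective permission set can drift above what its level suggests. The following added example (not the product's own code) resolves a custom role and lists the permissions it holds beyond the default role at the same level, as input for a permission audit; the mapping of Role Comparison rows to permission identifiers, the dictionary layout, and the sample roles are assumptions.

```python
LEVELS = ["viewer", "member", "manager", "admin", "owner"]  # low -> high

# Permissions each default role adds on top of the role below it. Assumed
# mapping from the Role Comparison rows to the page's permission identifiers;
# the Member "Own"-only delete scope is not modelled.
ADDED_AT = {
    "viewer": set(),
    "member": {"content.create", "content.edit", "content.delete", "content.share"},
    "manager": {"team.manage", "org.invite", "org.roles"},
    "admin": {"org.settings", "org.billing"},
    "owner": set(),
}

def default_permissions(role):
    """Higher roles include the permissions of every lower role."""
    perms = set()
    for name in LEVELS[: LEVELS.index(role) + 1]:
        perms |= ADDED_AT[name]
    return perms

def resolve_custom_role(base_role, add=(), remove=()):
    """Effective set: inherited from the base role, plus adds, minus removes."""
    return (default_permissions(base_role) | set(add)) - set(remove)

def excess_permissions(role):
    """Permissions held beyond the default role at the custom role's level."""
    effective = resolve_custom_role(
        role["base_role"], role.get("add", ()), role.get("remove", ()))
    return sorted(effective - default_permissions(role["level"]))

# Constructed sample custom roles (hypothetical names and settings).
CONSTRUCTED_ROLES = [
    {"name": "Billing Clerk", "level": "member", "base_role": "member",
     "add": ["org.billing"]},
    {"name": "Reviewer", "level": "manager", "base_role": "manager",
     "remove": ["org.roles"]},
    {"name": "Intern Lead", "level": "member", "base_role": "admin",
     "remove": ["org.settings"]},
]

def audit_custom_roles(roles):
    """Map role name -> excess permissions, for roles that have any."""
    report = {r["name"]: excess_permissions(r) for r in roles}
    return {name: extra for name, extra in report.items() if extra}

if __name__ == "__main__":
    for name, extra in audit_custom_roles(CONSTRUCTED_ROLES).items():
        print(name, extra)
```

An entry in the report is a prompt for review rather than proof of a mistake, since adding a specific permission can be the purpose of the custom role.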
Team Roles
Separate from Organization Roles
Team roles are independent:
| Team Role | Purpose |
|---|---|
| Team Lead | Manage the team |
| Team Member | Standard team access |
| Team Viewer | View team content |
Role Interaction
- Organization role sets baseline
- Team role can grant additional team access
- Cannot exceed organization role limits
Best Practices
Principle of Least Privilege
Give members only the access they need:
- Start with Member role
- Upgrade as responsibilities grow
- Regular access reviews
Role Documentation
Document your role structure:
- Who should have each role
- When to upgrade/downgrade
- Custom role purposes
Regular Audits
Review roles periodically:
- Quarterly permission audits
- Check for over-privileged accounts
- Document changes
Troubleshooting
Member Can't Access Feature
- Check their role
- Verify feature permission
- Check team permissions
- Look for custom overrides
Role Change Not Working
- Member may need to refresh
- Check for active sessions
- Clear browser cache
- Contact admin
Accidental Role Change
- Admins can revert changes
- Check activity log for original role
- Change role back
- Document incident