Roles and permissions

The platform uses a role-based access control (RBAC) model. Roles are assigned at the workspace level and can be overridden at the project level for granular control.

Built-in roles

Three built-in roles cover most team structures:

Admin

Full access to workspace settings, billing, all projects, and member management. Assign sparingly.

Member

Can create projects, manage content, and invite collaborators within their projects. Cannot access billing or workspace settings.

Viewer

Read-only access to projects they are explicitly added to. Cannot create, edit, or delete content.

Custom roles

Custom roles let you define precise permission sets for teams with non-standard access needs. Each custom role is built by selecting from a list of granular permissions.

To create a custom role:

1. Go to Settings → Roles → New role.
2. Give the role a name and optional description.
3. Toggle individual permissions on or off.
4. Save and assign to members.

Note

Custom roles are available on Business and Enterprise plans. Workspace Admins can create and manage up to 20 custom roles.

Common custom role patterns:

• Data analyst — Read access to analytics dashboards and reports, no access to settings or user management.
• Integration manager — Full access to integrations and connectors, read-only access to projects.
• Billing contact — Access to billing settings only, no access to workspace data.

Per-project overrides

A member’s workspace-level role can be overridden for specific projects. Project-level roles take full precedence within that project.

To assign a per-project role:

1. Open the project and go to Settings → Members.
2. Find the member and select a role from the dropdown.
3. Save changes.

Removing a per-project override reverts the member to their workspace-level role for that project.