Skip to main content
A member’s permissions come from two things: the role they hold, and the resource access they’re granted on individual apps and knowledge bases.

How Permissions Work

A role carries two kinds of permission:
  • Workspace permissions: what a member can do across the workspace, like installing plugins, managing members, or creating apps.
  • Resource permissions: what a member can do with an existing app or knowledge base, like previewing, editing, exporting, or deleting it.
    To see exactly which permissions count as resource permissions, open Settings > Permission Set and view Full Control, which includes every permission for that resource type.
Workspace permissions are global: once a role grants one, it applies across the whole workspace. Resource permissions are scoped to what a member can reach: even when their role grants app editing, a member can only edit apps they have access to. Resource access is set separately on each app and knowledge base, and decides whether a member can reach it at all. Think of it as the key to a room, and the role as what you can do once you’re inside.

What You Can Control

  • Decide who can do what: Build roles and assign them to members. A role’s permissions decide what a member can do once they’re in a room.
  • Choose who can reach each resource: Resource access decides who gets in the room; what they do inside is still decided by the role.
  • Make exceptions: Once a member is in the room, change what they can do inside. This overrides their role for that one resource.

Example

Maya holds the Editor role, so she can build and edit apps across the workspace. (role) Your Q4 Revenue app holds sensitive data, so you set its scope to Specific members only and leave Maya off the list. The app never appears for her, even though she’s an Editor. (resource access) Add her, and it shows up and she can edit it like any other app. To let her see it without making changes, give her an individual permission setting that limits her to viewing only. (exception)

Decide Who Can Do What

Assign each member a role. You manage roles in Settings > Roles & Permissions and assign them in Settings > Members. A member can hold more than one role, and their permissions are the combination of all of them.

System Roles

Every workspace includes a set of system roles. To see everything a role grants, open it and click View. Each system role also comes with default resource permission sets on apps and knowledge bases. Open the Settings > Permission Set page to see what permissions each set includes.
RoleAppsKnowledge bases
Owner, AdminFull ControlFull Control
EditorFull ControlEdit Content
NormalView MonitoringPreview Knowledge Base
Restricted MemberNoneNone

Custom Roles

When the system roles don’t fit how your team works, create a custom role and choose exactly which permissions it includes. A new workspace also starts with any custom roles your system administrator predefined in the admin dashboard. Deleting a custom role removes it from every member assigned to it.

Choose Who Can Reach Each Resource

Every app and knowledge base has its own resource access settings that control who can reach it. Open the resource and set its Resource Open Scope:
  • All members with role permissions: anyone whose role grants permissions on this type of resource. New apps and knowledge bases use this scope by default.
  • Specific members only: only the members you add. Everyone else can’t see it.
Either way, what each member can do once they’re in still comes from their role. For example, on an app open to all members:
  • An Editor can edit it.
  • A Normal member can only view it.
  • A Restricted member, whose role grants no app permissions, can’t see the app at all, unless they are specifically added under the individual permission settings.

Make Exceptions

When a member needs different permissions on one resource than their role grants, override them under Individual Permission Settings in that resource’s resource access settings. Add the member and pick a permission set. By role permissions keeps their role’s permissions; any other set overrides them for this resource alone. You can apply a system set such as Edit Content or Preview App, or create a custom set in Settings > Permission Set for cases they don’t cover. Whoever creates a resource becomes its maintainer and always keeps Full Control. If the maintainer leaves the workspace, the Owner becomes the maintainer of that resource.
Changing the open scope resets the individual permission settings on the resource.