How Permissions Work
A role carries two kinds of permission:- Workspace permissions: what a member can do across the workspace, like installing plugins, managing members, or creating apps.
- Resource permissions: what a member can do with an existing app or knowledge base, like previewing, editing, exporting, or deleting it.
What You Can Control
- Decide who can do what: Build roles and assign them to members. A role’s permissions decide what a member can do once they’re in a room.
- Choose who can reach each resource: Resource access decides who gets in the room; what they do inside is still decided by the role.
- Make exceptions: Once a member is in the room, change what they can do inside. This overrides their role for that one resource.
Example
Maya holds the Editor role, so she can build and edit apps across the workspace. (role) Your Q4 Revenue app holds sensitive data, so you set its scope to Specific members only and leave Maya off the list. The app never appears for her, even though she’s an Editor. (resource access) Add her, and it shows up and she can edit it like any other app. To let her see it without making changes, give her an individual permission setting that limits her to viewing only. (exception)Decide Who Can Do What
Assign each member a role. You manage roles in Settings > Roles & Permissions and assign them in Settings > Members. A member can hold more than one role, and their permissions are the combination of all of them.System Roles
Every workspace includes a set of system roles. To see everything a role grants, open it and click View. Each system role also comes with default resource permission sets on apps and knowledge bases. Open the Settings > Permission Set page to see what permissions each set includes.| Role | Apps | Knowledge bases |
|---|---|---|
| Owner, Admin | Full Control | Full Control |
| Editor | Full Control | Edit Content |
| Normal | View Monitoring | Preview Knowledge Base |
| Restricted Member | None | None |
Custom Roles
When the system roles don’t fit how your team works, create a custom role and choose exactly which permissions it includes. A new workspace also starts with any custom roles your system administrator predefined in the admin dashboard. Deleting a custom role removes it from every member assigned to it.Choose Who Can Reach Each Resource
Every app and knowledge base has its own resource access settings that control who can reach it. Open the resource and set its Resource Open Scope:- All members with role permissions: anyone whose role grants permissions on this type of resource. New apps and knowledge bases use this scope by default.
- Specific members only: only the members you add. Everyone else can’t see it.
- An Editor can edit it.
- A Normal member can only view it.
- A Restricted member, whose role grants no app permissions, can’t see the app at all, unless they are specifically added under the individual permission settings.
Make Exceptions
When a member needs different permissions on one resource than their role grants, override them under Individual Permission Settings in that resource’s resource access settings. Add the member and pick a permission set. By role permissions keeps their role’s permissions; any other set overrides them for this resource alone. You can apply a system set such as Edit Content or Preview App, or create a custom set in Settings > Permission Set for cases they don’t cover. Whoever creates a resource becomes its maintainer and always keeps Full Control. If the maintainer leaves the workspace, the Owner becomes the maintainer of that resource.Changing the open scope resets the individual permission settings on the resource.