Permissions and Roles
Manage team access with roles and granular permissions for your organization
Introduction to Permissions and Roles
The platform uses a role-based access control (RBAC) system to manage what users can see and do within your organization. This ensures the right people have access to the right features and data.
Understanding Roles
Built-in Roles
The platform includes four built-in roles with different permission levels:
Owner
The organization owner has full access to everything:
- Complete control over all features and data
- Manage billing and subscription
- Delete the organization
- Transfer ownership to another member
- Cannot be removed from the organization
Each organization has exactly one owner. Ownership can be transferred but not shared.
Admin
Administrators have broad access to manage the organization:
- Access all features and data
- Manage team members and invitations
- Configure organization settings
- Create and manage API keys
- View and manage audit logs
- Delete any content
- Cannot delete the organization or manage billing
Member
Member is the default role for new team members and has full content creation capabilities:
- Create experiments, OKRs, documents, workflows, dashboards, and growth models
- Edit any content (not just their own)
- Delete their own content only
- View audit logs (read-only)
- Cannot access administrative settings
- Cannot manage team members or API keys
Members are ideal for team contributors who need to actively work with content.
Viewer
Viewers have read-only access to all features:
- View all experiments, OKRs, workflows, dashboards, documents, and growth models
- View audit logs (read-only)
- Cannot create, edit, or delete any content
- Cannot access administrative features
Viewers are ideal for stakeholders who need visibility into progress without editing capabilities.
Role Hierarchy
Roles follow a hierarchy where higher roles have more permissions:
Owner > Admin > Member > Viewer

| Capability | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| Full administrative access | Yes | Yes | No | No |
| Create content | Yes | Yes | Yes | No |
| Edit any content | Yes | Yes | Yes | No |
| Delete any content | Yes | Yes | No | No |
| Delete own content | Yes | Yes | Yes | No |
| Manage team | Yes | Yes | No | No |
| Manage billing | Yes | No | No | No |
Managing Team Members
Inviting Members
To invite new team members:
- Navigate to Settings > Team
- Click Invite Member
- Enter their email address
- Select their role:
  - Admin - Full access to manage the organization
  - Member - Create and edit content, delete own content
  - Viewer - Read-only access
- Click Send Invitation
The invitee receives an email with a link to join your organization.
Invitation Status
Invitations have the following statuses:
- Pending - Invitation sent, awaiting response
- Accepted - User has joined the organization
- Expired - Invitation link has expired
- Revoked - Invitation was cancelled
Changing Roles
To change a member's role:
- Go to Settings > Team
- Find the member
- Click on their current role
- Select the new role
- Confirm the change
Only owners and admins can change roles. Members can be promoted to Admin. Admins can be demoted to Member.
Removing Members
To remove a member from your organization:
- Go to Settings > Team
- Find the member
- Click Remove
- Confirm removal
Removed members lose access immediately. Their content (experiments, documents, etc.) is preserved and is either reassigned or made available to admins.
Transferring Ownership
The organization owner can transfer ownership:
- Go to Settings > Team
- Click Transfer Ownership
- Select the new owner
- Confirm with your password
- The new owner receives owner privileges
After transfer, the previous owner becomes an Admin.
Permission Requests
For sensitive operations, the platform supports a permission request workflow.
How Permission Requests Work
When a member needs elevated access:
- The member initiates a permission request
- The request goes to an approver (Admin or Owner)
- The approver reviews and approves/denies
- If approved, the member gains temporary access
Request Types
Permission requests specify the type of access needed:
- Create - Permission to create new resources
- Read - Permission to view resources
- Update - Permission to modify resources
- Delete - Permission to remove resources
Request Lifecycle
- Pending - Request submitted, awaiting review
- Approved - Request granted
- Denied - Request rejected
- Expired - Request timed out
Requesting Permissions
To request additional permissions:
- Attempt the action you need permission for
- If denied, click Request Access
- Select the permissions you need
- Optionally add a message explaining why
- Submit the request
Approving Requests
Admins and Owners can approve requests:
- Go to Settings > Permission Requests
- Review pending requests
- For each request, choose:
  - Approve - Grant the requested permissions
  - Deny - Reject the request
- Optionally add notes explaining your decision
Request Expiration
Approved permissions have an expiration:
- Set when the approval is granted
- After expiration, access is automatically revoked
- Users must re-request if they still need access
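
The role rules and expiring approvals described above can be combined into a single deny-by-default authorization check. This is an added example, not the platform's own code; the `Grant` shape, the per-resource scoping of grants, and all function and field names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Role ranks follow the page's hierarchy: Owner > Admin > Member > Viewer.
RANK = {"viewer": 0, "member": 1, "admin": 2, "owner": 3}

# Minimum role per content action, taken from the feature tables on this page.
# "delete" is the minimum for deleting ANY item; own items are handled below.
MIN_ROLE = {"read": "viewer", "create": "member",
            "update": "member", "delete": "admin"}


@dataclass(frozen=True)
class Grant:
    """An approved permission request (hypothetical shape)."""
    user: str
    action: str           # create | read | update | delete
    resource_id: str      # assumption: grants are scoped to one resource
    expires_at: datetime  # set when the approval is granted


def is_allowed(user, role, action, resource_id, resource_owner, grants, now):
    """Deny by default; allow via role, ownership, or an unexpired grant."""
    if role not in RANK or action not in MIN_ROLE:
        return False  # unknown role or action never passes
    if RANK[role] >= RANK[MIN_ROLE[action]]:
        return True
    # Members may delete only content they created.
    if action == "delete" and role == "member" and resource_owner == user:
        return True
    # Temporary access: expiry is evaluated on every check, so access
    # lapses at expires_at without waiting for a cleanup job to run.
    return any(
        g.user == user and g.action == action
        and g.resource_id == resource_id and now < g.expires_at
        for g in grants
    )
```

Checking `expires_at` at decision time, rather than relying on a background job to delete stale grants, keeps a delayed or failed job from extending access past the approved window.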
Feature-Specific Permissions
Different features have specific permission requirements. The tables below show what each role can do.
Experiments
| Action | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| View all experiments | Yes | Yes | Yes | Yes |
| Create experiments | Yes | Yes | Yes | No |
| Edit any experiment | Yes | Yes | Yes | No |
| Delete any experiment | Yes | Yes | No | No |
| Delete own experiments | Yes | Yes | Yes | No |
| Change experiment status | Yes | Yes | Yes | No |
OKRs
| Action | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| View all OKRs | Yes | Yes | Yes | Yes |
| Create objectives | Yes | Yes | Yes | No |
| Create key results | Yes | Yes | Yes | No |
| Edit any OKR | Yes | Yes | Yes | No |
| Delete any OKR | Yes | Yes | No | No |
| Delete own OKRs | Yes | Yes | Yes | No |
| Set official OKRs | Yes | Yes | No | No |
Documents
| Action | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| View documents | Yes | Yes | Yes | Yes |
| Create documents | Yes | Yes | Yes | No |
| Edit documents | Yes | Yes | Yes | No |
| Add comments | Yes | Yes | Yes | No |
| Delete any document | Yes | Yes | No | No |
| Delete own documents | Yes | Yes | Yes | No |
| Create public shares | Yes | Yes | Yes | No |
Workflows
| Action | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| View workflows | Yes | Yes | Yes | Yes |
| Create workflows | Yes | Yes | Yes | No |
| Edit workflows | Yes | Yes | Yes | No |
| Delete any workflow | Yes | Yes | No | No |
| Delete own workflows | Yes | Yes | Yes | No |
| Activate/deactivate | Yes | Yes | Yes | No |
Growth Models
| Action | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| View models | Yes | Yes | Yes | Yes |
| Create models | Yes | Yes | Yes | No |
| Edit any model | Yes | Yes | Yes | No |
| Delete any model | Yes | Yes | No | No |
| Delete own models | Yes | Yes | Yes | No |
| Lock models | Yes | Yes | No | No |
| Set official model | Yes | Yes | No | No |
Analytics Dashboards
| Action | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| View dashboards | Yes | Yes | Yes | Yes |
| Create dashboards | Yes | Yes | Yes | No |
| Edit dashboards | Yes | Yes | Yes | No |
| Delete any dashboard | Yes | Yes | No | No |
| Delete own dashboards | Yes | Yes | Yes | No |
Organization Settings
| Action | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| View settings | Yes | Yes | Limited | Limited |
| Edit settings | Yes | Yes | No | No |
| Manage team | Yes | Yes | No | No |
| Manage billing | Yes | No | No | No |
| Delete organization | Yes | No | No | No |
API Keys
| Action | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| View API keys | Yes | Yes | No | No |
| Create API keys | Yes | Yes | No | No |
| Revoke API keys | Yes | Yes | No | No |
Webhooks
| Action | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| View webhooks | Yes | Yes | No | No |
| Create webhooks | Yes | Yes | No | No |
| Edit webhooks | Yes | Yes | No | No |
| Delete webhooks | Yes | Yes | No | No |
Audit Logs
| Action | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| View audit logs | Yes | Yes | Yes | Yes |
| Export audit logs | Yes | Yes | No | No |
Audit Logging
All permission-related actions are logged:
- Role changes
- Member additions and removals
- Permission requests and approvals
- Settings changes
View the audit log at Settings > Audit Log to see who did what and when.
Best Practices
Role Assignment
- Start new members as Viewer if they only need to observe
- Use Member (default) for contributors who need to create and edit content
- Promote to Admin only for those who need to manage team and settings
- Limit the number of Admins to reduce security risk
- Document why each Admin needs elevated access
Security
- Review team members regularly
- Remove access for departing employees promptly
- Use permission requests for sensitive operations
- Monitor audit logs for suspicious activity
Onboarding
- Create a clear process for new member onboarding
- Document which roles are needed for which teams
- Use invitations rather than sharing login credentials
- Set up proper handoffs when members leave