Roles & Permissions
Built-in roles, custom roles, multi-role assignment, per-user module access, and the permission request workflow.
Roles & Permissions
Workestra uses Role-Based Access Control (RBAC) so workspace owners can grant exactly the right level of access to each member — no more, no less.
Managing roles requires the Owner role or a role with workspace.role.edit and workspace.member.role_assign permissions.
How it works in one paragraph
Every member gets one or more roles. Each role is a bundle of permissions like crm.contact.export or finance.invoice.send. Each granted permission has a scope — all (everyone in the workspace), team (the user and the people who report to them, recursively), or own (only records they personally own). When a member holds multiple roles, the most permissive scope wins. On top of that, Owners control which modules each member can even open — a workspace can pay for the Projects module but only grant access to the engineering team.
Built-in roles
Workestra ships with five built-in roles. They're a starting point — clone any of them to make a custom role.
Owner
The highest level of access. Holds every permission in the catalog, including the locked owner-only ones (billing, workspace deletion, ownership transfer, member impersonation).
| Capability | Owner |
|---|---|
| All Admin capabilities | ✅ |
| Manage billing | ✅ |
| Delete workspace | ✅ |
| Transfer ownership | ✅ |
| Impersonate members | ✅ (audited) |
| Hold owner-only permissions | ✅ (only role that can) |
The Owner role can be assigned to multiple users. Workspace creators get it automatically.
Admin
Full administrative access without the owner-only "red list".
| Capability | Admin |
|---|---|
| Manage members, roles, modules, settings | ✅ |
| All record CRUD across every module | ✅ |
| Configure integrations, automations, AI | ✅ |
| Approve permission requests | ✅ |
| View audit log | ✅ |
| Billing, deletion, impersonation | ❌ (Owner only) |
Best for: IT administrators, department heads, operations leads.
Manager
Operational access scoped to the manager's team — the people who report to them, walked recursively through the manager chain. A regional manager who has team leads under them sees the team leads' team data too.
| Capability | Manager |
|---|---|
| View, create, edit operational records | ✅ — scoped to team |
| Invite members, manage team membership | ✅ — within team |
| View team performance dashboards | ✅ |
| Configure modules, integrations, settings | ❌ |
| See data outside the team | ❌ |
Best for: Sales managers, recruiting leads, project leads, support team leads.
Member
Standard individual contributor. Can do their own work; can't see colleagues' records or manage anything.
| Capability | Member |
|---|---|
| View, create, edit own records | ✅ — own scope |
| Comment, attach files, send emails | ✅ |
| Delete records | ❌ |
| Export data | ❌ |
| Bulk operations | ❌ |
| Manage settings | ❌ |
Best for: Sales reps, recruiters, project contributors, support agents.
Viewer
Read-only across the entire workspace. No creates, no edits, no deletes.
| Capability | Viewer |
|---|---|
| View any record in modules they have access to | ✅ — all scope |
| Export | ✅ |
| Any write | ❌ |
Best for: Executives, auditors, accountants, read-only stakeholders.
Multi-role assignment
A member can hold multiple roles at once. Effective permissions are the union of every assigned role, with the most permissive scope wins.
Example: Sara is both a Sales Rep (custom role: crm.deal.list at team scope) and a Recruiting Coordinator (custom role: ats.candidate.list at team scope). She sees her sales team's deals and her recruiting team's candidates — without anyone needing to build a third hybrid role.
To add a role to a member:
- Go to Settings → Administration → Members.
- In the Roles column, click the + button on the member's row.
- Pick a role from the popover. The badge appears next to the existing roles.
- To remove a role, click the × on the role badge (only available when the member has more than one role — can't remove their last role).
Owner is special: the Owner-only permissions in the catalog (the "red list") can only be granted to the Owner system role. The database trigger blocks any attempt to grant them elsewhere.
Per-user module access
Even if a workspace pays for the Projects module, the Owner can grant access to it only to the people who need it. A 50-person agency might subscribe to all six modules but expose Finance only to the accounting team.
To manage a member's module access:
- Go to Settings → Administration → Members.
- In the Modules column, click the
5/13(or similar) chip on the member's row. - Tick or untick modules in the popover. Changes apply immediately.
New invites get every module enabled by default. You can change the default for new invites under workspace administration.
Permission scopes — all, team, own
Every grant on a role carries a scope. When you create or edit a custom role, you pick the scope per permission.
| Scope | Means |
|---|---|
| all | The user sees and can act on every matching record in the workspace. |
| team | The user sees and can act on records owned/assigned to themselves or anyone reporting to them (walked recursively up the manager chain). |
| own | The user only sees and can act on records they personally own or are assigned to. |
When a member holds multiple roles that grant the same permission, the most permissive scope wins (all > team > own).
The team scope walks manager chains recursively. A VP of Sales whose three regional managers each have five reps will see all 18 people's data when granted crm.deal.list at team scope. Set up the manager chain on the Members admin (each member's "Manager" column).
Custom roles
Custom roles are how you adapt Workestra to your organization's actual job titles.
Creating a custom role
- Go to Settings → Administration → Roles.
- Click Create Role.
- Enter a name (e.g. SDR — outbound only) and an optional description.
- Use the search box and module tabs to find the permissions you want.
- Tick each permission and pick its scope (
all/team/own). - Save.
The catalog has 867 permissions across 18 namespaces — workspace, CRM, ATS (recruiting), projects, support, finance, people, analytics, telephony, email, knowledge, time, automations, AI, integrations, audit, sequences, platform. Use the module tabs to narrow down.
Sample sector roles
| Role | Idea |
|---|---|
| SDR (Sales Dev Rep) | crm.contact.create/edit/view + crm.activity.create/log + email.send at own scope. No deal write, no quote write, no export. |
| Setter (appointment booker) | crm.contact.view + crm.activity.log_call + crm.appointment.book at own scope. No deal/invoice visibility at all. |
| Recruiting Coordinator | ats.candidate.view/edit + ats.interview.schedule + email.send at team scope. No salary visibility, no offer-stage. |
| Finance Viewer | finance.invoice.view + finance.expense.view + finance.report.view at all scope, no write anywhere. Good for external accountants. |
| Project Lead | Every projects.* permission at team scope plus crm.deal.view at team scope. |
| Support Agent (T1) | support.ticket.view/reply/assign at team scope, crm.contact.view at team scope. No deal visibility, no finance. |
Editing or deleting a custom role
- Go to Settings → Administration → Roles.
- Click the role name to edit.
- Modify permissions and click Save. Changes apply immediately to every member who holds the role.
- To delete: click Delete and reassign affected members to another role first.
Built-in roles (Owner, Admin, Manager, Member, Viewer) cannot be deleted.
Permission requests
When a member tries to do something they don't have permission for — for example, exporting contacts as a Member who lacks crm.contact.export — they can click Request access instead of being silently blocked. The request lands in the admin inbox.
As a member: requesting access
- When you hit a denied UI surface, look for the Request access button (usually next to the lock icon).
- Pick the scope you actually need (
ownis usually the most likely to be approved). - Optionally add a reason — a quick justification helps admins decide quickly.
- Submit. You'll get a notification when an admin approves or rejects.
As an admin: triaging requests
- Go to Settings → Administration → Permission Requests.
- The Pending tab shows new requests with the requester, the requested permission, the requested scope, and any reason they wrote.
- Click Approve or Reject. You can add a note that the requester will see.
- Approved requests automatically grant the permission via a per-user Custom Grants role — no need to edit a global role for one-off accommodations.
Custom Grants roles are one per member. The first time you approve a permission for Sara, the system creates the role Custom Grants: Sara, attaches it to her, and adds the permission. Future approvals add to the same role.
Manager hierarchy
Set up your reporting structure so team-scoped permissions resolve correctly.
- Go to Settings → Administration → Members.
- In the Manager column on each row, pick the person that member reports to.
- The chain is walked recursively — a member with three layers above them (rep → team lead → regional manager → VP) is correctly included in the VP's team scope.
Members with no manager set are top-level (only their own data, plus anyone who reports to them).
What gates the UI
Workestra hides or disables UI elements based on the caller's permissions. You'll see:
- Hidden — buttons, menu items, or whole pages disappear when the caller lacks the permission.
- Disabled with tooltip — sometimes the button stays visible but is greyed out, with a tooltip naming the missing permission. Click it to open a Request access dialog.
- Empty state with CTA — when a list is empty because the caller can't see any records, the empty state offers a Request access button.
| What the user sees | When |
|---|---|
| Module is hidden from the sidebar | Caller lacks <module>.module.access (workspace doesn't pay for it, or the Owner revoked it for this user) |
| Page renders an "access required" message | Caller has the module but lacks any read permission inside it |
| Create / edit / delete button is disabled | Caller lacks the corresponding write permission |
| Export / bulk button shows a lock icon | Caller lacks the corresponding *.export or *.bulk_* permission |
Best practices
Principle of least privilege
Grant the minimum each role needs. It's much easier to add a permission via a request later than to remove an over-granted one without breaking workflows.
- New stakeholders → start with Viewer.
- Active contributors → Member (
ownscope). - Anyone managing a team → Manager (
teamscope). - IT/operations leads → Admin.
- Reserve Owner for the founders / C-level.
Use scopes, not custom roles, for "same job, different territory"
If your sales team is split into "EU Reps" and "US Reps" with the same permissions but different data, don't create two custom roles. Set up the manager hierarchy correctly and use team scope on a single Sales Rep role — each rep automatically sees only their own region.
Quarterly access review
Once a quarter:
- Settings → Administration → Members — scan for users with elevated roles they no longer need.
- Settings → Administration → Roles — review custom roles for relevance; merge or retire ones you're no longer using.
- Settings → Security → Audit Log — check for permission grants and Owner-only actions.
- Remove access for departed teammates promptly.
Document custom roles
For each custom role, write a one-line description that answers:
- What is this role for?
- Who should have it?
- When should they get upgraded or downgraded?
The description is visible on the Roles admin page and helps anyone joining the workspace understand the model without having to inspect grants.
Next steps
- Members & teams — invite people and assign roles.
- Audit log — review permission grants and access changes.
- Data & privacy — export and deletion for compliance.