Roles and Access Rights
⚠️ Who can manage roles and rights?
To manage users' roles and access rights, you must be the Admin or Manager level user.
- Roles and permissions apply per workspace. You must invite users to each workspace separately.
User roles
For each workspace, every user is assigned a role and given a defined set of access rights, which determine the capabilities a user has within the workspace and what they can see and change.
There are there different roles:
- Admin: Full control over the workspace and settings.
- Manager: Almost full access, but no access to subscription or customization settings.
- Regular User: Can view and work on projects depending on their specific access rights.
Owner: One per workspace. Manages billing and subscriptions.
💡 Good to know:
- The person who creates a workspace is automatically the Owner and Admin.
- New users are added as Regulars User with Manage access rights to all workspace items (read how to define precise access rights for Regular Users).
Access rights of Regular Users
Non-admin and non-manager role-level users are regular users. For them, you can define the access rights per sections (Projects & Activities, Participants, Documents, Budget & Expenses) and per specific items in these sections.
The following access rights options are available per each section and item:
- Manage: The user has full access to the data – can see, edit, and manage (add, move, or delete) workspace items.
- Edit: The user can see and edit workspace items, but cannot manage them.
- Read: The user can see workspace items, add comments and attachments, but cannot edit and manage items.
- Off: The user has no access to workspace items.
💡 Good to know:
- To view budget or expense data, a user needs at least Read access to the related project or activity and participant.
Using groups to set user access rights
Instead of assigning access rights to each user individually, you can organize workspace users into groups and manage their rights collectively. By assigning access rights to a group, all users in that group automatically receive those rights. When a user joins or leaves a group, their access rights are updated accordingly.
Groups can only be assigned the Regular User role. You cannot assign Admin, Manager, or Owner roles to groups.
⚠️ For important or sensitive access configurations, we recommend using restricted groups rather than open groups. In restricted groups, a designated Group Manager controls group membership.
🔍 Important notes on group-based access rights:
When users belong to multiple groups or have both individual and group access rights, users can have different access right sets, the system applies the strongest access right available across individual rights and group rights across multiple groups.
- Item-level rights override Section-level rights.
- Highest right takes precedence over weaker rights: Off < Read < Edit < Manage.
For example:
A user has:
- Read rights to the “Workplan” section (individually assigned)
- Off rights to the specific item WP1 (individually assigned)
- Is a member of a group with Edit rights to the entire “Workplan” section
Result:
The user will have Edit access to all items in the “Workplan” section, except WP1, because the Off setting at the item level overrides the section-level Edit rights.
💡 Tip: To check which groups a user belongs to and where their rights come from:
- Go to the Users section in the workspace.
- Enter the user’s email address in the search field.
- You’ll see the user and all groups they are part of.
Now you can easily review all rights the user has — both from individual settings and from group membership.