Roles and permissions in Oneflow
| INCLUDED IN This feature is included in our Business and Enterprise Plan |
Roles determine what a user can access and which actions they can perform. A user can have multiple roles at the same time, depending on what they need access to.
As a Oneflow account administrator, you can control what your colleagues are allowed to do in Oneflow by assigning roles with specific permissions.
The predefined roles are:
- Account administrator
- Workspace member
- Workspace read-only
- Workspace manager
Predefined roles are locked and marked with a padlock icon. They are designed for different levels of access, either at the account level or the workspace level.
| INFORMATION Predefined roles cannot be edited or removed. If you need to customize permissions or create new roles, you can use custom roles. Custom roles are not included in the Business plan. đź”—Click here to read more about custom roles |
View role permissions
Before assigning a role, you can review the permissions included in each role.
- Go to Admin > Roles.
- Select one of the predefined roles.
- Open the Permissions tab.
From here, you can see which permissions are included in the selected role.
Account administrator role
The Account administrator role is an account-level role used to manage the account from an administrative perspective.
At least one user must have the Account administrator role.
Account administrators can access settings under Admin and Marketplace, including:
- Account configuration
- Marketplace activation
- Integration and playbook setup
- User invitations
- License management
- Account setup
- Workspace administration
NOTE It only gives permission to manage workspaces from an admin level. To work inside a workspace, the user also needs a role with workspace permissions. |
View, grant, or remove account administrator access
To view which users have administrator access, or to assign the Account administrator role:
- Go to Admin > Account access.
- View the users with account-level access.
- Grant or remove roles as needed.
Access levels
You can choose whether a user should have access to all workspaces on the account or only to specific workspaces.
To work inside a workspace, a user must first be granted workspace access. You can grant access in two ways:
- Account level — gives access to all workspaces
- Workspace level — gives access to one specific workspace
User access at account level
Use account-level access when a user should have the same workspace role across all workspaces on the account.
- Go to Admin > Account access.
- Click Grant user access.
- Select the user.
- Select one of the predefined workspace roles. > Confirm.
NOTE For example, if you assign the Workspace member role at account level, the user becomes a member of all workspaces. |
User access at workspace level
Use workspace-level access when a user should only have access to a specific workspace.
- Go to Admin > Workspaces.
- Find the workspace you want to manage.
- Click the action menu. > Select Grant user access. >Choose the user.
- Select the role the user should have in that workspace. > Click Confirm.
How role context affects permissions
You can assign predefined roles in different places, but not all roles grant permissions in every context.
For example, assigning the Workspace member role under Account access gives the user member access to all workspaces.
However, assigning the Account administrator role under Workspace access does not grant account administrator permissions.
INFORMATION Account-level workspace access applies to all workspaces. Workspace-level access applies only to the selected workspace. |
Manage a user’s access
If you need an overview of a specific user’s access and permissions, you can open the user settings.
To manage a user’s access:
- Go to Admin > Users.
- Click the user’s name.
From here, you can see:
- Which workspaces the user has access to
- Which role the user has in each workspace
- Whether the user has account administrator access
You can also update roles or remove access directly from this view.