Roles and permissions
What each role can do — Owner, Admin, Editor, Reviewer, Viewer.
Last updated May 12, 2026
The five roles
| Role | Description |
|---|---|
| Owner | Workspace creator. Full access plus billing and workspace deletion. One per workspace. |
| Admin | Everything except billing and role-elevation. Multiple allowed. |
| Editor | Create, edit, approve drafts; run audits; publish. The default for content team members. |
| Reviewer | Read everything; approve / reject drafts. No publishing. For copy editors and legal reviewers. |
| Viewer | Read-only across the workspace. For clients and stakeholders. |
Permission matrix
| Action | Owner | Admin | Editor | Reviewer | Viewer |
|---|---|---|---|---|---|
| View companies, audits, content | ✓ | ✓ | ✓ | ✓ | ✓ |
| Create / edit company | ✓ | ✓ | ✓ | — | — |
| Run audit | ✓ | ✓ | ✓ | — | — |
| Create / edit draft | ✓ | ✓ | ✓ | — | — |
| Approve / reject draft | ✓ | ✓ | ✓ | ✓ | — |
| Publish | ✓ | ✓ | ✓ | — | — |
| Manage integrations | ✓ | ✓ | — | — | — |
| Manage team | ✓ | ✓ | — | — | — |
| Promote / demote roles | ✓ | — | — | — | — |
| Access audit log | ✓ | ✓ | — | — | — |
| Manage API keys | ✓ | ✓ | — | — | — |
| Manage billing | ✓ | — | — | — | — |
| Delete workspace | ✓ | — | — | — | — |
Choosing a role
- External clients viewing progress? Viewer.
- In-house copywriter? Editor.
- Outside copy editor or legal reviewer? Reviewer.
- Marketing manager running the program? Admin.
- CFO who pays the bill? Owner (or just give them access to the billing portal email).
When in doubt, lean smaller. You can elevate later. Demoting is rare.
The Owner role
Exactly one Owner per workspace. The Owner:
- Created the workspace, OR
- Was promoted to Owner by the previous Owner (which automatically demotes the previous Owner to Admin), OR
- Took over via a transfer (rare; CS-assisted).
The Owner cannot remove themselves without first promoting another user to Owner. This prevents accidental orphan workspaces.
Domain restrictions
Workspaces can enforce that new invites come from a specific email domain:
Settings → Team → Domain restriction → Add domain (e.g. acme.com).
Once on, only invites to addresses on the allowed domain succeed. Useful for enterprises avoiding accidental personal-Gmail invites.
SSO and SCIM
Available on the Domination tier:
- SAML SSO with Okta, Azure AD, Google Workspace.
- SCIM provisioning for auto-create / auto-deactivate as employees join and leave your IdP.
Setup steps live at /docs/sso-setup (to be added in a future round).
Role of API keys
API keys are NOT users. They're workspace-scoped credentials with their own permission set. A key can be read-only or read-write, scoped to one company or all. See API keys and Authentication.
Audit-log visibility per role
Owners and Admins see the full audit log. Editors, Reviewers, and Viewers see a personal-actions-only filtered view: their own actions, but not the team's. This keeps the log useful for forensic purposes without overexposing team-internal observability to outside parties.
See also
- Team invites — how to send and manage invites.
- Workspace switching — for users who belong to multiple workspaces.
- Inviting your team — the original onboarding doc.
Was this article helpful?