Roles & permissions

Roles are how you decide what people can and can’t do in your workspace. Instead of flipping dozens of switches for every person, you group permissions into a role and assign that role to members. It keeps access simple to reason about and easy to change.

How it works, in plain terms

Think of a permission as a single “you may do this” — for example, invite users or manage billing. A role is a labeled bundle of those permissions, like a key ring. When you give someone a role, they get every permission on that ring.

This approach is called role-based access control (RBAC). Its whole point is that you manage a few roles, not hundreds of individual settings.

Built-in roles

Every workspace starts with sensible defaults:

Role	Roughly speaking
Admin	Full control — manage members, roles, billing, and account settings.
User	A regular member who can collaborate across the workspace.

Most people should be Users. Keep the number of Admins small — just enough that your team is never locked out.

Custom roles

Admins can create custom roles when the built-in two aren’t enough. A custom role is your own named bundle of permissions — handy when you want, say, a “Billing manager” who can handle invoices but not change everyone’s roles. You pick exactly which permissions go on the ring.

Examples of the kinds of permissions you can grant:

Invite users
Manage roles
Manage billing
Manage account settings

The golden rule: the server decides

Here’s the most important thing to understand, and it’s good news for your security.

This means you can trust roles to actually protect your data, not just declutter the interface.

External guests

Guests are a special, system-managed role for people outside your workspace whom you’ve invited into specific conversations. They’re deliberately limited — they see only what you’ve shared with them, not your whole workspace. See Invites & guests for the details.