Roles and Permissions
Ansehn uses a two-tier role-based access control (RBAC) system that provides granular control over what users can do within your organization. This guide will help you understand the available roles, their permissions, and how to effectively manage access for your team.
For detailed information on inviting users to Ansehn, please visit our Invite users page.
Two-Tier Role System
Ansehn operates on two levels:
- Organization Role: Your baseline role in the organization (controls access to billing, team management, and organization settings)
- Project Role: Project-specific roles that can differ from your organization role
This separation allows for flexible access control where users can have different roles for different projects while maintaining a consistent organization role.
Available Roles
Ansehn provides four distinct roles, each designed for specific use cases:
Role | Best For | Key Capabilities |
---|---|---|
Owner | Founders, executives | Full access including billing, team management, and all features |
Admin | Managers, directors | Project management, team invitations, analytics (limited org management) |
Agency | External partners, consultants | Full project access with collaboration capabilities |
Viewer | Stakeholders, read-only users | View-only access to projects and analytics |
Project Role Overrides
One of Ansehn's most powerful features is the ability to grant users different roles for specific projects. This allows for fine-grained access control tailored to your organizational structure.
How It Works
A user's effective permissions for a project are determined by resolving:
- Organization Role (baseline): Their default role in the organization
- Project Role (override): A project-specific role that can differ from their org role
The project role completely overrides the organization role for that specific project, granting the permissions associated with the project role instead.
Example Scenarios
Scenario 1: Elevated Project Access
User Sarah
- Organization Role: Viewer
- Project Role "Client Project A": Admin
- Project Role "Client Project B": No Access
Result:
- Has no access to Organization settings
- Has full Admin access to "Client Project A"
- "Client Project B" does not even appear in the project list
Effective Result: User Sarah has Admin permissions on Project Client Project A, Viewer permissions everywhere else.
Understanding Roles vs. Permissions
Roles and Permissions are related but distinct concepts:
- Roles: Labels assigned to users (Owner, Admin, Agency, Viewer)
- Permissions: Specific capabilities granted by those roles (canCreateProjects, canEditMonitors, etc.)
The relationship: Role → Grants → Permissions
For example, the Admin role automatically grants permissions like canCreateMonitors, canEditPrompts, canViewAnalytics, etc.
Permission Comparison Matrix
Organization-Level Permissions
Permission | Owner | Admin | Agency | Viewer |
---|---|---|---|---|
Organization Management | ||||
View organization settings | ✅ | ✅ | ❌ | ❌ |
Edit organization settings | ✅ | ✅ | ❌ | ❌ |
Delete organization | ✅ | ❌ | ❌ | ❌ |
Manage API keys | ✅ | ❌ | ❌ | ❌ |
Configure integrations | ✅ | ✅ | ❌ | ❌ |
Billing & Subscriptions | ||||
View billing information | ✅ | ✅ | ❌ | ❌ |
Manage subscriptions | ✅ | ✅ | ❌ | ❌ |
Team Management | ||||
View team members | ✅ | ✅ | ✅ | ✅ |
Invite users | ✅ | ✅ | ❌ | ❌ |
Change user roles | ✅ | ✅ | ❌ | ❌ |
Remove users | ✅ | ❌ | ❌ | ❌ |
Deactivate users | ✅ | ❌ | ❌ | ❌ |
Project Management | ||||
Create projects | ✅ | ✅ | ✅ | ❌ |
Delete projects | ✅ | ✅ | ❌ | ❌ |
Project-Level Permissions
Permission | Owner | Admin | Agency | Viewer |
---|---|---|---|---|
Project Access | ||||
View projects | ✅ | ✅ | ✅ | ✅ |
Edit projects | ✅ | ✅ | ✅ | ❌ |
Monitors | ||||
View monitors | ✅ | ✅ | ✅ | ✅ |
Create monitors | ✅ | ✅ | ✅ | ❌ |
Edit monitors | ✅ | ✅ | ✅ | ❌ |
Delete monitors | ✅ | ✅ | ❌ | ❌ |
Prompts | ||||
View prompts | ✅ | ✅ | ✅ | ✅ |
Create prompts | ✅ | ✅ | ✅ | ❌ |
Edit prompts | ✅ | ✅ | ✅ | ❌ |
Delete prompts | ✅ | ✅ | ❌ | ❌ |
Execute prompts | ✅ | ✅ | ✅ | ❌ |
Analytics & Data | ||||
View analytics | ✅ | ✅ | ✅ | ✅ |
Export data | ✅ | ✅ | ✅ | ❌ |
View competitor data | ✅ | ✅ | ✅ | ✅ |
Access advanced analytics | ✅ | ✅ | ✅ | ❌ |
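The override rule from "How It Works" combined with a few rows of the project-level matrix above, as an added example (this is not Ansehn's code). The `"None"` sentinel, the function names, the project "Internal Project" and the permission name `canDeleteMonitors` are assumptions made for illustration; the other permission names appear on this page.

```python
NO_ACCESS = "None"  # assumed sentinel for a project role of "None" / "No Access"

# Subset of the project-level matrix. canDeleteMonitors is a hypothetical
# name for the "Delete monitors" row; the other names appear on the page.
EDIT_SET = {"canViewAnalytics", "canCreateMonitors", "canEditMonitors", "canEditPrompts"}
PROJECT_PERMISSIONS = {
    "Owner": EDIT_SET | {"canDeleteMonitors"},
    "Admin": EDIT_SET | {"canDeleteMonitors"},
    "Agency": set(EDIT_SET),
    "Viewer": {"canViewAnalytics"},
}


def effective_role(org_role, project_roles, project):
    """Return the role that applies on `project`, or None if it is hidden.

    A project role, when present, replaces the organization role for that
    project; it can raise access (Viewer -> Admin) or remove it ("None").
    """
    role = project_roles.get(project, org_role)
    if role == NO_ACCESS:
        return None
    if role not in PROJECT_PERMISSIONS:
        # Fail closed: an unknown or misspelled role grants nothing.
        raise ValueError(f"unknown role: {role!r}")
    return role


def can(org_role, project_roles, project, permission):
    """True if the effective role on `project` grants `permission`."""
    role = effective_role(org_role, project_roles, project)
    return role is not None and permission in PROJECT_PERMISSIONS[role]


def visible_projects(org_role, project_roles, all_projects):
    """Projects that appear in the user's project list."""
    return [p for p in all_projects
            if effective_role(org_role, project_roles, p) is not None]


# Scenario 1 from this page, plus one constructed project without an override.
SARAH_ORG = "Viewer"
SARAH_PROJECTS = {"Client Project A": "Admin", "Client Project B": NO_ACCESS}
ALL_PROJECTS = ["Client Project A", "Client Project B", "Internal Project"]

if __name__ == "__main__":
    print(visible_projects(SARAH_ORG, SARAH_PROJECTS, ALL_PROJECTS))
    print(can(SARAH_ORG, SARAH_PROJECTS, "Client Project A", "canDeleteMonitors"))
```
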
Best Practices
Role Assignment Guidelines
Start Conservative, Promote Gradually
New User → Viewer → Agency → Admin → Owner
Begin with minimal access and increase permissions as trust and needs grow.
Use Project Overrides Strategically
- Client-specific access: Give external partners access only to their projects
- Confidential projects: Restrict access even for high-level roles
- Training projects: Give elevated access to specific projects for learning
Role Selection by Use Case
Use Case | Recommended Role | Project Overrides |
---|---|---|
External marketing agency | Agency | Admin on client projects |
Freelance consultant | Viewer | Admin on specific project |
Client stakeholder | Viewer | Viewer on their project only |
Department head | Admin | Admin on all department projects |
Executive oversight | Viewer | Viewer on all projects |
Finance/billing admin | Owner | N/A (needs org-level access) |
New employee (onboarding) | Viewer | Gradually add project access |
Security Recommendations
Regular Audits
- Review team members quarterly
- Remove inactive users promptly
- Verify role assignments match current responsibilities
- Check project-specific permissions for accuracy
Principle of Least Privilege
- Grant minimum necessary permissions
- Use project overrides to limit access
- Avoid making everyone an Admin
External Collaboration
- Use Agency role for external partners
- Apply project-specific permissions for client work
- Set project role to None for confidential projects
- Review external access during offboarding
Invitation Management
- Monitor pending invitations
- Expire and resend stale invitations
- Verify email addresses before sending
- Document who invited whom (automatic audit trail)
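One way to turn the audit checklist above into a repeatable review, as an added example (not an Ansehn tool or API). The record layout, field names and sample data are constructed, and the 90-day inactivity threshold is an assumption; the role order and the 48-hour invitation expiry come from this page.

```python
from datetime import datetime, timedelta

# Role order from "Start Conservative, Promote Gradually"; "None" ranks lowest.
RANK = {"None": 0, "Viewer": 1, "Agency": 2, "Admin": 3, "Owner": 4}
INVITE_TTL = timedelta(hours=48)     # invitations expire after 48 hours (page)
INACTIVE_AFTER = timedelta(days=90)  # assumption: one quarterly review cycle


def audit(members, invitations, now):
    """Return (subject, finding) pairs for a reviewer to confirm or fix."""
    findings = []
    for m in members:
        org = m["org_role"]
        if now - m["last_active"] > INACTIVE_AFTER:
            findings.append((m["email"], "inactive: remove or deactivate"))
        if m["external"] and RANK[org] > RANK["Agency"]:
            findings.append((m["email"], "external user above Agency at org level"))
        for project, role in sorted(m["project_roles"].items()):
            # An override above the org role can be intended (see the use-case
            # table), so it is listed for confirmation rather than rejected.
            if RANK[role] > RANK[org]:
                findings.append(
                    (m["email"], f"override raises access on {project}: {org} -> {role}"))
    for inv in invitations:
        if now - inv["sent"] > INVITE_TTL:
            findings.append((inv["email"], "invitation expired: resend or withdraw"))
    return findings


# Constructed sample data (hypothetical field names, example.com addresses).
NOW = datetime(2025, 1, 10, 12, 0)
MEMBERS = [
    {"email": "sarah@example.com", "org_role": "Viewer", "external": False,
     "last_active": datetime(2025, 1, 9),
     "project_roles": {"Client Project A": "Admin", "Client Project B": "None"}},
    {"email": "partner@agency.example", "org_role": "Admin", "external": True,
     "last_active": datetime(2025, 1, 8), "project_roles": {}},
    {"email": "old@example.com", "org_role": "Agency", "external": False,
     "last_active": datetime(2024, 9, 1), "project_roles": {}},
]
INVITES = [
    {"email": "new@example.com", "sent": datetime(2025, 1, 7, 9, 0)},
    {"email": "fresh@example.com", "sent": datetime(2025, 1, 10, 9, 0)},
]

if __name__ == "__main__":
    for subject, finding in audit(MEMBERS, INVITES, NOW):
        print(f"{subject}: {finding}")
```
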
FAQ and Troubleshooting
Can a user be promoted to Owner?
Yes, but only the current Owner can do this. Note that you can only have one Owner, so the current Owner would need to transfer ownership, which requires contacting support.
Can project permissions grant more access than the organization role?
Yes! This is a key feature. A Viewer at the organization level can have Admin access to specific projects through project role overrides.
What happens when a user is deactivated?
- User immediately loses access to the organization
- All historical data remains intact
- Project assignments are preserved
- Can be reactivated by Owner by contacting support.
Can Agency users invite other Agency users?
No. Only Owners and Admins can invite new team members.
Do project permissions affect billing access?
No. Billing access is purely organization-level. Only Owners and Admins can view/manage billing regardless of project permissions.
Can I have multiple Owners?
No. Only one Owner per organization is enforced by the system for security and accountability. Consider using Admin role for additional leadership team members.
What happens to projects when the Owner leaves?
Projects remain intact as they belong to the organization, not individual users. You'll need to assign a new Owner (contact support for ownership transfer).
I can't invite team members
- Check: Your role must be Owner or Admin
- Solution: Ask an Owner or Admin to invite the user, or request a role upgrade
A user can't see a specific project
- Check: Project-specific permissions might be set to "None"
- Solution: Navigate to Settings → Team → Edit user → Update project permissions
A user has too much access to a project
- Check: Either organization role is too high or project override is too permissive
- Solution: Either lower org role or add project-specific restriction
An invitation has expired
- Check: Invitations expire after 48 hours
- Solution: Resend invitation from Settings → Team → Pending Invitations