Roles and permissions — full reference
Last updated: May 19, 2026
Wevion has 7 roles organized by power level: super_admin (100) > admin (90) > owner (80) > manager (70) > mediabuyer (60) > finance (50) > viewer (40). Roles are assigned per workspace — the same user can be Owner in one workspace and Viewer in another. This article is the granular reference; for a 5-minute orientation see roles quickstart.
Who is this for
Admins setting permissions for the first time, owners restructuring access after a team grows, or anyone trying to figure out why they hit a "permission denied" error.
The 7 roles at a glance
| Role | Power | One-line description |
|---|---|---|
| super_admin | 100 | Organization-wide control across all workspaces. Reserved for platform admins. |
| admin | 90 | Full control of a single workspace including settings + integrations. |
| owner | 80 | Owns billing within a workspace (also full workspace control). |
| manager | 70 | Day-to-day campaign and people management; no billing access. |
| mediabuyer | 60 | Launches and edits campaigns; no team or billing access. |
| finance | 50 | Read-only on performance; full access to billing and invoices. |
| viewer | 40 | Read-only across the entire workspace. |
These values are authoritative — sourced from apps/backend/src/utils/roles.ts (ROLE_LEVELS).
Full permission matrix
✅ = allowed, — = blocked, 👁 = read-only
| Action | viewer | finance | mediabuyer | manager | admin / owner | super_admin |
|---|---|---|---|---|---|---|
| Dashboard & analytics | | | | | | |
| View dashboard + reports | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Export reports to CSV | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Use Cross-Channel Analytics | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Campaigns | | | | | | |
| View campaigns / ad sets / ads | ✅ | 👁 | ✅ | ✅ | ✅ | ✅ |
| Launch campaign | — | — | ✅ | ✅ | ✅ | ✅ |
| Edit campaign / ad set / ad | — | — | ✅ | ✅ | ✅ | ✅ |
| Pause / resume / archive | — | — | ✅ | ✅ | ✅ | ✅ |
| Bulk Launch | — | — | ✅ | ✅ | ✅ | ✅ |
| Delete campaign | — | — | — | ✅ | ✅ | ✅ |
| Creative Hub | | | | | | |
| View Creative Hub | ✅ | 👁 | ✅ | ✅ | ✅ | ✅ |
| Upload creatives | — | — | ✅ | ✅ | ✅ | ✅ |
| Use AI generation | — | — | ✅ | ✅ | ✅ | ✅ |
| Delete creatives | — | — | ✅ | ✅ | ✅ | ✅ |
| Rules Engine | | | | | | |
| View rules | ✅ | 👁 | ✅ | ✅ | ✅ | ✅ |
| Create / edit rules | — | — | ✅ | ✅ | ✅ | ✅ |
| Activate / deactivate rules | — | — | ✅ | ✅ | ✅ | ✅ |
| Delete rules | — | — | ✅ | ✅ | ✅ | ✅ |
| Wavo (AI assistant) | | | | | | |
| Ask Wavo questions | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Trigger Wavo actions | — | — | ✅ | ✅ | ✅ | ✅ |
| Integrations | | | | | | |
| View connected accounts | ✅ | 👁 | ✅ | ✅ | ✅ | ✅ |
| Connect new ad platform | — | — | — | ✅ | ✅ | ✅ |
| Disconnect platform | — | — | — | ✅ | ✅ | ✅ |
| Reconnect OAuth (expired token) | — | — | — | ✅ | ✅ | ✅ |
| Team management | | | | | | |
| View team / People page | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Invite new members | — | — | — | ✅ | ✅ | ✅ |
| Change member roles | — | — | — | ✅ | ✅ | ✅ |
| Remove members | — | — | — | ✅ | ✅ | ✅ |
| Transfer workspace ownership | — | — | — | — | ✅ owner only | ✅ |
| Billing | | | | | | |
| View invoices | — | ✅ | — | — | ✅ | ✅ |
| Update payment method | — | ✅ | — | — | ✅ | ✅ |
| Upgrade / downgrade plan | — | ✅ | — | — | ✅ owner only | ✅ |
| Buy extra seats | — | ✅ | — | — | ✅ owner only | ✅ |
| Cancel subscription | — | — | — | — | ✅ owner only | ✅ |
| Workspace settings | | | | | | |
| Edit Workspace Defaults | — | — | — | — | ✅ | ✅ |
| Edit workspace branding | — | — | — | — | ✅ | ✅ |
| Delete workspace | — | — | — | — | ✅ owner only | ✅ |
| Security | | | | | | |
| View own audit log entries | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| View workspace audit log | — | — | — | — | ✅ | ✅ |
| Export audit log | — | — | — | — | ✅ | ✅ |
| Create API keys (own) | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Revoke API keys (own) | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Impersonate user | — | — | — | — | ✅ owner only | ✅ |
| Cross-org impersonate | — | — | — | — | — | ✅ |
How permissions are enforced
The backend uses hasMinimumRole(userRole, minimumRole) from apps/backend/src/utils/roles.ts: your role's power level must meet or exceed the required level. Routes use onRequest: [app.requireRole(...)] decorators to gate access. The UI greys out buttons your role can't trigger and shows a tooltip explaining the reason.
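The threshold check described above can be compared with the matrix row by row. The TypeScript below is an added example, not Wevion's roles.ts: the levels come from the table on this page, the body of hasMinimumRole is an assumption, and ACTION_ROLES, rolesFor, isAllowed and asMinimumRole are hypothetical names. It shows which rows reduce to a single minimum-role check and which (billing, "owner only") need an explicit allow-list.

```typescript
// Added example, not Wevion's roles.ts. Levels are copied from the table on this page.
type Role = "super_admin" | "admin" | "owner" | "manager" | "mediabuyer" | "finance" | "viewer";

const ROLE_LEVELS: Record<Role, number> = {
  super_admin: 100, admin: 90, owner: 80, manager: 70,
  mediabuyer: 60, finance: 50, viewer: 40,
};
const ALL_ROLES = Object.keys(ROLE_LEVELS) as Role[];

// Name and argument order as given on this page; the body is an assumption.
function hasMinimumRole(userRole: Role, minimumRole: Role): boolean {
  return ROLE_LEVELS[userRole] >= ROLE_LEVELS[minimumRole];
}

// Hypothetical action keys; the role lists transcribe three rows of the matrix.
const ACTION_ROLES: Record<string, Role[]> = {
  "campaign.delete": ["manager", "owner", "admin", "super_admin"],
  "billing.view_invoices": ["finance", "owner", "admin", "super_admin"],
  "workspace.delete": ["owner", "super_admin"], // an "owner only" row
};

// Own-property lookup so inherited keys such as "constructor" resolve to no roles.
function rolesFor(action: string): Role[] {
  const known = Object.prototype.hasOwnProperty.call(ACTION_ROLES, action);
  return known ? (ACTION_ROLES[action] || []) : [];
}

// Deny by default: an action that is not listed is refused for every role.
function isAllowed(role: Role, action: string): boolean {
  return rolesFor(action).indexOf(role) !== -1;
}

// Returns the minimum role when the row is exactly equivalent to one
// hasMinimumRole() check, or null when a threshold would over- or under-grant.
function asMinimumRole(action: string): Role | null {
  const allowed = rolesFor(action);
  if (allowed.length === 0) return null;
  // Lowest-powered role the row allows.
  const floor = allowed.reduce((a, b) => (ROLE_LEVELS[a] <= ROLE_LEVELS[b] ? a : b));
  const sameSet = ALL_ROLES.every(
    (r) => hasMinimumRole(r, floor) === (allowed.indexOf(r) !== -1)
  );
  return sameSet ? floor : null;
}
```

A row for which asMinimumRole returns null is one to cover with a dedicated authorization test, since a threshold on its lowest allowed role would also admit every role above it.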
Roles vs Teams (different concept)
Don't confuse roles with Teams. Roles set what a user CAN do across the workspace. Teams (team_membership in DB) are an optional grouping inside a workspace used for per-ad-account sharing. You can have a workspace without ever creating a Team — assign roles directly.
Special: super_admin
super_admin is set at Organization level, not workspace level. It is visible to other super admins only and bypasses all workspace-level RBAC checks (getAccessibleTeamIds returns all). Use it sparingly: typically 1-2 super admins per Org (founder + CTO).
To grant super_admin, you must already be a super_admin. The first super_admin is set automatically on the user who creates the Organization.
Multi-workspace pattern
A common agency setup:
| Person | Workspace A (client 1) | Workspace B (client 2) | Workspace C (own ops) |
|---|---|---|---|
| Sara (founder) | super_admin | super_admin | super_admin |
| Marco (account mgr) | admin | admin | viewer |
| Luca (creative) | mediabuyer | viewer | mediabuyer |
| Anna (finance) | finance | finance | finance |
Each membership counts as 1 seat only if the user is unique — seats are per-Organization, not per-membership.
Customization
Custom roles are not supported. You're limited to the 7 built-in roles. Custom RBAC is on the roadmap (Enterprise customers can negotiate group-based filters via SSO).
Common questions
Can finance see ad performance? Yes, read-only. They can export reports for accounting but cannot edit campaigns.
Can a viewer use Wavo? Yes — they can ask questions. They cannot trigger actions (Wavo refuses, suggests they ask an admin).
Why does my admin see different things than another admin? Different workspaces. Roles are per-workspace.
Can a member be in multiple Teams within a workspace? Yes — each Team has its own scope of ad accounts.
What if a role's power level changes in a future release? The migration is handled automatically and documented in the release notes.
Related
Roles and permissions in 5 minutes — short orientation
The 3-tier hierarchy — where roles live
Assign and change roles — the operational article