Scope permission grants — roles on org, workspace or team
Grant a user a role on a specific organization, workspace, legal entity or team at Settings → RBAC → Permissions. Admin+ at that scope required.
Written By Salvatore Sinigaglia
Last updated About 2 hours ago
Permission grants give a specific user a role on a specific scope — an organization, workspace, legal entity, or team. They live at Settings → RBAC → Permissions (/settings/rbac/permissions) and let super_admin, admin, and owner roles assign granular access beyond a person's base role. Each grant is a single row you can create and revoke.
Who is this for
Admins running multi-scope setups (agencies, holdings, multi-brand teams) who need to give someone, say, manager on one workspace and viewer on another — instead of one blanket role everywhere.
What a grant is
A grant binds four things:
The page lists the current grants for the organization scope, showing each user (name, email, or ID), their role, and the scope_type:scope_id they hold it on.
Grant a role
- Open Settings → RBAC → Permissions.
- Click Grant permission.
- Fill the dialog:
  - User ID — the user to grant to.
  - Role — pick from admin, owner, manager, mediabuyer, finance, viewer.
  - Scope type — organization, workspace, legal entity, or team.
  - Scope ID — the ID of the specific scope.
- Confirm. Backend calls POST /api/v1/rbac/permissions. You must hold admin-level access at the target scope for the grant to succeed.
Revoke a grant
- Find the grant in the list.
- Click the trash icon and confirm.
- The grant is soft-deleted. Backend calls DELETE /api/v1/rbac/permissions/:id.
How grants relate to base roles
A user's effective access is the combination of their base role and any explicit grants. Grants are the mechanism for scoped roles — different roles on different workspaces or teams — whereas a base role applies broadly. For the day-to-day flow of setting a member's role, see assign roles; for the full role model, see roles and permissions overview.
Roles and access
- Listing, granting, and revoking all require super_admin, admin, or owner.
- The backend additionally checks you have admin-level access at the requested scope — you can only grant within scopes you administer (super_admin acts globally).
- Grants are soft-deleted on revoke, so history is preserved.
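The two-layer check and the soft delete described above, modelled as an added example (not Wevion's backend code). Assumptions: "admin-level access" at a scope means a live admin or owner grant on that exact scope, with no inheritance between scopes, and the scope type strings and class names are illustrative.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

MANAGER_BASE_ROLES = {"super_admin", "admin", "owner"}  # may list, grant, revoke
GRANTABLE_ROLES = {"admin", "owner", "manager", "mediabuyer", "finance", "viewer"}
SCOPE_TYPES = {"organization", "workspace", "legal_entity", "team"}  # spellings assumed
ADMIN_LEVEL = {"admin", "owner"}  # assumption: roles that count as admin-level at a scope

@dataclass
class Grant:
    id: int
    user_id: str
    role: str
    scope_type: str
    scope_id: str
    revoked_at: Optional[datetime] = None  # set on revoke; the row is never removed

class GrantStore:
    def __init__(self, base_roles):
        self.base_roles, self.grants = base_roles, []  # base_roles: user_id -> role

    def _administers(self, actor, scope_type, scope_id):
        # super_admin acts globally; anyone else needs a live admin-level grant here
        return self.base_roles.get(actor) == "super_admin" or any(
            g.user_id == actor and g.role in ADMIN_LEVEL and g.revoked_at is None
            and (g.scope_type, g.scope_id) == (scope_type, scope_id) for g in self.grants)

    def _authorize(self, actor, scope_type, scope_id):
        if self.base_roles.get(actor) not in MANAGER_BASE_ROLES:
            raise PermissionError("base role may not manage grants")
        if not self._administers(actor, scope_type, scope_id):
            raise PermissionError("no admin-level access at the target scope")

    def grant(self, actor, user_id, role, scope_type, scope_id):
        if role not in GRANTABLE_ROLES or scope_type not in SCOPE_TYPES:
            raise ValueError("unknown role or scope type")
        self._authorize(actor, scope_type, scope_id)
        self.grants.append(Grant(len(self.grants) + 1, user_id, role, scope_type, scope_id))
        return self.grants[-1]

    def revoke(self, actor, grant_id):
        g = next(x for x in self.grants if x.id == grant_id and x.revoked_at is None)
        self._authorize(actor, g.scope_type, g.scope_id)
        g.revoked_at = datetime.now(timezone.utc)  # soft delete keeps the history

    def active_roles(self, user_id):
        return {(g.scope_type, g.scope_id): g.role for g in self.grants
                if g.user_id == user_id and g.revoked_at is None}
```

Because the scope check only counts grants with no revoked_at, revoking an administrator's own grant also ends their ability to grant or revoke on that scope.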
FAQ
How do I give someone a role on just one workspace?
Open Settings → RBAC → Permissions as a super_admin, admin, or owner and click Grant permission. Enter the user's ID, pick the role, set the scope type to workspace, and provide that workspace's scope ID. Wevion creates a scoped grant via POST /api/v1/rbac/permissions, giving the user that role only on the chosen workspace. You must administer the target scope for the grant to succeed.
What scopes can I grant a role on?
Wevion supports four scope types for permission grants: organization, workspace, legal entity, and team. Each grant pairs a role (admin, owner, manager, mediabuyer, finance, or viewer) with a specific scope ID, so the same user can hold different roles on different scopes. The backend requires you to have admin-level access at the target scope before it accepts the grant.
How do I revoke someone's scoped access?
On Settings → RBAC → Permissions, find the grant in the list, click the trash icon, and confirm. Wevion soft-deletes the grant via DELETE /api/v1/rbac/permissions/:id, so the record is preserved for audit while the access is removed. Revoking requires a super_admin, admin, or owner role with administrative access to the grant's scope.
What's the difference between a base role and a permission grant?
A base role applies broadly to a user's account, while a permission grant assigns a role on one specific scope — an organization, workspace, legal entity, or team. Grants let you give someone, for example, manager on one workspace and viewer on another. Effective access combines the base role with any explicit scoped grants; use grants for granular, per-scope access.
Last updated: 2026-07-02