Roles and Permissions — Who Can Do What
Last updated: April 18, 2026
Wevion uses a role-based access control (RBAC) system to manage what each team member can see and do. Understanding roles is essential for setting up your team securely.
Prerequisites
- An Wevion account with an active subscription
- Owner or Super Admin access to manage team roles
How It Works
Every user in Wevion is assigned a role that determines their access level. Roles are hierarchical — higher roles include all permissions of lower roles.
Role Hierarchy
| Role | Level | Description |
|---|---|---|
| Super Admin | 100 | Full platform access. Bypasses all plan guards and can see all users across the platform. Reserved for platform administrators. |
| Owner | 80 | Workspace owner. Can manage team members, view all team data, impersonate media buyers, and access billing settings. |
| Media Buyer | 60 | Standard user. Can manage their own campaigns, ad accounts, and assets. Cannot see other team members' data. |
Permission Matrix
| Action | Super Admin | Owner | Media Buyer |
|---|---|---|---|
| View own dashboard & campaigns | Yes | Yes | Yes |
| Create/edit/publish campaigns | Yes | Yes | Yes |
| Connect Meta accounts | Yes | Yes | Yes |
| View own ad accounts & assets | Yes | Yes | Yes |
| Access Ads Manager | Yes | Yes | Yes |
| Use Campaign Launcher | Yes | Yes | Yes |
| Create/manage automation rules | Yes | Yes | Yes |
| View team members' data | Yes | Yes | No |
| Invite/remove team members | Yes | Yes | No |
| Impersonate team members | Yes | Yes | No |
| Access billing & subscription | Yes | Yes | No |
| View all users (platform-wide) | Yes | No | No |
| Bypass plan guards | Yes | No | No |
Data Isolation
Data in Wevion is isolated by session_id (your user ID). This ensures:
- Media Buyers can only see their own campaigns, ad accounts, insights, and assets
- Owners can see their own data plus all data from their team members (including deactivated members, to preserve historical data)
- Super Admins can see all data across the entire platform
This isolation is enforced at the database level — there is no way for a media buyer to access another user's data.
Step-by-Step Guide
Checking a Team Member's Role
- Navigate to Teams in the left sidebar (Owner/Super Admin only)
- The team members list shows each member's name, email, role, and status
- Each member's role is displayed in the Role column
Understanding Impersonation
Owners can "impersonate" a media buyer to see the platform from their perspective:
- Go to Teams
- Click on a team member
- Select Impersonate
- You'll now see the platform as that media buyer sees it
- A banner at the top reminds you that you're impersonating
- Click Exit Impersonation to return to your own view
Note: Impersonation is read-only in practice — it lets you view a media buyer's data but the session is identified as impersonation in logs.
Options and Configuration
| Setting | Who Can Change It | Description |
|---|---|---|
| Team member role | Owner, Super Admin | Set when inviting a member |
| Team member status | Owner, Super Admin | Active or deactivated |
| Data visibility | System-enforced | Based on role hierarchy |
FAQ
Can I create custom roles? No. Wevion currently supports three fixed roles: Super Admin, Owner, and Media Buyer. Custom roles are not available.
Can I change a team member's role after they join? Yes. Roles can be changed after a member has joined. Owners can update any member's role from the Team Management page.
What happens when a team member is deactivated? Their account is disabled (they cannot log in), but their historical data (spend, campaigns, conversions) remains visible to the owner. This ensures reports and aggregations are not affected.
Can a media buyer see other media buyers on the same team? No. Media buyers can only see their own data. They cannot see who else is on the team or access anyone else's campaigns or ad accounts.
Can I have multiple owners? No. Each workspace has one owner. If you need to transfer ownership, see Transferring Workspace Ownership.