Team collaboration & RBAC — complete guide
Last updated: May 19, 2026
Team collaboration & RBAC — complete guide
TL;DR: Wevion uses 7 roles (super_admin / admin / owner / manager / mediabuyer / finance / viewer) with hierarchical permissions. Add members, set roles, configure security (2FA + API keys), audit actions, manage Workspace Defaults + notifications. This pillar indexes everything team-related.
Table of contents
Roles + permissions (7 roles)
Verified hierarchy (level): super_admin(100) > admin(90) > owner(80) > manager(70) > mediabuyer(60) > finance(50) > viewer(40).
super_admin: cross-org (rare; typically Wevion internal)owner: workspace billing + full controladmin: strategic / governancemanager: team management + oversightmediabuyer: daily campaign opsfinance: billing-related onlyviewer: read-only
See team-101 roles + permissions overview.
Invite + manage members
/settings → Team → Members → Invite member → email + role → invite sent.
Removed members lose access immediately; their history preserved
Transfer ownership
Single owner per team. Outgoing owner picks new owner → new owner accepts.
Old owner becomes admin (or removed) post-transfer
Always have backup admins (solo-owner = single point of failure)
Workspace settings
/settings → Workspace:
Default currency
Default timezone
Branding (logo, colors)
Domain (custom for enterprise tier)
Audit log
Append-only record of all significant actions (create / update / delete / share / toggle).
/settings → Audit log (admin / owner).
API:
GET /api/v1/audit-logs(filterable)
Security: 2FA + API keys
2FA (Two-Factor Authentication)
Strongly recommended for all users (mandatory for some workspace policies):
TOTP authenticator (Google Authenticator, Authy, 1Password)
Email OTP fallback
Backup codes (save securely)
tr-108 2FA recovery if device lost
API keys
Programmatic access (CI/CD, scripts, integrations):
Generate at
/settings → API keysPer-key scope + rate limit
Hashed; full value shown once
Notifications preferences
22 notification types × 5 channels (in-app, email, push, Telegram, Slack).
Per-user + team-level overrides + role defaults (ROLE_DEFAULTS matrix)
FAQ
What's the max team size?
Per plan tier. See acc-108 pricing tiers.
Can one user belong to multiple teams?
Yes. Each team has its own RBAC + data isolation.
What's impersonation?
Super_admin / owner can impersonate other users via x-impersonate-user header. Original admin logged in request.adminUser for audit.
Can I have multiple admins?
Yes — unlike owner (single per team), admin role can have multiple. Recommended for redundancy.
How do I deactivate (vs delete) a user?
Remove from team via team-103 — they lose access; history preserved. For permanent GDPR deletion: contact admin → support.
External collaborators?
Two paths: invite as Wevion member (full Wevion access) OR share specific Creative Hub files via Drive permissions (ch-105 share external).
Next steps
First-time setup: team-101 roles + permissions → team-103 invite members → team-114 2FA setup
Workspace transition: team-105 transfer ownership
Audit / compliance review: team-113 audit log
Security incident: tr-108 2FA recovery + contact support
Related
ai-110 Wavo privacy — AI data isolation in team