Team collaboration & RBAC — complete guide
7 roles, invite + manage, ownership transfer, 2FA, API keys, audit log, notification preferences. Owner / admin / manager team setup hub.
Written By Salvatore Sinigaglia
Last updated About 4 hours ago
TL;DR: Wevion uses role levels (super_admin / admin / owner / manager / mediabuyer / finance / viewer) plus explicit permission groups in code. Add members, set roles, configure security (2FA + API keys), audit actions, manage Workspace Defaults + notifications. This pillar indexes everything team-related.
Table of contents
- Roles + permissions (7 roles)
- Invite + manage members
- Transfer ownership
- Workspace settings
- Audit log
- Security: 2FA + API keys
- Notifications preferences
- FAQ
- Next steps
Roles + permissions (7 roles)
Verified hierarchy (level): super_admin(100) > admin(90) > owner(80) > manager(70) > mediabuyer(60) > finance(50) > viewer(40).
- super_admin: cross-org (rare; typically Wevion internal)
- owner: workspace billing + full control
- admin: strategic / governance
- manager: campaign oversight + reads team data (no invites/role changes, no billing)
- mediabuyer: daily campaign ops; connects ad platforms
- finance: read-only on performance; can view invoices but cannot manage billing
- viewer: read-only
See team-101 roles + permissions overview.
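Why the hierarchy is paired with explicit permission groups, as an added example (not Wevion's own code): a level threshold alone would let admin and super_admin transfer ownership, which this guide reserves for the owner. The permission names and function names are hypothetical; the levels and allowed roles are the ones stated on this page.

```typescript
// Role levels exactly as listed in this guide.
const ROLE_LEVEL = {
  super_admin: 100,
  admin: 90,
  owner: 80,
  manager: 70,
  mediabuyer: 60,
  finance: 50,
  viewer: 40,
} as const;

type Role = keyof typeof ROLE_LEVEL;

// Hypothetical permission names; the role lists come from this guide.
const PERMISSION_GROUPS: Record<string, readonly Role[]> = {
  // "Only the owner can transfer (super_admin must act via impersonation)"
  "ownership.transfer": ["owner"],
  // Settings → Team → API Keys (super_admin/admin/owner)
  "api-keys.generate": ["super_admin", "admin", "owner"],
};

// Level-only check: grants the action to every role at or above minRole.
function allowedByLevel(role: Role, minRole: Role): boolean {
  return ROLE_LEVEL[role] >= ROLE_LEVEL[minRole];
}

// Explicit check: default deny unless the role is listed for the permission.
function allowedByGroup(role: Role, permission: string): boolean {
  const group = PERMISSION_GROUPS[permission];
  return group !== undefined && group.indexOf(role) !== -1;
}

// Roles that a level threshold would grant but the explicit group does not.
function overGrantedByLevel(permission: string, minRole: Role): Role[] {
  return (Object.keys(ROLE_LEVEL) as Role[]).filter(
    (r) => allowedByLevel(r, minRole) && !allowedByGroup(r, permission)
  );
}

// The threshold "owner or above" over-grants ownership transfer to two roles,
// while for API key generation the threshold and the group agree.
console.log(overGrantedByLevel("ownership.transfer", "owner"));
console.log(overGrantedByLevel("api-keys.generate", "owner"));
```

Running the same comparison for every permission in a review highlights where a level shortcut in a route guard would diverge from the documented policy.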
Invite + manage members
/settings → Team → Members → Invite member → email + role → invite sent.
- team-103 invite + manage members
- team-104 member status + activity
- Removed members lose access immediately; their history is preserved
Transfer ownership
Single owner per team. The current owner confirms with their password and picks a new owner from active members.
- team-105 transfer ownership
- Old owner is demoted to mediabuyer post-transfer
- Only the owner can transfer (super_admin must act via impersonation)
Workspace settings
Settings → Team → Workspace Defaults manages the team-wide dashboard preset, home hub layout, member policy flags, and conversion source. Timezone, currency, and language are personal display preferences under Settings → Personal → Appearance.
Audit log
Append-only record of all significant actions (create / update / delete / share / toggle).
/settings → Audit log (admin / owner).
- team-113 audit log
- API: GET /api/v1/audit-log (singular; filterable) + GET /api/v1/audit-log/export
- Action names use dot-notation (e.g. member.role-change, campaign.publish)
Security: 2FA + API keys
2FA (Two-Factor Authentication)
Strongly recommended for all users (mandatory for some workspace policies):
- TOTP authenticator (Google Authenticator, Authy, 1Password)
- Email OTP fallback
- Backup codes (save securely)
- tr-108 2FA recovery if device lost
API keys
Programmatic access (CI/CD, scripts, integrations):
- Generate at Settings → Team → API Keys (super_admin/admin/owner)
- Authenticate with the x-api-key header
- Per-key permissions (rate limit applied server-side, no per-key override)
- Hashed; full value shown once
Notifications preferences
Notification event types and channels are code-owned in notification-defaults.ts and related services. Legacy channels include in-app, email, push, and Telegram; Slack belongs to the newer notification/event work and should be verified before promising it here.
- team-115 notification center
- team-116 customize notifications
- Per-user + team-level overrides + role defaults (ROLE_DEFAULTS matrix)
FAQ
What's the max team size?
Per plan tier. See acc-108 pricing tiers.
Can one user belong to multiple teams?
Yes. Each team has its own RBAC + data isolation.
What's impersonation?
Super_admin / owner can impersonate other users via the x-impersonate-user header. The original admin is logged in request.adminUser for audit.
Can I have multiple admins?
Yes — the owner is single per team, but you can have multiple admins. Recommended for redundancy.
How do I deactivate (vs remove) a user?
From Settings → Team → People, the row menu offers Deactivate (locks them out, keeps the seat) and Remove (removes them from the team). See team-107. For permanent GDPR deletion, contact support.
External collaborators?
Two paths: invite as Wevion member (full Wevion access) OR share specific Creative Hub files via Drive permissions (ch-105 share external).
Next steps
- First-time setup: team-101 roles + permissions → team-103 invite members → team-111 2FA setup
- Workspace transition: team-105 transfer ownership
- Audit / compliance review: team-113 audit log
- Security incident: tr-108 2FA recovery + contact support
Last updated: 2026-05-17