Team collaboration & RBAC — complete guide

7 roles, invite + manage, ownership transfer, 2FA, API keys, audit log, notification preferences. Owner / admin / manager team setup hub.

Written By Salvatore Sinigaglia

Last updated About 4 hours ago

TL;DR: Wevion uses role levels (super_admin / admin / owner / manager / mediabuyer / finance / viewer) plus explicit permission groups in code. Add members, set roles, configure security (2FA + API keys), audit actions, manage Workspace Defaults + notifications. This pillar indexes everything team-related.

Roles + permissions (7 roles)

Verified hierarchy (level): super_admin(100) > admin(90) > owner(80) > manager(70) > mediabuyer(60) > finance(50) > viewer(40).

  • super_admin: cross-org (rare; typically Wevion internal)
  • owner: workspace billing + full control
  • admin: strategic / governance
  • manager: campaign oversight + reads team data (no invites/role changes, no billing)
  • mediabuyer: daily campaign ops; connects ad platforms
  • finance: read-only on performance; can view invoices but cannot manage billing
  • viewer: read-only

See team-101 roles + permissions overview.

Invite + manage members

/settings → Team → Members → Invite member → email + role → invite sent.

Transfer ownership

Single owner per team. The current owner confirms with their password and picks a new owner from active members.

  • team-105 transfer ownership
  • Old owner is demoted to mediabuyer post-transfer
  • Only the owner can transfer (super_admin must act via impersonation)

Workspace settings

Settings → Team → Workspace Defaults manages the team-wide dashboard preset, home hub layout, member policy flags, and conversion source. Timezone, currency, and language are personal display preferences under Settings → Personal → Appearance.

Audit log

Append-only record of all significant actions (create / update / delete / share / toggle).

/settings → Audit log (admin / owner).

  • team-113 audit log
  • API: GET /api/v1/audit-log (singular; filterable) + GET /api/v1/audit-log/export
  • Action names use dot-notation (e.g. member.role-change, campaign.publish)
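Added example, not Wevion's code: a Node.js triage pass over an audit-log export that uses this guide's role levels and the member.role-change action name to surface the role changes worth reviewing first. The newline-delimited JSON layout, its field names (ts, actor, target, from, to, adminUser) and the owner-level threshold are assumptions, and the sample records are constructed.

```javascript
// Role levels exactly as listed in this guide's hierarchy. A Map avoids
// prototype keys such as "constructor" being mistaken for role names.
const ROLE_LEVEL = new Map(Object.entries({ super_admin: 100, admin: 90,
  owner: 80, manager: 70, mediabuyer: 60, finance: 50, viewer: 40 }));

// Constructed sample export, one JSON object per line. Field names are
// assumptions, not Wevion's documented schema; action names follow the guide.
const SAMPLE_EXPORT = [
  '{"ts":"2026-05-01T09:00:00Z","actor":"bob@example.test","action":"campaign.publish"}',
  '{"ts":"2026-05-01T09:05:00Z","actor":"alice@example.test","target":"carol@example.test","action":"member.role-change","from":"viewer","to":"admin"}',
  '{"ts":"2026-05-01T09:10:00Z","actor":"dave@example.test","target":"dave@example.test","action":"member.role-change","from":"mediabuyer","to":"manager"}',
  '{"ts":"2026-05-01T09:15:00Z","actor":"erin@example.test","target":"frank@example.test","action":"member.role-change","from":"manager","to":"viewer"}',
  '{"ts":"2026-05-01T09:20:00Z","actor":"gina@example.test","target":"hank@example.test","action":"member.role-change","from":"finance","to":"mediabuyer","adminUser":"root@example.test"}',
  '{"ts":"2026-05-01T09:25:00Z","actor":"ivan@example.test","target":"judy@example.test","action":"member.role-change","from":"viewer","to":"superuser"}',
  'not-json',
].join("\n");

// Return the events a reviewer should look at first.
// minLevel defaults to owner (80), an assumed threshold: per this guide,
// owner-level roles and above can generate API keys.
function reviewRoleChanges(ndjson, minLevel = ROLE_LEVEL.get("owner")) {
  const findings = [];
  for (const line of ndjson.split("\n")) {
    if (!line.trim()) continue;
    let e;
    try { e = JSON.parse(line); }
    catch { findings.push({ reasons: ["unparseable"], raw: line }); continue; }
    if (e?.action !== "member.role-change") continue;
    const from = ROLE_LEVEL.get(e.from);
    const to = ROLE_LEVEL.get(e.to);
    const reasons = [];
    // A role name outside the known hierarchy cannot be ranked: surface it.
    if (from === undefined || to === undefined) reasons.push("unknown-role");
    else if (to > from && to >= minLevel) reasons.push("privileged-escalation");
    if (e.actor === e.target) reasons.push("self-change");
    if (e.adminUser) reasons.push("via-impersonation");
    if (reasons.length) {
      findings.push({ ts: e.ts, actor: e.actor, target: e.target,
                      change: `${e.from}->${e.to}`, reasons });
    }
  }
  return findings;
}

console.log(reviewRoleChanges(SAMPLE_EXPORT));
```

Demotions and non-role actions are skipped; lowering `minLevel` widens what counts as a privileged escalation.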

Security: 2FA + API keys

2FA (Two-Factor Authentication)

Strongly recommended for all users (mandatory for some workspace policies):

API keys

Programmatic access (CI/CD, scripts, integrations):

  • Generate at Settings → Team → API Keys (super_admin/admin/owner)
  • Authenticate with the x-api-key header
  • Per-key permissions (rate limit applied server-side, no per-key override)
  • Hashed; full value shown once
  • team-112 API keys

Notification preferences

Notification event types and channels are code-owned in notification-defaults.ts and related services. Legacy channels include in-app, email, push, and Telegram; Slack belongs to the newer notification/event work and should be verified before promising it here.

FAQ

What's the max team size?

Per plan tier. See acc-108 pricing tiers.

Can one user belong to multiple teams?

Yes. Each team has its own RBAC + data isolation.

What's impersonation?

super_admin / owner can impersonate other users via the x-impersonate-user header. The original admin is logged in request.adminUser for audit.

Can I have multiple admins?

Yes — the owner is single per team, but you can have multiple admins. Recommended for redundancy.

How do I deactivate (vs remove) a user?

From Settings → Team → People, the row menu offers Deactivate (locks them out, keeps the seat) and Remove (removes them from the team). See team-107. For permanent GDPR deletion, contact support.

External collaborators?

Two paths: invite as Wevion member (full Wevion access) OR share specific Creative Hub files via Drive permissions (ch-105 share external).

Last updated: 2026-05-17