Scope permission grants — roles on org, workspace or team

Grant a user a role on a specific organization, workspace, legal entity or team at Settings → RBAC → Permissions. Admin+ at that scope required.

Written By Salvatore Sinigaglia

Last updated About 2 hours ago

Grant a user a role on a specific organization, workspace, legal entity or team at Settings → RBAC → Permissions. Admin+ at that scope required.

Scope permission grants — roles on org, workspace or team

Permission grants give a specific user a role on a specific scope — an organization, workspace, legal entity, or team. They live at Settings → RBAC → Permissions (/settings/rbac/permissions) and let super_admin, admin, and owner roles assign granular access beyond a person's base role. Each grant is a single row you can create and revoke.

Who is this for

Admins running multi-scope setups (agencies, holdings, multi-brand teams) who need to give someone, say, manager on one workspace and viewer on another — instead of one blanket role everywhere.

What a grant is

A grant binds four things:

FieldMeaning
UserThe user receiving the role (by user ID).
RoleThe role to assign: admin, owner, manager, mediabuyer, finance, or viewer.
Scope typeWhere it applies: organization, workspace, legal entity, or team.
Scope IDThe specific organization/workspace/entity/team the role applies to.

The page lists the current grants for the organization scope, showing each user (name, email, or ID), their role, and the scope_type:scope_id they hold it on.

Grant a role

  1. Open Settings → RBAC → Permissions.
  2. Click Grant permission.
  3. Fill the dialog:
    • User ID — the user to grant to.
    • Role — pick from admin, owner, manager, mediabuyer, finance, viewer.
    • Scope type — organization, workspace, legal entity, or team.
    • Scope ID — the ID of the specific scope.
  4. Confirm. Backend calls POST /api/v1/rbac/permissions. You must hold admin-level access at the target scope for the grant to succeed.

Revoke a grant

  1. Find the grant in the list.
  2. Click the trash icon and confirm.
  3. The grant is soft-deleted. Backend calls DELETE /api/v1/rbac/permissions/:id.

How grants relate to base roles

A user's effective access is the combination of their base role and any explicit grants. Grants are the mechanism for scoped roles — different roles on different workspaces or teams — whereas a base role applies broadly. For the day-to-day flow of setting a member's role, see assign roles; for the full role model, see roles and permissions overview.

Roles and access

  • Listing, granting, and revoking all require super_admin, admin, or owner.
  • The backend additionally checks you have admin-level access at the requested scope — you can only grant within scopes you administer (super_admin acts globally).
  • Grants are soft-deleted on revoke, so history is preserved.

FAQ

How do I give someone a role on just one workspace?

Open Settings → RBAC → Permissions as a super_admin, admin, or owner and click Grant permission. Enter the user's ID, pick the role, set the scope type to workspace, and provide that workspace's scope ID. Wevion creates a scoped grant via POST /api/v1/rbac/permissions, giving the user that role only on the chosen workspace. You must administer the target scope for the grant to succeed.

What scopes can I grant a role on?

Wevion supports four scope types for permission grants: organization, workspace, legal entity, and team. Each grant pairs a role (admin, owner, manager, mediabuyer, finance, or viewer) with a specific scope ID, so the same user can hold different roles on different scopes. The backend requires you to have admin-level access at the target scope before it accepts the grant.

How do I revoke someone's scoped access?

On Settings → RBAC → Permissions, find the grant in the list, click the trash icon, and confirm. Wevion soft-deletes the grant via DELETE /api/v1/rbac/permissions/:id, so the record is preserved for audit while the access is removed. Revoking requires a super_admin, admin, or owner role with administrative access to the grant's scope.

What's the difference between a base role and a permission grant?

A base role applies broadly to a user's account, while a permission grant assigns a role on one specific scope — an organization, workspace, legal entity, or team. Grants let you give someone, for example, manager on one workspace and viewer on another. Effective access combines the base role with any explicit scoped grants; use grants for granular, per-scope access.

Steps

  1. Open Settings → RBAC → Permissions.
  2. Click Grant permission.
  3. Fill the dialog:
  4. Confirm. Backend calls POST /api/v1/rbac/permissions. You must hold admin-level access at the target scope for the grant to succeed.

Last updated: 2026-07-02