Roles & permissions
Who can do what — the workspace role model and the special access controls.
Every member of a workspace has a role that controls what they can see and change. A few sensitive areas have their own access controls on top of roles.
Workspace roles
| Role | What they can do |
|---|---|
| Owner | Everything, including billing, budgets, and transferring or deleting the workspace |
| Admin | Full control except ownership and billing |
| Manager | Manage the team, goals, and projects, within granted permissions |
| Member | Work on the projects, issues, and goals they're part of |
There is also a system-level Superadmin role used to administer Aztra across workspaces — not something most users will encounter.
Manager permissions
Managers get a granular set of permissions rather than blanket access. Admins decide which projects and capabilities each manager can reach, under Settings → Manager Permissions.
Start people with the lowest role that lets them do their job, then promote as needed. You can change anyone's role from Settings → Members.
Special access controls
Some areas are gated independently of roles:
- Budget & costing — managing budgets requires explicit budget access, which only an owner can grant. Costing data (salaries, rates, shared-account costs) is owner-controlled.
- Approval configuration — setting up approval groups, templates, and per-project rules requires approval-config access.
Only owners can grant budget access, manage billing, and transfer or delete the workspace. Choose your owner carefully.
Related
- Workspace settings — where each of these is configured.
- Approvals — the approval workflow these permissions gate.