Workspace Roles & Permissions
Overview
CADENSA uses a role-based access control (RBAC) system to manage permissions within workspaces. Each team member is assigned a role that determines what they can view, create, edit, and delete.
Default Roles
CADENSA provides four default roles with increasing levels of access:
Viewer
Purpose: Read-only access for stakeholders who need visibility but not interaction.
Typical users:
- Clients who want to monitor progress
- Executives reviewing reports
- External auditors
- Observers
Key capabilities:
- View projects and tasks
- View team members
- View reports
- View workspace settings (but cannot edit)
Cannot:
- Track time
- Create or edit anything
- Invite members
- Change settings
Member
Purpose: Standard team member who tracks time and manages their own work.
Typical users:
- Developers
- Designers
- Freelancers
- Individual contributors
Key capabilities:
- Everything a Viewer can do, plus:
- Track time (start/stop timer)
- Create manual time entries
- Edit own time entries
- Delete own time entries
- View own reports
- Comment on tasks
Cannot:
- Edit others' time entries
- Create projects or tasks
- Invite or remove members
- Change workspace settings
- Approve time entries
Manager
Purpose: Team lead or project manager who oversees projects and team members.
Typical users:
- Project managers
- Team leads
- Department heads
- Account managers
Key capabilities:
- Everything a Member can do, plus:
- Create projects and tasks
- Edit projects and tasks
- Edit any team member's time entries
- Delete time entries
- Invite new members
- Remove members (except Owner)
- Change member roles (except Owner)
- Approve time entries (ENTERPRISE)
- Generate advanced reports
- Export data
Cannot:
- Delete projects
- Change workspace settings
- Delete workspace
- Transfer ownership
- Access billing settings
Owner
Purpose: Full administrative control over the workspace.
Typical users:
- Business owner
- Workspace creator
- Administrator
Key capabilities:
- Everything a Manager can do, plus:
- Change workspace settings
- Delete workspace
- Transfer ownership
- Manage billing settings
- Access audit logs (ENTERPRISE)
- Configure API access (ENTERPRISE)
- Set up SSO (ENTERPRISE) (Coming Soon)
Restrictions:
- Only one Owner per workspace
- Owner cannot be removed (must transfer ownership first)
- Owner role cannot be changed without transfer
Complete Permission Matrix
| Permission | Viewer | Member | Manager | Owner |
|---|---|---|---|---|
| Projects & Tasks | ||||
| View projects |  | | | |
| Create projects |  | | | |
| Edit projects | | | | |
| Archive projects | | | | |
| Delete projects | | | | |
| Create tasks | | | | |
| Edit tasks | | | | |
| Delete tasks | | | | |
| Assign tasks | | | | |
| Time Tracking | ||||
| View own time entries | | | | |
| View others' time entries | | | | |
| Start/stop timer | | | | |
| Create manual entry | | | | |
| Edit own entries | | | | |
| Edit others' entries | | | | |
| Delete own entries | | | | |
| Delete others' entries | | | | |
| Bulk edit entries (PRO+) | | | | |
| Approve time entries (ENTERPRISE) | | | | |
| Team Management | ||||
| View team members | | | | |
| Invite members | | | | |
| Remove members | | | | |
| Change member roles | | | | |
| Transfer ownership | | | | |
| Reporting | ||||
| View basic reports | | | | |
| View advanced reports (PRO+) | | | | |
| Create custom reports (ENTERPRISE) | | | | |
| Schedule reports (PRO+) | | | | |
| Export data (CSV) | | | | |
| Export data (PDF/Excel) (PRO+) | | | | |
| Rates & Billing | ||||
| View rates | | | | |
| Set project rates | | | | |
| Set user rates | | | | |
| View billing information | | | | |
| Change subscription | | | | |
| Workspace Settings | ||||
| View workspace settings | | | | |
| Edit workspace settings | | | | |
| Delete workspace | | | | |
| Access audit logs (ENTERPRISE) | | | | |
| Configure API (ENTERPRISE) | | | | |
| Set up SSO (ENTERPRISE) | | | | |
Role Assignment
During Invitation
When inviting a new member, you select their role:
- Click "Invite Member"
- Enter email address
- Select role: Viewer, Member, Manager, or Owner
- Send invitation
See Inviting Members for details.
Changing Roles
Who can change roles:
- Owner can change any role
- Manager can change Viewer/Member roles (not Manager or Owner)
How to change:
- Navigate to Team → Active Members
- Find the member
- Click role dropdown
- Select new role
- Confirm change
Immediate effect:
- Permissions update instantly
- Member is notified via email
- Audit log entry created (ENTERPRISE)
Ownership Transfer
When to Transfer
- Business owner changes
- Workspace handed off to client
- Organizational restructuring
- Original owner leaving company
Transfer Process
Required: Current Owner permissions
Steps:
- Navigate to Team → Active Members
- Find the new owner candidate
- Click "Transfer Ownership" button
- Confirmation dialog with warnings
- Enter your password to confirm
- Click "Transfer Ownership"
What happens:
- New member becomes Owner
- Your role becomes Manager
- Immediate effect (no delay)
- Both parties notified via email
- Irreversible (new Owner must transfer back)
Ownership transfer is immediate and cannot be undone. Only the new Owner can transfer ownership back to you.
Custom Roles (ENTERPRISE)
Custom role create, edit, and delete is an Enterprise-only feature. This is the industry standard — Clockify, Toggl Track, and similar tools also restrict custom role management to their top tier.
On FREE and PRO plans, the four default roles (Viewer, Member, Manager, Owner) are available and cannot be modified.
ENTERPRISE tier allows creating custom roles with fully granular permissions.
Accessing Custom Roles
- Navigate to Settings → Roles & Permissions
- The "New Role" button is visible to Owner and users with the
users.roles.managepermission - Non-Enterprise workspaces see an upgrade prompt in place of the button
Creating Custom Roles
- Navigate to Settings → Roles & Permissions
- Click "New Role"
- Enter role name (e.g., "Billing Manager", "Client Viewer")
- Select specific permissions from the permission matrix
- Save custom role
Billing Manager
Permissions:
View all time entries
Edit rates
Generate invoices
Export billing reports
Edit projects
Invite members
Client Viewer
Permissions:
View assigned projects only
View reports for assigned projects
Download reports (PDF)
View other projects
Track time
View team members
Read-Only Manager
Permissions:
View all projects
View all time entries
Generate reports
Export data
Edit anything
Invite members
Permission Scenarios
Scenario 1: Freelancer with Client Access
Setup:
- You (Owner) manage the workspace
- Client needs visibility into progress
- Client should NOT see rates or billing
Solution:
- Create custom "Client Viewer" role (ENTERPRISE), OR
- Assign "Viewer" role and restrict access to specific projects
Permissions:
- View assigned projects:
- View time logs:
- View reports:
- View rates:
- View billing:
Scenario 2: Agency with Multiple Project Managers
Setup:
- Agency Owner manages overall workspace
- 3 Project Managers each handle different clients
- Team members work across projects
Solution:
- Owner: Agency owner
- Managers: 3 project managers
- Members: Developers, designers, etc.
Permissions:
- Owner: Full control, billing, all clients
- Managers: Manage their projects, invite members, approve time
- Members: Track time, view own projects
Scenario 3: Enterprise with Department Leads
Setup:
- Large organization with multiple departments
- Department leads manage their teams
- HR needs read-only access to all data
Solution:
- Owner: IT Administrator
- Custom Role "Department Lead": Manage own department only
- Custom Role "HR Viewer": View all time entries (no edit)
- Members: Department employees
Permissions:
- Department Lead: Manage team, approve time, view reports (department only)
- HR Viewer: View all time entries, export data (no edit)
- Members: Track time, view own data
Role Best Practices
Do's
- Assign minimum necessary permissions - Principle of least privilege
- Review roles regularly - Remove or downgrade when responsibilities change
- Use custom roles for specific needs (ENTERPRISE) - More granular control
- Document role assignments - Keep track of who has what access
- Onboard members with role explanation - Help them understand their permissions
Don'ts
- Don't give everyone Manager role - Reduces accountability
- Don't assign Owner role unnecessarily - Only one person should have full control
- Don't ignore permission requests - Evaluate and adjust as needed
- Don't forget to remove access - When members leave or change roles
- Don't use same role for everyone - Differentiate based on actual needs
Security Considerations
Viewer Role
- Risk: Low (read-only)
- Use for: External stakeholders, clients
- Caution: Can see all projects and time entries
Member Role
- Risk: Low-Medium (can only edit own data)
- Use for: Standard team members
- Caution: Can see project rates if configured
Manager Role
- Risk: Medium-High (can edit others' data)
- Use for: Trusted team leads
- Caution: Can delete time entries, invite members
Owner Role
- Risk: Very High (full control)
- Use for: Business owner or senior admin only
- Caution: Can delete workspace, access billing, transfer ownership
Audit Logs (ENTERPRISE)
Track all role changes and permission-related actions.
Logged events:
- Role assignments
- Role changes
- Ownership transfers
- Permission grants/revokes (custom roles)
- Member invitations
- Member removals
Access logs:
- Navigate to Settings → Audit Logs
- Filter by "Role Changes"
- Export logs for compliance
Troubleshooting
Cannot perform action (permission denied)
Problem: User tries to do something their role doesn't allow.
Solutions:
- Check role in Team → Active Members
- Request role change from Owner/Manager
- Refer to permission matrix above
Cannot change someone's role
Problem: Role dropdown is disabled or greyed out.
Reasons:
- You're trying to change Owner role (must transfer ownership)
- You're a Manager trying to change another Manager
- You don't have Manager or Owner role yourself
Solution: Ask Owner to make the change.
Transferred ownership by mistake
Problem: Accidentally transferred ownership to wrong person.
Solution: Ask the new Owner to transfer it back. Only the new Owner can do this.
Next Steps
- Creating Projects → - Start managing projects with your team
- Time Tracking → - Learn how members track time
- Reporting → - Generate reports based on permissions
- Settings → - Configure security settings (ENTERPRISE)
Need Help?
- Email: support@cadensa.io
- Community: community.cadensa.io
- FAQ: Permissions FAQ