Role design principles
Good roles are:- Named for job responsibility.
- Easy to explain.
- Narrow enough to review.
- Broad enough to avoid one-off exceptions for every user.
- Reviewed when features, teams, or responsibilities change.
Create or edit a role
Review impact
Pay special attention to permissions that affect users, security, integrations, organization settings, or shared content.
Permission review questions
Ask these questions before granting access:- Does this role need to view the area?
- Does this role need to create or edit content there?
- Does this role need to delete or archive content?
- Does this role need to manage other users?
- Does this role need to configure organization settings?
- Does this role need connected app administration?
- Does this role need Security Center access?
Privileged roles
A privileged role can affect other users, security, organization settings, or connected app behavior. Privileged roles should usually:- Have a named owner.
- Require passkeys if your organization uses that policy.
- Be assigned to a small number of users.
- Be reviewed on a regular cadence.
- Be removed when the user no longer needs the access.
Roles versus Workspace membership
Roles control product capabilities. Workspace membership controls access to a specific Workspace. Example:| Need | Use |
|---|---|
| User can create Workspaces | Role permission. |
| User can access one project Workspace | Workspace membership. |
| User can manage all users | Admin role permission. |
| User can review one CoDraft | Share the CoDraft or Workspace. |
Role maintenance
Review roles when:- A new feature is enabled.
- An admin leaves or changes responsibility.
- A group starts using Sofie differently.
- A passkey policy changes.
- Security review identifies stale access.
- You consolidate duplicate roles.