Roles & permissions
Four workspace roles, plus organization-level roles on enterprise plans. Each role grants a fixed set of permissions; you can't customise individual permissions on the standard plans.
The four workspace roles
Owner
Full control. There must always be at least one owner; the workspace creator is the initial owner.
Admin
Almost-full control. Manages members, credentials, workflows, settings, but can't transfer ownership or delete the workspace.
Editor
Builds and runs workflows. Sees credentials but can't add/edit/delete them. Can't change workspace settings or invite members.
Viewer
Read-only. Can see workflows and executions but can't edit, run, or trigger anything. Useful for stakeholders and auditors.
Permission matrix
| Action | Viewer | Editor | Admin | Owner |
|---|---|---|---|---|
| View workflows | โ | โ | โ | โ |
| Run workflow (manual) | โ (unless workflow allows viewers to run) | โ | โ | โ |
| Create / edit workflow | โ | โ | โ | โ |
| Delete workflow | โ | only own workflows | โ | โ |
| Change workflow status (draft โ active) | โ | โ | โ | โ |
| View executions | โ | โ | โ | โ |
| Cancel / replay execution | โ | โ | โ | โ |
| View credentials (workspace scope) | โ (metadata only) | โ | โ | โ |
| Add / edit / rotate / revoke credentials | โ | โ | โ | โ |
| Invite member | โ | โ | โ | โ |
| Change member role | โ | โ | โ | โ |
| Remove member | โ | โ | โ | โ |
| Workspace settings | โ | โ | โ | โ |
| Approve / reject approvals you're listed for | โ | โ | โ | โ |
| Archive / unarchive workspace | โ | โ | โ | โ |
| Delete workspace | โ | โ | โ | โ |
| Transfer ownership | โ | โ | โ | โ |
| Manage API keys | โ | โ | โ | โ |
| View audit log | โ | โ | โ | โ |
Special permissions
"Viewers can run"
A workflow-level toggle (Workflow settings → Permissions) lets viewers run a specific workflow manually. Useful for "executive dashboard refresh" workflows you want anyone to be able to kick off without granting broader edit access.
Per-workflow sharing
Workflows can also be shared with specific users outside the role system: Workflow settings → Share with → Add user → choose access level (View / Run / Edit). This is granular, but every share has to be maintained by hand.
Organization-level roles (enterprise)
On enterprise plans, three more roles above the workspace level:
- Organization owner: full control across every workspace.
- Organization admin: manage all workspaces, members, billing.
- Organization billing-only: billing + usage views, no workspace access.
Org roles supersede workspace roles. An organization admin is effectively a workspace admin in every workspace, whether or not they're a member.
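When reviewing access, the practical question is who can actually run a given workflow once workspace roles, the "Viewers can run" toggle, per-workflow shares and org roles are combined. The following is an added example, not code from the Flero docs or product: the data shapes, role strings and function names are hypothetical, and it assumes an Edit share also allows running.

```python
# Added example: hypothetical data shapes, not a real export format or API.
RUN_ROLES = {"editor", "admin", "owner"}    # workspace roles that run workflows
ORG_SUPERSEDES = {"org_owner", "org_admin"} # org roles that act in every workspace
SHARE_CAN_RUN = {"run", "edit"}             # assumption: Edit share implies Run

def who_can_run(workflow, members, org_roles):
    """Map each principal able to run `workflow` manually to the reason why."""
    grants = {}
    # Org roles supersede workspace roles, member of the workspace or not.
    for user, org_role in org_roles.items():
        if org_role in ORG_SUPERSEDES:
            grants[user] = f"org role: {org_role}"
    for user, role in members.items():
        if user in grants:
            continue
        if role in RUN_ROLES:
            grants[user] = f"workspace role: {role}"
        elif role == "viewer" and workflow["viewers_can_run"]:
            grants[user] = "viewer via 'Viewers can run' toggle"
    # Per-workflow shares sit outside the role system.
    for user, level in workflow["shares"].items():
        if user not in grants and level in SHARE_CAN_RUN:
            grants[user] = f"per-workflow share: {level}"
    return grants

def outside_role_model(grants):
    """Grants that do not come from a workspace role; review these first."""
    return {u: r for u, r in grants.items() if not r.startswith("workspace role")}

# Constructed sample data for illustration.
MEMBERS = {"ana": "owner", "ben": "admin", "cy": "editor", "dee": "viewer"}
ORG_ROLES = {"eve": "org_admin", "fay": "org_billing"}
WORKFLOW = {
    "name": "dashboard-refresh",
    "viewers_can_run": True,
    "shares": {"gus": "run", "hal": "view", "cy": "edit"},
}

if __name__ == "__main__":
    grants = who_can_run(WORKFLOW, MEMBERS, ORG_ROLES)
    for user, reason in sorted(outside_role_model(grants).items()):
        print(f"{WORKFLOW['name']}: {user} can run ({reason})")
```
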
Tips & gotchas
- Default invite role is settable per workspace. Pick Viewer as the safe default and promote as needed.
- Removing a member does not auto-transfer their workflows or credentials. Re-assign before removing.
- Role changes are audited. The audit log records who promoted/demoted whom.
- There's no "guest" role. For external users who shouldn't have full access, use public approval links for approvals, or per-workflow sharing with specific users for one-off workflow visibility.
- API keys have their own scopes, independent of human roles. A workspace Editor can't necessarily generate an API key that does more than what an Editor can do; admins gate key creation.
Found something out of date? This page lives in the Flero docs content set.