Understanding roles and permissions

Every member of a workspace has a role that determines what they can see and do. Estratos uses three roles, each with progressively more permissions. Roles are per workspace — the same person can be an Owner in one workspace and a Basic user in another.

Roles at a glance

Permission Basic user Admin Owner
Read memories Yes Yes Yes
Write memories Yes* Yes Yes
Delete memories Yes* Yes Yes
Export memories Yes Yes Yes
Manage the hierarchy No Yes Yes
Manage members and view the audit log No No Yes
Manage workspace settings No No Yes
Access billing No No Yes
Delete workspace / transfer ownership No No Yes

* A Basic user's writes and deletes go through review: they become proposals that an Admin or the Owner approves before they touch the published graph.

Basic user

Basic users can read, write, delete, and export memories, but their writes and deletes are queued as proposals for review rather than published immediately. They cannot manage the hierarchy, members, or the audit log. This role is the default for new invitations and fits day-to-day contributors.

Admin

Admins can do everything a Basic user can, and their writes publish directly (no review). They also manage the hierarchy and approve Basic users' proposals. Approving a tagged proposal is reserved for the Owner, because tagged memories affect every client. Admins cannot manage members, view the audit log, change workspace settings, or access billing.

Owner

The Owner has full control over the workspace: members and invitations, the audit log, settings (name, logo, timezone), billing and plan changes, and workspace deletion. Every workspace has exactly one Owner.

Roles set the ceiling

A role sets the ceiling of what a member — and any OAuth token they issue — can do. OAuth scopes then narrow what a given token can do: a token can request at most its user's role. Granting members:admin to a Basic user's token, for example, has no effect, because the role does not reach that high.

Changing a member's role

The Owner can change member roles from the Members & invites page. New invitations are always sent as Basic user or Admin — ownership is never granted by invitation.

Transferring ownership is a special action: only the current Owner can promote another member to Owner, and doing so makes the previous Owner an Admin. Since each workspace has exactly one Owner, this is how you hand over a workspace.

Which role should I assign?

  • Basic user — for contributors whose writes should be reviewed before they go live
  • Admin — for trusted team members who publish directly and approve others' work
  • Owner — for the person responsible for the workspace, its members, and its billing

Next steps

Learn about general settings to configure your workspace.