Roles and permissions
More than you might want to know about user permissions in Count.
Count's permissions model helps teams of different sizes to work flexibly whilst maintaining strong governance over who can access the team's data and analysis.
A user's access is governed by:
- Their workspace role.
- The projects they can access.
- The role they have within each project.
You can view all the users with access to the workspace in the Members tab in Workspace Settings. Please ignore the Billable column - the new pricing model can be found here.
There are four types of workspace roles in Count. These roles dictate which workspace actions users are able to preform. These workspace actions include:
- Managing workspace billing
- Managing workspace settings
- Inviting new members and managing workspace user permissions
- Creating new data connections
- Creating new projects
Below is a summary of the workspace roles and their workspace permissions:
Workspace Role | Manage billing | Manage workspace settings | Invite members to workspace | Manage member permissions | Create data connections | Create projects | Possible project roles |
Owners | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | Admin Only |
Admins | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ | Admin, Editor, or Viewer |
Members | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | Editor, or Viewer |
Guests | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | Viewer Only |
Owners have full control of the workspace including who can access the workspace and billing. They automatically have access to every connection and project within the workspace and always have Admin privileges in each.
By default the person who creates the workspace becomes an owner automatically, but they can make other users Owners later. Owners are always billable.
Specifically Owners can:
- Access and change all workspace settings
- Create, edit and delete all database connections in the workspace.
- Have Admin roles in all workspace projects automatically.
- Create projects.
- Invite users to the workspace and change their workspace role between Guests, Members, Admins and Owners.
Owners cannot:
- Change their own workspace role.
- Leave a workspace if they are the only Owner.
Admins control how data is accessed within the workspace. They manage all database connections within the workspace and build and manage projects. Admins are always billable regardless of their project roles.
Admins can:
- Create, edit and delete all database connections in the workspace.
- Create projects.
- Be given Admin, Editor or Viewer roles within any project they have joined.
- Be able to view canvases that have been shared with them from a project they can't see.
- See the Settings tab in workspace settings.
- Invite users to the workspace and change their workspace role between Guests, Members and Admins.
Admins cannot:
- See every project in the workspace by default (they have to be invited).
- Change settings in the Settings tab in workspace settings.
- See the Billing tab in workspace settings.
- Change their own workspace role.
The Member role gives users general access to the workspace and means they can be given access to projects and documents that have been shared with the whole workspace.
Members can:
- Be invited to any project within the workspace.
- Be given Editor or Viewer roles within any project they have joined.
- View the list of members in the workspace.
- Be able to view documents that have been shared with them from a project they can't see.
Members cannot:
- See or edit any database connections.
- Be given Admin access to any project.
- See the Settings and Billing tabs in workspace settings.
Guests are users who have not been invited to join the workspace but have been given access to specific canvases and projects within the workspace. Guests can only have a Project Viewer role and therefore are not billable in the workspace. Guests have to create their own Count account to access the documents and projects that have been shared with them.
Specifically, Guests can:
- Have a viewer role on any project they have been invited to.
- Be able to view documents that have been shared with them from a project they can't see.
Guests cannot:
- See any workspace settings.
- See any database connections.
- Be invited to projects or documents via the "Members of workspace" permission.
Within each project, there are three roles available. These roles dictate which project-level actions users can perform, including:
- Invite others to the project
- Manage user permissions in the project
- Add and manage the data for the project
- Create and edit documents
- Manage project settings
Below is a summary of the workspace roles and their project permissions:
Project Role | Manage project data | Manage project settings | Manage project user permissions | Invite others to project | Create and edit notbeooks | View code of created canvases | Edit control cells in canvases | Download data from canvases |
Admins | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Editors | ❌ | ❌ | ❌ | Depends on project settings | ✅ | ✅ | ✅ | ✅ |
Viewers | ❌ | ❌ | ❌ | Depends on project settings | ❌ | ❌ | ✅ | ✅ |
Admins have full control of the project. They manage access to the project and its documents and can define what database tables can be used within the project from the project's parent connection. Only Workspace Admins and Owners can be Project Admins.
Admins can do the same actions as Editors plus some additional permissions:
- Invite and remove users from the project.
- Change user's permissions between admin, editor and viewer.
- Manage what data tables the project can see from the parent database connection.
- Change the project's title and description.
- Delete the project.
- Control whether (non-admin) project members can share the project and its documents with other members.
Admins are unable to:
- Change their own project role.
Editors are able to operate fully within the scope of the project - creating, editing and publishing canvases as they wish.
Editors can perform the same actions as Viewers plus:
- Create, view, publish and delete documents in the project.
- Fork and merge documents.
- Restore deleted documents.
- View and query the data tables within the project.
- View and restore previous document versions.
Editors are unable to:
- Add or remove tables from the project.
- Remove users from the project or a document, nor change their permissions.
Viewers can:
- View documents that have been shared with them in view-only mode.
- View all members of the project.
- Share documents outside the project or invite new users to the project as Viewers (if allowed by the project's settings).
- Leave the project.
Viewers are unable to:
- See any data tables within the project.
- Create their own documents or create queries.
- Remove users from the project or a document, nor change their permissions.
- See past versions of a document.
The table below summarises which project roles users can be given based on their workspace role.
Workspace role | Can be project admin? | Can be project editor? | Can be project viewer? | Can be given access to a document without being a member of the project? |
Owner | Always | N/A | N/A | N/A |
Admin | Yes | Yes | Yes | Yes |
Member | No | Yes | Yes | Yes |
Guest | No | No | Yes | Yes |
Note: If a user has been assigned two conflicting project roles then the most permissive permission wins.
For example, if a user has been explicitly given a viewer role to a project but in addition the project has given edit access to the project for the whole workspace, then the user will have edit access.
For each canvas, you can decide with whom and how you want to share.