> ## Documentation Index
> Fetch the complete documentation index at: https://docs.speckle.systems/llms.txt
> Use this file to discover all available pages before exploring further.
# Roles and Permissions
> Understand the key concepts for managing permissions
## What are roles and permissions?
Roles and permissions define what people can do in a workspace and in each
project. This page explains both levels and how they work together.
This guide explains Speckle's project roles and workspace roles. The table below gives you a high-level overview of how these combine to determine what users can do.
## Quick role map
* **Workspace role** controls broad workspace access.
* **Project role** controls actions inside a project.
* Workspace admins manage workspace roles in **Team**.
* Project owners manage project roles in **Collaborators**.
In the current web interface, project roles are shown as **Owner**,
**Contributor**, and **Reviewer**. Older docs and APIs may still reference
legacy names (`Project owner`, `Can edit`, `Can view`) and seat types.
| Workspace role |
View & comment |
Publish & load |
Create projects |
Manage workspace |
| Admin |
|
|
|
|
| Member |
|
|
|
|
| Guest |
|
|
|
|
Guests can only view, comment, publish and load in the specific projects they
are invited to.
## Workspace roles
Workspace roles determine a user's default project access and workspace-level permissions, like inviting users and managing security settings. `Admins` can manage workspace roles from Team.
In Team, role management is available through the **Members** and **Guests**
tabs.
* Full ownership of the workspace, including management of members,
projects, and settings. - Is automatically `Owner` of all existing and new
projects in the workspace. - Cannot be removed or have their role changed
within a project. - Can create, manage, and oversee all Speckle Automate
functions within the workspace.
* Can access all projects in the workspace with the `Reviewer` project role,
unless the project is set to `Private`. - Can create and own projects. -
Cannot invite new users to the workspace, but can add existing workspace
users as project collaborators. - Can access and use Speckle Automate to
create private functions (Enterprise plan only).
* Role meant for external collaborators who only need access to select
projects in the workspace. - Can hold the `Contributor` project role. - Can
never create new projects in the workspace. - Can never hold the `Owner`
project role. - Can join a workspace without adhering to any domain policies
or authorizing through SSO. - Cannot access or create private Speckle
Automate functions.
## Project roles
Project roles determine what actions a user can perform within a specific
project. `Admins` and `Owners` can manage roles from the Collaborators tab on
the project page.
* Full ownership of the project, including inviting project collaborators,
managing project roles, and all project settings. - The project creator is
automatically the first `Owner`. - Workspace admins are `Owner` on all
projects in a workspace, including private projects.
* Full contribution access within the project, including creating models and
versions. - Can load and publish models from connected authoring tools.
* Can review models in the web viewer, comment, and collaborate on feedback.
* Cannot publish or load models through connectors.
## Access defaults
Project access defaults control permissions, not billing. Plans are based on the
total number of users in a workspace.
If your workspace still shows legacy `seat` wording in some settings or APIs,
use this mapping:
* Equivalent to `Contributor` project permissions for Members and Guests.
* Equivalent to `Reviewer` project permissions for Members and Guests.
## If a user cannot do an action
Use this checklist:
* Cannot publish or load -> check if project role is **Contributor** or **Owner**.
* Cannot invite users to workspace -> check if workspace role is **Admin**.
* Cannot open a private project -> check project collaborator access in **Collaborators**.
* User has access to workspace but not project -> add the user in that project's **Collaborators** tab.
## FAQ
### Project roles
You can add anyone to a project role if this is allowed by workspace
security settings. If a user is added to a project with the
**Contributor** role, they are granted contributor-level project permissions.
If they are not already a workspace member, they are added as a Guest.
No, roles are set on a member by member basis.
### Workspace roles
A workspace role is a role that determines what actions a user can perform within a workspace.
**Members** are workspace users who are part of your core team. They can access all workspace projects by default (unless a project is set to Private), can create new projects, and are subject to workspace security policies like domain protection and SSO.
**Guests** are external collaborators who only need access to specific projects. They can only access projects they're explicitly invited to, cannot create new projects, and can join the workspace without adhering to domain policies or SSO requirements. This makes Guests ideal for subcontractors, consultants, or clients who need limited access.
Both Members and Guests count toward your workspace's user limit. The distinction is about access scope and security policies, not billing.
You can invite someone to your workspace by clicking the **Invite** button in the top right corner of the workspace page.
You can also set your workspace to allow self-signup by making your workspace **domain discoverable**.
Users with an email domain matching what you have verified to the workspace will be notified your
workspace exists and can request to join. You can also set it up to automatically add them to the workspace without admin approval.
Only admins can invite users to a workspace.
Learn more about [inviting users to a workspace](/workspaces/inviting).
Admins can remove users from the workspace from Workspace Settings -> People. Removing a user from the workspace also removes their access to all projects in that workspace, whether they were a Member or Guest.
Yes, both Members and Guests count toward your workspace's user limit. The limit applies to the total number of users who have access to your workspace, regardless of whether they're internal team members (Members) or external collaborators (Guests). If you need more users than your plan allows, contact us to discuss upgrading to Enterprise, which supports unlimited users.
Use the Guest role when you need to give someone access to only specific projects, such as:
* External consultants or subcontractors who only work on certain projects
* Clients who need to review specific work
* Partners who collaborate on select projects
Use the Member role for your core team who need access to multiple or all workspace projects and should be subject to your workspace's security policies.
You can only log in if you still have access to an email address that is on that account (e.g. a work or educational address). If you have both a personal and a work email on the account, you may still get in with the one you still use. Access to data in a workspace is always in accordance with the permissions set by the workspace organisation (e.g. whether they have kept you as a member). If you no longer have any of those emails, you cannot log in or recover that account; create a new account with a current, supported email. Workspaces belong to the organisation; if you need access to data and no longer have it, contact your prior employer.