Roles & Permissions

CraftDesk uses a three-tier role system to control access and permissions. Assign the right role to each team member to balance security with productivity.

The Three Roles

Owner

Owners have unrestricted access to everything in the workspace. Only owners can:

• Manage billing and subscriptions
• Upgrade or downgrade plans
• Change and cancel subscriptions
• View billing history and invoices
• Transfer workspace ownership
• Permanently delete projects
• Modify workspace-level security settings

Who should be Owner?

• Workspace creator (automatically assigned)
• Decision-maker responsible for billing and contracts
• Usually 1-2 people per workspace

Important: Restrict Owner role to people who truly need it. Most operations can be accomplished with Admin role.

Admin

Admins can manage operations but cannot access billing. Admins can:

• Create and delete projects
• Invite and remove team members
• Change member roles (except Owner)
• Modify workspace settings
• Access all projects and data
• Create and manage API keys
• Configure webhooks and integrations

Who should be Admin?

• Project managers
• Team leads
• Senior engineers responsible for operational oversight
• Typically 2-5 people per workspace

Member

Members can view and work on projects. Members can:

• View assigned projects
• Create and update tasks
• Comment and collaborate on tasks
• Update their own profile
• View team member directory
• Cannot invite other members
• Cannot modify settings or access billing

Who should be Member?

• All individual contributors
• Contractors and consultants
• External stakeholders with limited involvement

Permission Matrix

Here's exactly what each role can do:

Changing Member Roles

Only Owners can change member roles. To change someone's role:

1. Go to Settings → Team
2. Find the member in the list
3. Click the role selector
4. Choose the new role
5. Changes take effect immediately

Transferring Workspace Ownership

If you need to transfer ownership to someone else:

1. Go to Settings → Team
2. Find the member you want to promote
3. Click their role selector
4. Choose Owner
5. You will be demoted to Admin

Warning: Transferring ownership is permanent. The new owner has complete control including billing. Only do this with trusted individuals.

Project-Level Permissions

Currently, CraftDesk enforces permissions at the workspace level. All members have the same level of access to all projects within the workspace. Future versions may include project-level permissions.

API Access Control

API keys created by Owners or Admins inherit the creator's permissions. An API key operates with the same access level as the person who created it.

• Owner-created keys: Full workspace access
• Admin-created keys: Full workspace access

Restrict key distribution to only those who need programmatic access.

Security Best Practices

Principle of Least Privilege — Assign only the minimum role necessary for someone to do their job.

Limit Owners — Keep the Owner role to 1-2 people maximum.

Audit Regularly — Review team member list and roles quarterly. Remove inactive members.

Rotate Admin Role — If someone leaves the company, immediately remove their Admin access.

Secure API Keys — Treat API keys like passwords. Rotate them periodically and never share in plain text.

What's Next

• Inviting Members — Add people to your workspace
• Managing Your Team — Update and remove members
• API Overview — Learn about programmatic access