Overview

Roles & Permissions is the foundation of Elementum’s security model. Best practice is to assign permissions through roles rather than to individual users. This approach ensures consistent access control, simplifies management across large teams, and keeps role assignments audit-ready for compliance reviews. Elementum supports two permission scopes:
  • Organization-level — Grants access across all apps the user can reach. Use for administrative oversight roles such as IT administrators or compliance officers.
  • App-level — Grants access only to a specific app, element, or task and its related features. Use for department-specific or project-scoped roles.
Organization-level permissions cascade down to all accessible apps. Assign org-level roles carefully and primarily for administrative oversight.

Managed Roles

Elementum provides predefined managed roles with standard permission sets. Managed roles have fixed permissions that cannot be modified, but you can add or remove users and groups.
  • App Admin — Full administrative access to all features and settings within an app.
  • Content Editor — Can create and manage content but cannot change app settings.
  • Content Viewer — Read-only access to content and basic features.
Start with managed roles when they fit your needs before creating custom alternatives.

Custom Roles

Custom roles let you define any combination of permissions to match your organization’s specific workflows.

Create a Custom Role

  1. Click the Settings icon, then Org Settings.
  2. Click Roles & Permissions.
  3. Click Create Custom Role, enter a descriptive Role Name, and add a Description explaining the role’s purpose.
  4. Select the Users and Groups who should have this role. Optionally configure Auto Share Options (see below).
  5. Set permissions for each resource type — Records, Automations, Agents, AI Providers, Analytics, Apps, and more.
Custom roles can also be created directly in your app. Click Roles & Permissions under the Security section of an app menu.

Auto Share Options

Configure roles to be automatically assigned when users interact with records. Available triggers:
  • When user is added as a watcher — Automatically assigns the role when someone watches a record
  • When user is assigned to a record — Assigns when a user becomes the record assignee
  • When user is @mentioned — Assigns when a user is mentioned in comments
  • When a record is shared with a user — Assigns when records are explicitly shared

Permission Types

  • Create Records — Allow creating new records
  • Read Records — Allow viewing records (respects Data Access policies)
  • Update Records — Allow editing existing records
  • Delete Records — Allow removing records
  • Comment on Records — Allow adding comments to records
Users can hold multiple roles simultaneously — permissions are additive across all assigned roles.

User Invite Policy

The User Invite Policy is an organization-level setting that controls which users can invite new people into the organization. Find it under the Settings icon > Org Settings > General. The policy applies on top of the CREATE_ORGANIZATION_USERS permission. Users must first have this permission, and the policy then further restricts what they can do.
Users with the ADMIN permission always bypass the policy and can invite anyone regardless of the setting.

Policy Options

The most restrictive setting. Only administrators can invite new users. Behavior:
  • Admins: Can invite any user (any email domain)
  • Non-admins: Cannot invite anyone, even if they have CREATE_ORGANIZATION_USERS permission. Requests are rejected with a validation error.
Use case: Organizations that want centralized control over user provisioning.
The User Invite Policy only affects inviting new users into the organization. Adding existing organization users to resources like customer chat channels is controlled separately by the UPDATE_CONVERSATIONS permission.
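The following is an added illustration of the two rules described above, the scope cascade with additive roles (Overview and Permission Types) and the layered User Invite Policy check (this section); it is example code written for this page, not Elementum's implementation. The role, user and app names, the ORG_SCOPE marker and the ADMINS_ONLY predicate are constructed assumptions; only the ADMIN and CREATE_ORGANIZATION_USERS permission names come from the page.

```python
from dataclasses import dataclass, field

ORG_SCOPE = None  # constructed marker: a role with this scope is organization-level

@dataclass(frozen=True)
class Role:
    name: str
    scope: object        # ORG_SCOPE, or the id of the single app the role covers
    permissions: frozenset

@dataclass
class User:
    name: str
    roles: list = field(default_factory=list)

def effective_permissions(user, app=ORG_SCOPE):
    """Union of permissions from every role that applies at the requested scope.
    Org-level roles cascade into every app; app-level roles count only inside
    their own app. Roles are additive (no deny rules), so this is a plain union."""
    perms = set()
    for role in user.roles:
        if role.scope == ORG_SCOPE or role.scope == app:
            perms |= role.permissions
    return perms

# Constructed predicate for the "admins only" option: decides whether a
# NON-admin holding CREATE_ORGANIZATION_USERS may invite this email. Under
# "admins only" the answer is always no; admins never reach this check.
def ADMINS_ONLY(inviter_perms, invitee_email):
    return False

def check_invite(inviter, policy, invitee_email):
    """Return (allowed, reason). ADMIN bypasses the policy; everyone else must
    hold CREATE_ORGANIZATION_USERS first, then the policy is applied on top."""
    perms = effective_permissions(inviter, ORG_SCOPE)
    if "ADMIN" in perms:
        return True, "ADMIN bypasses the User Invite Policy"
    if "CREATE_ORGANIZATION_USERS" not in perms:
        return False, "validation error: missing CREATE_ORGANIZATION_USERS"
    if not policy(perms, invitee_email):
        return False, "validation error: rejected by User Invite Policy"
    return True, "permitted by User Invite Policy"

# Constructed sample roles and users (not Elementum data).
it_admin = Role("IT Administrator", ORG_SCOPE, frozenset({"ADMIN", "CREATE_ORGANIZATION_USERS"}))
recruiter = Role("Recruiter", ORG_SCOPE, frozenset({"CREATE_ORGANIZATION_USERS"}))
editor = Role("Content Editor", "procurement", frozenset({"CREATE_RECORDS", "READ_RECORDS"}))
alice = User("alice", [it_admin])
bob = User("bob", [recruiter, editor])
carol = User("carol", [editor])
```

Note that bob holds CREATE_ORGANIZATION_USERS yet is still rejected under the admins-only option, which is exactly the layering the page describes: the permission is necessary but the policy has the final say for non-admins.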

Manage Roles

  1. Click Roles & Permissions under Security in your app menu to see all managed and custom roles.
  2. Click Manage Role on any role to add or remove users and groups.
  3. For custom roles, modify permissions and settings as business needs change.
  4. Remove custom roles that are no longer needed. Managed roles cannot be deleted.

Best Practices

Security Principles

  • Principle of least privilege — Grant only the minimum permissions necessary for users to perform their job functions.
  • Separation of duties — Ensure critical functions require multiple roles or approvals.
  • Regular audits — Periodically review role assignments and permissions to confirm they remain appropriate. All role changes are logged in the Activity Log.
  • Descriptive naming — Use clear, descriptive role names that indicate purpose and scope.

Common Security Patterns

Separate roles by function rather than hierarchy. Create roles based on job responsibilities, avoid overly broad permissions, and prefer multiple specific roles over one broad role.
Use custom roles for temporary or project-based access. Create time-limited roles for contractors, remove access when projects complete, and regularly clean up unused roles.
Plan for emergency access scenarios. Designate emergency administrators, document emergency procedures, and test emergency access regularly.