Permissions & Access
Kazinex Workflows uses a layered role-based access control (RBAC) system. Access is determined by combining an organisation role (what the member is in the org) and a project role (what they are in this project). Both layers must allow an action for it to proceed.
The two-layer model
Organisation Role → Defines the member's baseline capabilities
+
Project Role → Defines what they can do within a specific project
=
Effective Access → What the member can actually do in that project
A member with org_manager at the organisation level but viewer in a project will have only viewer-level access in that project — the more restrictive layer wins.
Layer 1: Organisation roles
Organisation roles define what a member is across the entire Kazinex organisation. There are four roles:
| Role | Scope |
|---|---|
org_admin | Full control — all projects, all settings, billing |
org_manager | Manage members and projects, all settings except billing |
member | Standard member — access within projects depends on project role |
workflow_responder | External reviewer — respond to assigned steps only |
See Organisation Roles for a full capabilities breakdown.
Layer 2: Project roles
Project roles define what a member can do within a specific project. They are assigned when the member is added to a project:
| Role | Purpose |
|---|---|
project_admin | Full project control |
reviewer | Respond to workflow steps |
initiator | Create documents, start workflows, send correspondence |
viewer | Read-only access |
See Project Roles for a full capabilities breakdown.
Permission actions
14 discrete permission actions control access to specific features. Each action is either granted or denied based on the member's roles. Default assignments are shown in the Permission Actions Matrix.
| Action | What it unlocks |
|---|---|
create_workflow | Start new workflow instances |
manage_templates | Create and edit workflow templates |
upload_documents | Add documents to the register |
manage_documents | Edit document metadata and control fields |
send_correspondence | Compose and send correspondence |
manage_transmittals | Issue and manage transmittals |
manage_review_matrix | Configure review matrix rules |
manage_work_packages | Create and manage work packages |
view_reports | Access the Reports tab |
manage_guest_shares | Create and revoke guest share tokens |
manage_dist_lists | Manage distribution lists |
manage_members | Invite and manage project members |
manage_settings | Access project and org settings |
view_audit_log | Access the audit trail |
Permission overrides
Default permission assignments can be overridden at the organisation level or project level. See Permission Overrides.
In this section
| Guide | What it covers |
|---|---|
| Organisation Roles | org_admin, org_manager, member, workflow_responder |
| Project Roles | project_admin, reviewer, initiator, viewer |
| Permission Actions | All 14 actions defined with examples |
| Permission Overrides | How to customise default assignments |
| Permissions Best Practices | Principle of least privilege and design patterns |
Related
- Permission Actions Matrix — full grid of roles × actions
- Permissions & Roles Admin Guide — governance and maintenance