Roles & Permissions
Vivreal uses a role-based access control (RBAC) system with three roles. Each role builds on the permissions of the one below it, forming a clear hierarchy.
The Three Roles
Owner
The Owner is the person who created the group. Every group has exactly one Owner. They have unrestricted access to all features, including billing, destructive actions, and ownership transfer. Ownership can be transferred to an Admin, but it cannot be shared.
Admin
Admins are trusted team leaders. They can manage content, sites, members, and integrations. They cannot access billing or delete the group. Owners can assign this role.
Member
Members are standard team participants. They can view collections, content, and dashboards. Members cannot manage sites, integrations, or team settings.
Permission Matrix
| Action | Owner | Admin | Member |
|---|---|---|---|
| View content | Y | Y | Y |
| Create/edit objects | Y | Y | -- |
| Create/edit collections | Y | Y | -- |
| Manage sites | Y | Y | -- |
| Manage members | Y | Y | -- |
| Manage integrations | Y | Y | -- |
| View API key / join code | Y | Y | -- |
| View audit logs | Y | Y | -- |
| Billing/subscription | Y | -- | -- |
| Delete group | Y | -- | -- |
How Roles Are Assigned
Roles are assigned at two points:
- When a member joins — the person who sends the invite selects the initial role. Members who join via a join code are assigned the Member role by default.
- After joining — Owners and Admins can change any member's role (except the Owner's) from the Members section on the Group page.
Role Assignment Rules
- Only Owners and Admins can assign or change roles.
- An Admin cannot promote another member to Owner — only the current Owner can transfer ownership.
- An Admin cannot demote another Admin. Only the Owner can change an Admin's role.
- The Owner role cannot be assigned through the normal role selector. Use the dedicated Transfer Ownership action instead.
Practical Examples
Small team (3 people): One Owner who manages everything, two Members who view and contribute content.
Medium team (10 people): One Owner, two Admins (lead developer and content director), seven Members across the team.
Large team (25+ people): One Owner, several Admins for different departments, and Members across the organization.
Permissions and the API
When you interact with Vivreal through the portal, permissions are enforced automatically. The portal hides UI elements you don't have access to and blocks unauthorized actions at the API proxy layer.
Role-based enforcement is also applied on the backend. Even if you bypass the portal UI, the API will reject requests that exceed your role's permissions.
Next Steps
- Managing Members — learn how to invite, remove, and organize your team
- Audit Logs — see what actions your team members have taken