# Cakewalk Roles & Permissions

### 🗂️ **Role Model Overview**

* **Designated roles:** the user's primary role
  * **User:** bottom of the hierarchy.
  * **Admin:** platform-level administrator.
  * **General Manager:** top of the hierarchy; their requests skip manager approval.
* **Inherited roles:** layered on top of a designated role
  * **Manager:** receives and acts on requests from their reports, manages their access and can offboard them.
  * **App Owner:** manages a specific app’s access and reviews.

***

### 📖 **Role Definitions**

#### **Designated Roles**

{% hint style="info" %}
Every user has exactly one of these roles. This sets their primary permissions across the entire platform.
{% endhint %}

**User**

* Bottom of the organizational hierarchy.
* Can submit access requests but can only approve or decline them when assigned by a [custom policy](https://docs.getcakewalk.io/how-to-guides/policies).
* User requests require approval from their direct Manager by default, unless a custom policy is in place.
* May be designated as an **App Owner** for specific apps but retains the base User role elsewhere.

**Admin**

* Responsible for managing the Cakewalk application itself within the organization.
* Can delete the account, configure integrations, manage user groups, define policies, create custom layouts, and set up auto-provisioning.
* Platform-wide rights that sit above App Ownership.

**General Manager**

* Top of the organizational hierarchy.
* Only user type without a Manager assigned.
* Any manager-approval steps in a request flow will be auto-approved.
* Has full viewing rights and maximum permission to carry out actions.

#### **Inherited Roles**

{% hint style="info" %}
Users can have zero, one or both of these in addition to their designated role. These add capabilities in specific contexts (team or app) but do not change base platform rights.
{% endhint %}

**Manager**

* Users who have at least one user assigned to them as a direct report.
* Primary responsibility is to approve requests submitted to them by their assigned users.
* In addition, Managers can:
  * Submit access requests on behalf of their reports
  * Initiate offboardings of their reports
  * Be assigned access reviews

**App Owner**

* App Owner status is set on a per-app basis by an Admin. It gives app-level rights only.
* A user (User, Manager, or Admin) who is the admin of at least one application.
* Grants or revokes other users' access to the apps they own, reviews permissions, completes access reviews and manages app-specific metadata.
* Does not grant platform-wide permissions, only app-specific ones.

***

### 🧾 **Permissions Matrix**

{% hint style="info" %}
Inherited roles should be read as additive - e.g. a User who is also an App Owner retains all User permissions plus the App Owner permissions for the apps they own.
{% endhint %}

| Capability                                    | User                                 | Manager                     | App Owner             | Admin   | General Manager           |
| --------------------------------------------- | ------------------------------------ | --------------------------- | --------------------- | ------- | ------------------------- |
| **Submit Requests**                           | ✅                                    | ✅                           | ✅                     | ✅       | ✅ (skip manager approval) |
| **Approve Requests**                          | :scales: (unless assigned in policy) | ✅ (only for direct reports) | ✅ (only for own apps) | ✅ (any) | ✅ (any)                   |
| **Onboard User**                              | ❌                                    | ❌                           | ❌                     | ✅       | ✅                         |
| **Offboard User**                             | ❌                                    | ✅ (only direct reports)     | ❌                     | ✅ (any) | ✅ (any)                   |
| **Edit User**                                 | ❌                                    | ✅ (only direct reports)     | ❌                     | ✅       | ✅                         |
| **Manage User Groups**                        | ❌                                    | ❌                           | ❌                     | ✅       | ✅                         |
| **Edit App (App Metadata, App Owners, etc.)** | ❌                                    | ❌                           | ✅ (only own apps)     | ✅ (any) | ✅ (any)                   |
| **Manage App Access (Add or Remove Users)**   | ❌                                    | ✅ (only for direct reports) | ✅ (only own apps)     | ✅ (any) | ✅ (any)                   |
| **Create Access Reviews**                     | ❌                                    | ❌                           | ❌                     | ✅       | ✅                         |
| **Complete Access Reviews**                   | ❌                                    | ✅ (only for direct reports) | ✅ (only own apps)     | ✅ (any) | ✅ (any)                   |
| **Use Browser Extension**                     | ✅                                    | ✅                           | ✅                     | ✅       | ✅                         |
| **Integrate HRIS/IdP**                        | ❌                                    | ❌                           | ❌                     | ✅       | ✅                         |
| **Set Up Auto Provisioning**                  | ❌                                    | ❌                           | ✅ (only own apps)     | ✅       | ✅                         |
| **Create Custom Policies**                    | ❌                                    | ❌                           | ❌                     | ✅       | ✅                         |
| **Create Custom Layouts**                     | ❌                                    | ❌                           | ❌                     | ✅       | ✅                         |
| **Create API Keys and Webhooks**              | ❌                                    | ❌                           | ❌                     | ✅       | ✅                         |
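
The additive reading of the matrix can be checked mechanically. The following is an added example, not Cakewalk code or its API: it models four rows of the table and resolves a user's effective permission as the union of their designated and inherited roles, with default deny. The `Principal` class, the capability keys and the sample users are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Scope each role grants per capability, copied from four rows of the matrix.
# "reports" = direct reports only, "own_apps" = owned apps only, "any" = unrestricted.
MATRIX = {
    "offboard_user": {"Manager": "reports", "Admin": "any", "General Manager": "any"},
    "edit_app": {"App Owner": "own_apps", "Admin": "any", "General Manager": "any"},
    "manage_app_access": {"Manager": "reports", "App Owner": "own_apps",
                          "Admin": "any", "General Manager": "any"},
    "create_access_reviews": {"Admin": "any", "General Manager": "any"},
}

@dataclass
class Principal:  # hypothetical model, not a Cakewalk object
    name: str
    designated: str  # exactly one of: User, Admin, General Manager
    reports: set = field(default_factory=set)     # non-empty => Manager
    owned_apps: set = field(default_factory=set)  # non-empty => App Owner

    def roles(self):
        inherited = set()
        if self.reports:
            inherited.add("Manager")
        if self.owned_apps:
            inherited.add("App Owner")
        return {self.designated} | inherited

def allowed(p, capability, target_user=None, app=None):
    """Additive evaluation: any role whose scope covers the target grants it."""
    for role in p.roles():
        scope = MATRIX[capability].get(role)
        if scope == "any":
            return True
        if scope == "reports" and target_user in p.reports:
            return True
        if scope == "own_apps" and app in p.owned_apps:
            return True
    return False  # default deny: no role covers this target

# Constructed sample principals
alice = Principal("alice", "User", reports={"bob"}, owned_apps={"github"})
dana = Principal("dana", "Admin")

if __name__ == "__main__":
    print(allowed(alice, "manage_app_access", target_user="carol", app="github"))
    print(allowed(alice, "offboard_user", target_user="carol"))
```

Here `alice` can manage access to `github` for a user who is not her report because the App Owner grant applies, while offboarding that same user is denied because only the Manager scope covers offboarding.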

***

### 💡 **Best Practices**

* Keep App Owner assignments up to date to ensure requests and reviews route correctly.
* Use the General Manager role only for true top-level executives.
* Use Managers to reflect real reporting lines for approvals.
* Designate at least one Cakewalk Admin who is not an App Owner of many apps to maintain separation of duties.
