Cakewalk Roles & Permissions

Cakewalk uses a role-based model permission model reflecting organizational hierarchy. Every user has one designated role with potential inherited roles for additional permissions.

🗂️ Role Model Overview

Designated roles: the user's primary role
- User: bottom of the hierarchy.
- Admin: platform-level administrator.
- General Manager: top of the hierarchy, requests skip manager approval.
Inherited roles: layered on top of a designated role
- Manager: receives and acts on requests from their reports, manages their accesses and can offboard them.
- App Owner: manages a specific app’s access and reviews.

📖 Role Definitions

Designated Roles

Every user has exactly one of these roles. This sets their primary permissions across the entire platform.

User

Bottom of the organizational hierarchy.
Can submit access requests but can only approve or decline them when assigned by a custom policy.
User requests require approval from their direct Manager by default, unless a custom policy is in place.
May be designated as an App Owner for specific apps but retains the base User role elsewhere.

Admin

Responsible for managing the Cakewalk application itself within the organization.
Can delete the account, configure integrations, manage user groups, define policies, create custom layouts, set up auto-provisioning.
Platform-wide rights that sit above App Ownership.

General Manager

Top of the organizational hierarchy.
Only user type without a Manager assigned.
Any manager-approval steps in a request flow will be auto-approved.
Has full viewing rights and maximum permission to carry out actions.

Inherited Roles

Users can have zero, one or both of these in addition to their designated role. These add capabilities in specific contexts (team or app) but do not change base platform rights.

Manager

Users who have at least one user assigned as their direct report to them.
Primary responsibility is to approve requests submitted to them by their assigned users.
In addition, Managers can:
- Submit access requests on behalf of their reports
- Initiate offboardings of their reports
- Be assigned access reviews

App Owner

App Owner status is set on a per-app basis by an Admin. It gives app-level rights only.
A user (User, Manager, or Admin) who is the admin of at least one application.
Grants or revokes other users' access to the apps they own, reviews permissions, completes access reviews and manages app-specific metadata.
Does not grant platform-wide permissions but only only app-specific.

🧾 Permissions Matrix

Inherited roles should be read as additive - e.g. a User who is also an App Owner retains all User permissions plus the App Owner permissions for the apps they own.

Capability

User

Manager

App Owner

Admin

General Manager

Submit Requests

✅

✅ (skip manager approval)

Approve Requests

⚖️ (unless assigned in policy)

✅ (only for direct reports)

✅ (only for own apps)

✅ (any)

Onboard User

❌

✅

Offboard User

❌

✅ (only direct reports)

❌

✅ (any)

Edit User

❌

✅ (only direct reports)

❌

✅

Manage User Groups

❌

✅

Edit App (App Metadata, App Owners, etc.)

❌

✅ (only own apps)

✅ (any)

Manage App Access (Add or Remove Users)

❌

✅ (only for direct reports)

✅ (only own apps)

✅ (any)

Create Access Reviews

❌

✅

Complete Access Reviews

❌

✅ (only for direct reports)

✅ (only own apps)

✅ (any)

Use Browser Extension

✅

Integrate HRIS/IdP

❌

✅

Set Up Auto Provisioning

❌

✅ (only own apps)

✅

Create Custom Policies

❌

✅

Create Custom Layouts

❌

✅

Create API Keys and Webhooks

❌

✅

💡Best Practices

Keep App Owner assignments up to date to ensure requests and reviews route correctly.
Use the General Manager role only for true top-level executives.
Use Managers to reflect real reporting lines for approvals.
Designate at least one Cakewalk Admin who is not an App Owner of many apps to maintain separation of duties.

PreviousPolicy, Request and Task Data Model NextAccess Governance Pillars

Last updated 23 days ago

Was this helpful?