Permissions & roles
Real actor identity + workspace membership. Sensitive actions (publishing, providers, promoted tickers, demo tools, jobs) are enforced server-side by role. Single-operator mode keeps the existing workflow intact until you add a team.
Acting as Owner · single-operator mode (no team yet)
Permissions are enforced on the server for every sensitive action; the UI only displays them for clarity. With no members, the lone operator is the owner so nothing breaks. When real auth is wired (AUTH_MODE=proxy_header), an authenticated non-member is denied in production.
No members yet — you are the single operator (owner). Add teammates below to start enforcing roles. Before relying on this in production, set COMMAND_ACTOR_EMAIL to your own email (or wire real auth) so you aren't locked out.
New members start as invited — activate them once their auth identity is connected. Capability preview for Viewer: View command center, View analytics.
No invite emails are sent and no fake users are created — this records a real teammate's role for when auth is connected. The last active owner/admin can't be removed, disabled, or demoted.
| Capability | Owner | Admin | Editor | Analyst | Publisher | Viewer | Automation |
|---|---|---|---|---|---|---|---|
| View command center | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Manage sites | ✓ | ✓ | · | · | · | · | · |
| Manage sources | ✓ | ✓ | ✓ | ✓ | · | · | · |
| Analyze sources | ✓ | ✓ | ✓ | ✓ | · | · | ✓ |
| Create ideas | ✓ | ✓ | ✓ | ✓ | · | · | · |
| Edit articles | ✓ | ✓ | ✓ | · | · | · | · |
| Run AI generation | ✓ | ✓ | ✓ | · | · | · | ✓ |
| Run compliance | ✓ | ✓ | ✓ | · | · | · | ✓ |
| Run scores | ✓ | ✓ | ✓ | ✓ | · | · | ✓ |
| Edit newsletters | ✓ | ✓ | ✓ | · | · | · | · |
| Edit tickers | ✓ | ✓ | ✓ | ✓ | · | · | · |
| Manage promoted tickers | ✓ | ✓ | · | · | · | · | · |
| Manage campaigns | ✓ | ✓ | ✓ | · | · | · | · |
| View internal notes | ✓ | ✓ | ✓ | ✓ | ✓ | · | · |
| Edit internal notes | ✓ | ✓ | ✓ | · | · | · | · |
| Manage disclosures | ✓ | ✓ | ✓ | · | ✓ | · | · |
| Publish content | ✓ | ✓ | · | · | ✓ | · | · |
| Prepare publish jobs | ✓ | ✓ | ✓ | · | ✓ | · | ✓ |
| Run publish jobs | ✓ | ✓ | · | · | ✓ | · | ✓ |
| Manage provider channels | ✓ | ✓ | · | · | · | · | · |
| Test provider channels | ✓ | ✓ | · | · | ✓ | · | · |
| Manage widgets | ✓ | ✓ | ✓ | · | ✓ | · | · |
| Publish widgets | ✓ | ✓ | · | · | ✓ | · | · |
| View analytics | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | · |
| Import analytics | ✓ | ✓ | · | ✓ | · | · | ✓ |
| Manage mapping rules | ✓ | ✓ | · | ✓ | · | · | · |
| Manage jobs | ✓ | ✓ | · | · | · | · | · |
| Run jobs | ✓ | ✓ | · | · | ✓ | · | ✓ |
| Resolve alerts | ✓ | ✓ | · | · | ✓ | · | · |
| Seed demo data | ✓ | ✓ | · | · | · | · | · |
| Remove demo data | ✓ | ✓ | · | · | · | · | · |
| Manage users | ✓ | ✓ | · | · | · | · | · |
| Manage assets | ✓ | ✓ | ✓ | · | · | · | · |
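
The rules above (single-operator fallback, denial of non-members, and the last active owner/admin guard) can be expressed as one server-side check. This is an added sketch, not the product's own code: the capability keys, the Member type, the function names and the sample team are hypothetical, and it models only the production behaviour where a non-member is denied.

```python
from dataclasses import dataclass, replace

# Three rows copied from the capability matrix above; the key names are hypothetical.
CAPABILITIES = {
    "publish_content": {"owner", "admin", "publisher"},
    "manage_users": {"owner", "admin"},
    "view_analytics": {"owner", "admin", "editor", "analyst", "publisher", "viewer"},
}
PRIVILEGED = {"owner", "admin"}

@dataclass(frozen=True)
class Member:
    email: str
    role: str
    status: str = "invited"  # new members start as invited

def effective_role(actor_email, members):
    """Resolve the role on the server from the authenticated identity."""
    if not members:
        return "owner"  # single-operator mode: no team yet
    for m in members:
        # Assumption: an invited or disabled member is denied like a non-member.
        if m.email.lower() == actor_email.lower() and m.status == "active":
            return m.role
    return None  # authenticated non-member: denied

def is_allowed(actor_email, members, capability):
    role = effective_role(actor_email, members)
    # Unknown capability names fail closed.
    return role is not None and role in CAPABILITIES.get(capability, set())

def can_apply_change(members, target_email, new_role=None, new_status=None, remove=False):
    """Reject a remove/disable/demote that would leave no active owner/admin."""
    after = []
    for m in members:
        if m.email == target_email:
            if remove:
                continue
            m = replace(m, role=new_role or m.role, status=new_status or m.status)
        after.append(m)
    had = any(m.role in PRIVILEGED and m.status == "active" for m in members)
    has = any(m.role in PRIVILEGED and m.status == "active" for m in after)
    return has or not had

# Constructed sample team (not real users).
TEAM = [
    Member("owner@example.test", "owner", "active"),
    Member("pub@example.test", "publisher", "active"),
    Member("new@example.test", "viewer"),
]
```
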
Audit entries carry actor identity + source but never secrets.