Skip to main content

Role Based Permissions

Epsilon3’s Role Based Permissions system manages user access through customizable roles, enabling precise control of permissions at both the workspace and project levels.

Updated yesterday

Role Based Permissions

Epsilon3 uses a Role Based Permissions model to determine what users can see and do within a workspace and its projects. This model enhances the current permissions structure with a more robust and flexible approach.

Under Role Based Permissions, all access is granted through roles. Users do not receive permissions directly. Instead, one or more roles are assigned to a user, and each role explicitly defines the permissions that role provides.

Because roles directly control operational capability, correct configuration is critical.

How Role Based Permissions Work

Permissions in Epsilon3 are built on three foundational principles:

  1. Roles are explicit
    Permissions are never implied. If a permission is not granted through a role, the user does not have it.

  2. Permissions are additive
    When a user has multiple roles, the permissions from ALL assigned roles are combined.

  3. Workspace and project permissions are evaluated separately
    Roles applied at the workspace level and roles applied at the project level do not mix or inherit from one another.

Understanding these principles is essential before configuring roles.

Roles

A role is a reusable collection of permissions. Roles are defined once and can be assigned to any number of users.

Each role may include permissions from any of the following categories:

  • View

  • Operate

  • Edit

  • Admin

These categories are purely organizational. Higher categories do not include or inherit lower categories.

For example, a role with Edit permissions does not automatically allow viewing the edited content. View permissions must be explicitly granted through the same role or an additional role.

Permission categories are independent.

Granting permissions in one category does not grant permissions in another category, even if the category appears “higher” in the UI.

This design is intentional and prevents accidental over-permissioning. It also allows roles to be narrowly tailored to operational needs.

As a result:

  • A role may include all Edit permissions and zero View permissions

  • A role may include Admin permissions without Operate permissions

  • A role may include only a single permission from any category

Every permission must be granted deliberately.

Creating Roles

Roles are created from Settings > Roles.

When creating a role, you define:

  • A short role code used internally

  • A role name displayed in the UI

  • The exact permissions included in the role

Roles are fully customizable. There is no fixed limit to the number of roles in a workspace.

Within each permission category, you may either select all permissions in that category or enable individual permissions selectively. Selecting all permissions in a category does not affect any other category.

Once created, roles can be edited at any time. Changes take effect immediately for all users assigned that role.

Editing Existing Roles

Roles can be modified at any time from Settings > Roles by selecting the role code.

Any change to a role immediately affects all users assigned that role, regardless of whether the role is applied at the workspace or project level.

For this reason, roles should be treated as shared infrastructure rather than user-specific configuration.

Additive Role Behavior

Users can be assigned multiple roles simultaneously.

When multiple roles are assigned, the user receives the union of all permissions granted by those roles.

There is no precedence or conflict resolution between roles. If ANY role grants a permission, the user has that permission.

This role based permissions model does not support permission denial. Permissions can only be granted or omitted.

Workspace Roles vs Project Roles

Workspace roles define what a user can do across the workspace by default.

Workspace roles are assigned from Settings > Users and apply to projects only when the user is added to the project and no project-level roles are explicitly assigned.

When one or more roles are assigned at the project level, workspace roles are not evaluated for that project.

Under the previous permissions model, restricting a user’s access to specific projects required limiting their workspace-level permissions. Workspace permissions could only be elevated at the project level, not reduced, which meant users with no workspace access but elevated project permissions were still unable to see certain workspace-level features, such as Snippets. This behavior was relied upon to prevent users from discovering or accessing projects they should not see.

With the introduction of Role Based Permissions, this restriction is no longer necessary. Projects are now explicitly opt-in, and users have no access to a project unless they are added to it. As a result, workspace permissions no longer need to be constrained to limit project visibility.

Users may now have full administrative permissions at the workspace level while remaining completely restricted from specific projects they are not assigned to. Workspace access and project access are evaluated independently, allowing permissions to be granted based on responsibility rather than visibility constraints.

Workspace Roles

Workspace roles are assigned from Settings > Users. From this page, administrators can select one or more users and apply one or more roles. Multiple roles may be assigned to the same user, and the permissions granted by those roles are combined.

Select one or more users on the left, click Edit Workspace Roles, and use the drop down menu to apply one or more roles to the selected users.

Workspace role assignments take effect immediately. Changes to assigned roles update the user’s effective permissions as soon as they are saved.

Because roles are reusable and additive, workspace access is typically granted by assigning a small number of well-defined roles rather than creating user-specific configurations.

Project Roles

Project roles define what a user can do within a specific project or subproject.

A user must be explicitly added to a project to have any project-level access.

Project roles can be assigned in two places:

  • From the Users page using Edit Project Roles

  • From within a project’s Users tab

From the Users page:

From the Project page (Settings > Projects > Specific project) users can be added to projects by clicking into the Users tab and selecting + Add User.

Select one or more users and either Remove from the project or Edit the role assignments.

Users who are removed from a project will no longer be able to see anything associated to that project throughout the Organization, even if they have elevated access in the workspace.

More Details about Roles and Projects

Workspace vs Project Role Evaluation

Workspace and project roles do not merge.

The evaluation rules are strict:

  • If a user is added to a project with no project roles assigned, the user inherits their workspace roles for that project.

  • If one or more project roles are assigned, all workspace roles are ignored for that project.

This allows workspace access and project access to be controlled independently and intentionally.

There are no exceptions to this behavior.

Subprojects and Role Inheritance

Projects may contain subprojects. Role inheritance between them follows the same explicit model.

By default, subprojects inherit the roles assigned at the parent project level.

If any role is assigned at the subproject level, inheritance is broken. The subproject will:

  • Not inherit roles from the parent project

  • Apply only the roles explicitly assigned at the subproject level

This applies regardless of whether the subproject roles grant fewer or more permissions than the parent.

Practical Permission Scenarios

A user may have full editing capability across the workspace while being restricted to operational tasks within a specific project. This is achieved by assigning an Edit-capable role at the workspace level and an Operate-only role at the project level.

Because project roles override workspace roles, the user’s editing permissions will not apply within that project.

This behavior is intentional and is a core feature of the role based permissions model.

Key Implications

The Role Based Permissions model is powerful but unforgiving. Small configuration changes can have wide-reaching effects.

Administrators should:

  • Favor multiple narrowly scoped roles over a single broad role

  • Treat project roles as overrides, not extensions

  • Be deliberate when breaking subproject inheritance

  • Regularly audit role usage and assignment

Groups

Groups allow you to manage workspace and project permissions in bulk. Instead of assigning roles to users individually, you can create a Group, assign one or more roles to that Group, and then control access simply by adding or removing users from the Group.

Groups are especially helpful when:

  • Multiple users share the same responsibilities

  • You frequently onboard or offboard users

  • You want consistent permission standards across teams

  • You need to manage access across projects in a scalable way

Groups work within the Role-Based Permissions model. Any roles assigned to a Group apply to all members of that Group.

How Groups Work

A Group includes:

  • Workspace Roles
    Roles that apply across the entire workspace (for example: E3:admin, E3:editor, E3:operator, etc.)

  • Project Roles
    Roles that apply only to specific projects or subprojects.

  • Group Members
    Users who inherit all roles assigned to the Group.

When a user is added to a Group, they automatically inherit:

  • All workspace roles assigned to that Group

  • All project roles assigned to that Group

If a user is removed from the Group, those permissions are removed accordingly.

Creating a Group

  1. Navigate to Settings > Users.

  2. Select the Groups tab.

  3. Click Create User Group.

  4. Enter a Group Name.

  5. Assign any applicable Workspace Roles.

    • Click the dropdown under Workspace Roles.

    • Select one or more roles.

    • These roles will apply to all members of the Group at the workspace level.

  6. Assign any applicable Project Roles.

    • Expand the relevant project.

    • Select project-level permissions as needed.

  7. Add users under Group Members.

  8. Click Create.

Once created, the Group will appear in the Groups list.

Editing an Existing Group

To modify a Group:

  1. Click the name of the Group you want to edit.

  2. You can update:

    • The Group Name

    • Assigned Workspace Roles

    • Assigned Project Roles

    • Group Members

  3. Click Save.

Changes take effect immediately for all members of the Group.

Adding or Removing Users from a Group

To manage membership:

  1. Click on anywhere on the Group row

  2. Under Group Members, click + Add Users to add members.

  3. To remove a user, click the trash icon next to their name.

  4. Click Save.

This immediately updates the user’s inherited permissions.

Best Practices for Using Groups

1. Organize Groups by Function, Not Individuals

Create Groups based on roles or responsibilities, such as:

  • Operations Team

  • Engineers

  • Reviewers

  • External Contractors

  • QA Team

Avoid creating Groups for individual users.

There is no limit to the number of groups that can be created or the number of groups a user can belong to. Users may be members of multiple groups simultaneously.

This flexibility allows organizations to model access in a way that reflects how their teams operate. Because permissions are derived from group membership, reviewing a user’s assigned groups provides a clear view into how their access is structured.

2. Separate Workspace-Level and Project-Level Access Strategically

Use Workspace Roles for:

  • Platform-wide responsibilities (Admins, Editors)

Use Project Roles for:

  • Project-specific access (Operators for Mission A, Viewers for Project B)

This prevents over-permissioning.

3. Use Groups for Onboarding and Offboarding

When onboarding:

  • Add the new user to any / all of the appropriate Groups.

  • No need to manually assign roles one by one.

When offboarding:

  • Remove the user from Groups or deactivate the user entirely.

  • This ensures clean and consistent permission removal.

4. Minimize Direct User Role Assignments

Whenever possible, assign roles through Groups instead of directly to individual users. This improves:

  • Consistency

  • Auditability

  • Scalability

  • Reduced administrative overhead

5. Use Naming Conventions

Adopt clear naming conventions such as:

  • Ops – Operator

  • Engineering – Editor

  • QA – Viewer

  • Mission A – Operators

This makes permission management easier as your workspace grows.

Summary

Groups are a scalable way to manage permissions in Epsilon3. By assigning roles to Groups and managing access through membership, teams can maintain consistent access control, simplify onboarding, and reduce administrative complexity.

Groups fully support and extend the Role-Based Permissions model, enabling permission management at both the workspace and project levels.

What to Expect with the Permissions Update

The Role Based Permissions model is an upgrade to the existing permissions system and introduces greater flexibility in how permissions are defined and applied. While this update includes changes to how permissions are configured and displayed in the user interface, it does not impact existing access or permission behavior at rollout. No preparation is required in advance, and current settings will continue to function as expected unless administrators choose to update or refine role assignments.

Related Articles
Projects
Operator Role Based Permissions
Project Permissions
Project Only Permissions Matrix / No Workspace Access
Epsilon3 Security Administration Guide
Did this answer your question?