Roles & Permissions
Flowstate uses role-based access control (RBAC) to govern what users can see and do across the platform. Users are assigned roles, and each role contains a set of permissions that determine access to specific features and data.
Overview
The RBAC model has three layers:
| Layer | Scope |
|---|---|
| Organization Roles | Assigned to a user at the organization level via a Role |
| Team-Level Access | Line managers receive implicit permissions for their teams |
| Direct User Grants | Individual permissions granted directly to a user |
Permissions are additive -- a user's effective permissions are the union of all permissions from their role, team-level access, and any direct grants.
Roles
A role is a named collection of permissions. Roles are managed in Settings > Roles & Permissions and have the following properties:
| Field | Description |
|---|---|
| name | Display name for the role (e.g., "Admin", "Viewer", "Finance Lead") |
| description | A short explanation of the role's purpose |
| isSystem | Whether this is a built-in system role (cannot be deleted) |
| isTenantAdminOnly | Whether this role is restricted to tenant administrators |
| dashboardViewMode | Default dashboard view mode for users with this role (defaults to INSIGHTS) |
System Roles
System roles are built into Flowstate and cannot be deleted. They serve as baseline templates and cover the most common access patterns. You can identify them by the isSystem flag.
TIP
Use system roles where they fit your organization's needs. Create custom roles only when you need a permission combination that no system role provides.
Custom Roles
Create custom roles to match specific job functions in your organization. For example, you might create a "Finance Analyst" role with read access to financial details and forecasts but no ability to modify employee records.
- Navigate to Settings > Roles & Permissions
- Click Create Role
- Enter a name and description
- Select the permissions for this role (see Permission Reference below)
- Click Save
Managing roles requires the SETTINGS_RBAC_* permissions:
| Action | Permission |
|---|---|
| View roles | SETTINGS_RBAC_VIEW |
| Create roles | SETTINGS_RBAC_CREATE |
| Update roles | SETTINGS_RBAC_UPDATE |
| Delete roles | SETTINGS_RBAC_DELETE |
WARNING
Deleting a custom role removes it from all users who currently have it assigned. Affected users lose those permissions immediately. Reassign them to a different role before deleting.
Permission Reference
Permissions are organized by functional area. Each permission controls access to a specific action or set of actions within that area.
Settings -- Entity Configuration
Control access to organizational entities such as teams, work types, value streams, cost centres, and other configuration data.
| Permission | Description |
|---|---|
| SETTINGS_ENTITY_CONFIG_VIEW | View entity configuration settings |
| SETTINGS_ENTITY_CONFIG_CREATE | Create new entity configuration entries |
| SETTINGS_ENTITY_CONFIG_UPDATE | Modify existing entity configuration |
| SETTINGS_ENTITY_CONFIG_DELETE | Delete entity configuration entries |
Settings -- Financial Configuration
Control access to financial settings including currencies, exchange rates, and cost parameters.
| Permission | Description |
|---|---|
| SETTINGS_FINANCIAL_CONFIG_VIEW | View financial configuration settings |
| SETTINGS_FINANCIAL_CONFIG_CREATE | Create financial configuration entries |
| SETTINGS_FINANCIAL_CONFIG_UPDATE | Modify financial configuration entries |
| SETTINGS_FINANCIAL_CONFIG_DELETE | Delete financial configuration entries |
Settings -- Data Import
| Permission | Description |
|---|---|
| SETTINGS_DATA_IMPORT | Import data from external sources |
Settings -- RBAC
Control who can manage roles and permissions themselves.
| Permission | Description |
|---|---|
| SETTINGS_RBAC_VIEW | View roles and their permissions |
| SETTINGS_RBAC_CREATE | Create new roles |
| SETTINGS_RBAC_UPDATE | Modify existing roles |
| SETTINGS_RBAC_DELETE | Delete roles |
Settings -- User Invitations
| Permission | Description |
|---|---|
| SETTINGS_USERS_INVITE | Invite new users to the organization |
Settings -- Integrations
Control access to integration settings including API keys, SCIM provisioning, and SIEM endpoints.
| Permission | Description |
|---|---|
| SETTINGS_INTEGRATIONS_VIEW | View integration configurations |
| SETTINGS_INTEGRATIONS_CREATE | Create new integrations |
| SETTINGS_INTEGRATIONS_UPDATE | Modify existing integrations |
| SETTINGS_INTEGRATIONS_DELETE | Delete integrations |
Financial Detail
Control the level of financial information visible to the user.
| Permission | Description |
|---|---|
| FINANCIALS_VIEW_SUMMARY | View aggregated financial summaries (team/project level) |
| FINANCIALS_VIEW_DETAILED | View individual salary, contractor rate, and cost data |
WARNING
FINANCIALS_VIEW_DETAILED grants access to individual compensation data. Assign this permission only to users who need it for their role, such as finance leads and HR business partners.
Team Plan -- Employees
| Permission | Description |
|---|---|
| TEAM_EMPLOYEES_VIEW | View employee records and allocations |
| TEAM_EMPLOYEES_CREATE | Create new employee records |
| TEAM_EMPLOYEES_UPDATE | Modify employee records and allocations |
| TEAM_EMPLOYEES_DELETE | Remove employee records |
| TEAM_EMPLOYEES_MODIFY_COMPENSATION | Change employee salary and compensation |
Team Plan -- Teams
| Permission | Description |
|---|---|
| TEAM_TEAMS_VIEW | View team structure and membership |
| TEAM_TEAMS_CREATE | Create new teams |
| TEAM_TEAMS_UPDATE | Modify team details and structure |
| TEAM_TEAMS_DELETE | Delete teams |
Team Plan -- Contractors
| Permission | Description |
|---|---|
| TEAM_CONTRACTORS_VIEW | View contractor records |
| TEAM_CONTRACTORS_CREATE | Create new contractor records |
| TEAM_CONTRACTORS_UPDATE | Modify contractor records |
| TEAM_CONTRACTORS_DELETE | Remove contractor records |
Team Plan -- Vacancies
| Permission | Description |
|---|---|
| TEAM_VACANCIES_VIEW | View vacancy records |
| TEAM_VACANCIES_CREATE | Create new vacancy records |
| TEAM_VACANCIES_UPDATE | Modify vacancy records |
| TEAM_VACANCIES_DELETE | Remove vacancy records |
Team Plan -- Skills
| Permission | Description |
|---|---|
| TEAM_SKILLS_VIEW | View skills and competency data |
| TEAM_SKILLS_CREATE | Create new skill definitions |
| TEAM_SKILLS_UPDATE | Modify skill definitions |
| TEAM_SKILLS_DELETE | Delete skill definitions |
Roadmap -- Projects
| Permission | Description |
|---|---|
| ROADMAP_PROJECTS_VIEW | View projects and project details |
| ROADMAP_PROJECTS_CREATE | Create new projects |
| ROADMAP_PROJECTS_UPDATE | Modify project details |
| ROADMAP_PROJECTS_DELETE | Delete projects |
Roadmap -- Initiatives
| Permission | Description |
|---|---|
| ROADMAP_INITIATIVES_VIEW | View initiatives |
| ROADMAP_INITIATIVES_CREATE | Create new initiatives |
| ROADMAP_INITIATIVES_UPDATE | Modify initiatives |
| ROADMAP_INITIATIVES_DELETE | Delete initiatives |
Roadmap -- Drivers
| Permission | Description |
|---|---|
| ROADMAP_DRIVERS_VIEW | View strategic drivers |
| ROADMAP_DRIVERS_CREATE | Create new drivers |
| ROADMAP_DRIVERS_UPDATE | Modify drivers |
| ROADMAP_DRIVERS_DELETE | Delete drivers |
Cost Forecast
| Permission | Description |
|---|---|
| FORECAST_VIEW | View cost forecasts and financial models |
Scenario Plans
| Permission | Description |
|---|---|
| PLANS_CREATE | Create new scenario plans |
| PLANS_MANAGE | Manage scenario plans (edit, publish, archive) |
Effort Tracking
| Permission | Description |
|---|---|
| EFFORT_TRACKING_VIEW | View effort tracking data and reports |
| EFFORT_TRACKING_SUBMIT | Submit effort entries |
| EFFORT_TRACKING_OVERRIDE | Override submitted effort entries |
| EFFORT_TRACKING_APPROVE | Approve effort submissions |
Audit
| Permission | Description |
|---|---|
| AUDIT_VIEW | View audit logs and activity history |
| AUDIT_CONFIGURE | Configure audit settings and retention |
| AUDIT_CONFIRM | Confirm and acknowledge audit findings |
| AUDIT_EXPORT | Export audit log data |
Assigning Roles to Users
Manual Assignment
- Navigate to Settings > Users
- Click on the user you want to modify
- Under Role, select the desired role from the dropdown
- Click Save
Changing a user's role requires the SETTINGS_RBAC_UPDATE permission.
Group-to-Role Mapping (SSO)
When using SAML 2.0 or OAuth 2.0 for authentication, you can map identity provider groups directly to Flowstate roles. This allows you to manage Flowstate access from your IdP rather than configuring roles individually in Flowstate.
| IdP Group Name | Flowstate Role | Effect |
|---|---|---|
| Flowstate-Admins | Admin | Full access including all settings |
| Flowstate-Editors | Editor | Create and modify plans and data |
| Flowstate-Viewers | Viewer | Read-only access to plans and data |
Group-to-role mappings are configured in the auth provider settings.
When a user authenticates via SSO, Flowstate evaluates their IdP group memberships against the configured mappings and assigns the appropriate role.
WARNING
If a user belongs to multiple mapped groups, they receive the highest-privilege role. For example, membership in both Flowstate-Viewers and Flowstate-Admins results in the Admin role being assigned.
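The two resolution rules this page states, the highest-privilege role winning when several mapped groups match (above) and effective permissions being the union of role, team-level access and direct grants (Overview), as an added example that is not Flowstate's own code. The sample role contents, the Viewer < Editor < Admin ranking, the implicit manager permissions and the ORG scope marker are all assumptions; only the permission names come from this page.

```python
"""Added example (not Flowstate's code): pick a role from IdP groups, then build the
user's effective permissions as the union of role, team-level and direct grants."""

ORG = "*"  # marker for organization-wide scope (constructed convention)

# Constructed sample roles; only the permission names come from the page.
ROLE_PERMISSIONS = {
    "Admin": {"SETTINGS_RBAC_VIEW", "SETTINGS_RBAC_UPDATE", "TEAM_EMPLOYEES_VIEW",
              "TEAM_EMPLOYEES_UPDATE", "FINANCIALS_VIEW_DETAILED"},
    "Editor": {"TEAM_EMPLOYEES_VIEW", "TEAM_EMPLOYEES_UPDATE", "PLANS_CREATE"},
    "Viewer": {"TEAM_EMPLOYEES_VIEW", "ROADMAP_PROJECTS_VIEW"},
}
# Higher rank = more privilege; decides the role when several mapped groups match.
ROLE_RANK = {"Viewer": 0, "Editor": 1, "Admin": 2}
GROUP_TO_ROLE = {"Flowstate-Admins": "Admin", "Flowstate-Editors": "Editor",
                 "Flowstate-Viewers": "Viewer"}
# Assumed: what a line manager implicitly gets for the teams they manage
# (the page says such permissions exist but does not list them).
MANAGER_TEAM_PERMISSIONS = {"TEAM_EMPLOYEES_VIEW", "TEAM_EMPLOYEES_UPDATE"}


def role_from_groups(idp_groups):
    """Highest-privilege role among the user's mapped groups, or None if none match."""
    mapped = [GROUP_TO_ROLE[g] for g in idp_groups if g in GROUP_TO_ROLE]
    return max(mapped, key=ROLE_RANK.__getitem__) if mapped else None


def effective_permissions(role, managed_teams=(), direct_grants=()):
    """Map each permission to the scopes it applies to: ORG and/or specific team ids."""
    scopes = {}
    for perm in ROLE_PERMISSIONS.get(role, ()):      # layer 1: organization role
        scopes.setdefault(perm, set()).add(ORG)
    for team in managed_teams:                       # layer 2: team-level access
        for perm in MANAGER_TEAM_PERMISSIONS:
            scopes.setdefault(perm, set()).add(team)
    for perm in direct_grants:                       # layer 3: direct user grants
        scopes.setdefault(perm, set()).add(ORG)
    return scopes


def is_allowed(scopes, permission, team=None):
    """True if the permission is held org-wide, or specifically for the given team."""
    held = scopes.get(permission, set())
    return ORG in held or (team is not None and team in held)
```

Note that team-level access never widens to the organization: a Viewer who manages one team can update employees on that team only, while the org-wide view right still comes from the Viewer role.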
SCIM Provisioning
When SCIM 2.0 provisioning is enabled, group membership changes in your IdP are automatically synced to Flowstate. Adding a user to a mapped group in your IdP updates their Flowstate role without manual intervention.
See the SCIM group-to-role mapping guide for details.
Team-Level Access
Line managers receive implicit permissions for the teams they manage. This allows managers to view and manage their direct reports without requiring organization-wide permissions.
Team-level access is determined by the team's manager assignment in Flowstate and does not require a separate role configuration.
Best Practices
- Follow the principle of least privilege -- Assign users the minimum permissions required for their job function. Start with a restrictive role and add permissions only as needed.
- Use system roles where possible -- System roles cover common access patterns and are maintained by Flowstate. Custom roles require ongoing maintenance as new permissions are added.
- Create custom roles for specific job functions -- If you have distinct job functions that do not map cleanly to a system role, create a custom role. Name it after the job function (e.g., "Finance Analyst", "Engineering Manager") rather than the permissions it contains.
- Use SSO group mapping -- If you use SAML or OAuth, manage role assignments through your IdP groups rather than manually in Flowstate. This ensures role changes follow your existing access governance processes.
- Review role assignments periodically -- Audit who has which role at least quarterly. Look for users with overly broad permissions, inactive users who should be deactivated, and roles with permissions that are no longer needed.
- Separate financial access carefully -- The FINANCIALS_VIEW_DETAILED and TEAM_EMPLOYEES_MODIFY_COMPENSATION permissions grant access to sensitive compensation data. Restrict these to finance, HR, and executive roles.
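A periodic access review of the kind the last two practices describe, as an added example that is not Flowstate's own code: it runs over a constructed export of users and roles and flags sensitive compensation permissions held outside approved roles or via direct grants, inactive users, and roles nobody holds. The approved-role list, the 90-day inactivity threshold, the review date and the sample users are all assumptions.

```python
"""Added example (not Flowstate's code): a periodic access review over a constructed
export of users and roles, flagging the conditions the best practices above call out."""
from datetime import date, timedelta

SENSITIVE = {"FINANCIALS_VIEW_DETAILED", "TEAM_EMPLOYEES_MODIFY_COMPENSATION"}
# Roles permitted to carry sensitive compensation permissions (constructed policy).
SENSITIVE_ALLOWED_ROLES = {"Admin", "Finance Lead", "HR Business Partner"}
INACTIVITY_LIMIT = timedelta(days=90)  # assumed threshold, not a Flowstate default
TODAY = date(2024, 6, 15)              # constructed review date

# Constructed snapshot; only the permission names come from the page.
ROLES = {
    "Admin": {"SETTINGS_RBAC_UPDATE", "FINANCIALS_VIEW_DETAILED",
              "TEAM_EMPLOYEES_MODIFY_COMPENSATION"},
    "Engineering Manager": {"TEAM_EMPLOYEES_VIEW", "TEAM_EMPLOYEES_MODIFY_COMPENSATION"},
    "Viewer": {"TEAM_EMPLOYEES_VIEW"},
    "Legacy Analyst": {"FORECAST_VIEW"},
}
USERS = [
    {"email": "alice@example.com", "role": "Admin",
     "direct_grants": set(), "last_login": date(2024, 6, 1)},
    {"email": "bob@example.com", "role": "Engineering Manager",
     "direct_grants": set(), "last_login": date(2024, 5, 20)},
    {"email": "carol@example.com", "role": "Viewer",
     "direct_grants": {"FINANCIALS_VIEW_DETAILED"}, "last_login": date(2024, 1, 3)},
]


def review(users=USERS, roles=ROLES, today=TODAY):
    """Return (subject, finding) pairs for a human reviewer to act on."""
    findings = []
    for u in users:
        role_perms = roles.get(u["role"], set())
        # Sensitive permission reached through a role outside the approved set.
        for perm in sorted(SENSITIVE & role_perms):
            if u["role"] not in SENSITIVE_ALLOWED_ROLES:
                findings.append((u["email"], f"role {u['role']} carries {perm}"))
        # Direct grants of sensitive permissions bypass role-based governance.
        for perm in sorted(SENSITIVE & u["direct_grants"]):
            findings.append((u["email"], f"direct grant of {perm}"))
        # Inactive users should be deactivated rather than left with standing access.
        if today - u["last_login"] > INACTIVITY_LIMIT:
            findings.append((u["email"], "inactive; deactivate"))
    # Roles nobody holds are candidates for removal.
    for role in sorted(set(roles) - {u["role"] for u in users}):
        findings.append((role, "role has no users"))
    return findings
```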
Related Pages
- SAML 2.0 Setup -- Configure SAML SSO and group-to-role mapping
- OAuth 2.0 Setup -- Configure OAuth SSO and group claims
- SCIM 2.0 Provisioning -- Automated user and group lifecycle management
- API Keys -- API key permissions and scope management
- Audit Logs -- Track role changes and permission modifications