
Overview

Roles & Permissions is the foundation of Elementum’s security model. Best practice is to assign permissions through roles rather than to individual users. This approach ensures consistent access control, simplifies management across large teams, and keeps role assignments audit-ready for compliance reviews. Elementum supports two permission scopes:
  • Organization-level — Grants access across all apps the user can reach. Use for administrative oversight roles such as IT administrators or compliance officers.
  • App-level — Grants access only to a specific app, element, or task and its related features. Use for department-specific or project-scoped roles.
Organization-level permissions cascade down to all accessible apps. Assign org-level roles carefully and primarily for administrative oversight.

Managed Roles

Managed roles are predefined roles with standard permission sets. Their permissions are fixed; you manage only membership (users and groups). Organization managed roles and app managed roles are different sets.
Open Org Settings > Roles & Permissions, then select the Organization roles tab. The Managed roles list shows the predefined organization roles; use Manage membership on each card to assign users and groups.
  • Admin — Full access to Elementum Admin functions and organization settings, including company-wide configuration.
  • API Developer — Permissions to access and run Elementum APIs across the platform.
  • App Admin — Create or edit apps, tasks, and elements at the organization level, within sharing and access policies that apply to what this user can reach.
  • Bulk Import Admin — Use bulk import and bulk update from list views on apps, tasks, and elements.
  • External Create — View, create, and update records; read and post to conversations on records the user can access (for external collaboration patterns).
  • External Update — View and update records; read and post to conversations on accessible records according to access policies.
  • Internal User — View, create, and update records, conversations, and attachments across apps, tasks, and elements the user can access.
  • Service Requestor — Create service requests for users or groups that need to submit service requests through your workflows.
App Admin at the organization level is not the same role as App Admin under App roles. Organization App Admin applies org-wide; app App Admin applies only within one app.

Custom Roles

Custom roles let you define any combination of permissions to match your organization’s specific workflows.

Create a Custom Role

  1. Open Org Settings.
  2. Click Roles & Permissions.
  3. Click Create Custom Role, enter a descriptive Role Name, and add a Description explaining the role’s purpose.
  4. Select the Users and Groups who should have this role. Optionally configure Auto Share Options (see below).
  5. Set permissions for each resource type. See Permission Types for the full list of granular options.
Custom roles can also be created directly in your app. Click Roles & Permissions under the Security section of an app menu.

Auto Share Options

Configure roles to be automatically assigned when users interact with records. Available triggers:
  • When user is added as a watcher — Automatically assigns the role when someone watches a record
  • When user is assigned to a record — Assigns when a user becomes the record assignee
  • When user is @mentioned — Assigns when a user is mentioned in comments
  • When a record is shared with a user — Assigns when records are explicitly shared

Permission Types

Custom roles can include many granular permissions, grouped by resource type in the role editor. Use the quick picker at the top to apply common bundles (View, Edit, or Admin access) where available, then adjust individual permissions as needed.
  • Admin Access
  • Create Assignment Rules, View Assignment Rules, Update Assignment Rules, Delete Assignment Rules
  • View Data Sources
  • Create Objects, View Objects, Update Objects, Delete Objects (Apps, Elements, Tasks)
  • View Apps
  • Create Tags, Update Tags, Delete Tags
  • Create Attachments, View Attachments, Update Attachments, Delete Attachments
  • Create Conversations, View Conversations, Update Conversations, Delete Conversations
  • Create Messages, View Messages, Update Messages, Delete Messages
Documents
  • Create Documents, View Documents, Update Documents, Delete Documents
Workflows
  • Create Workflows, View Workflows, Update Workflows, Delete Workflows
Data Mines
  • Create Data Mines, View Data Mines, Update Data Mines, Delete Data Mines
  • Create Element Relations, Delete Element Relations
  • Create Record Sharing, Delete Record Sharing
  • View Activity Logs
  • Create Document Models, View Document Models, Update Document Models, Delete Document Models
  • Create Records, View Records, Update Records, Delete Records
  • Bulk Update Records
  • Create Data Access Policies, View Data Access Policies, Update Data Access Policies, Delete Data Access Policies
  • View Tags
  • Create Analytics Events, View Analytics Events
  • Create Charts, View Charts, Update Charts, Delete Charts
  • Create Dashboards, View Dashboards, Update Dashboards, Delete Dashboards
  • View Metrics
  • View Skills
  • View Analysts, Update Analysts
Providers
  • Create AI Provider, View AI Provider, Update AI Provider, Delete AI Provider
Connectors
  • Create AI Provider Connector, View AI Provider Connector, Update AI Provider Connector, Delete AI Provider Connector
  • Create Agents, View Agents, Update Agents, Delete Agents
  • Delete Groups
  • Create OAuth Tokens, Delete OAuth Tokens
  • Create Organization Users, Update Organization Users
  • Create Organization Structures, Update Organization Structures, Delete Organization Structures
  • Create Roles, View Roles, Update Roles, Delete Roles
  • Create Object Level Roles, View Object Level Roles, Update Object Level Roles, Delete Object Level Roles (Apps, Elements, Tasks)
  • Create Service Accounts, View Service Accounts, Update Service Accounts
  • SCIM Integration
  • Create Groups, View Groups, Update Groups
  • Create Service Requests, View Service Requests, Update Service Requests, Delete Service Requests
  • Create Marketplace Apps, View Marketplace Apps
  • Create Service Level Agreements, View Service Level Agreements, Update Service Level Agreements, Delete Service Level Agreements
Users can hold multiple roles simultaneously — permissions are additive across all assigned roles.

User Invite Policy

The User Invite Policy is an organization-level setting that controls which users can invite new people into the organization. Find it in Org Settings > General. The policy applies on top of the CREATE_ORGANIZATION_USERS permission: users must first hold that permission, and the policy then further restricts what they can do with it.
Users with the ADMIN permission always bypass the policy and can invite anyone regardless of the setting.

Policy Options

The most restrictive setting: only administrators can invite new users. Behavior:
  • Admins: Can invite any user (any email domain)
  • Non-admins: Cannot invite anyone, even if they have CREATE_ORGANIZATION_USERS permission. Requests are rejected with a validation error.
Use case: Organizations that want centralized control over user provisioning.
The User Invite Policy only affects inviting new users into the organization. Adding existing organization users to resources like customer chat channels is controlled separately by the UPDATE_CONVERSATIONS permission.
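The following is an added example, not Elementum's code or API, that models the rules stated in the Overview and in this section so they can be checked against concrete cases: org-level roles cascade to every app, app-level roles reach one app, permissions are additive across roles, and an invite attempt is judged by ADMIN first, then by CREATE_ORGANIZATION_USERS, then by the policy. The data structures, function names, the policy labels ("admins_only" for the restrictive option described above, "unrestricted" as a stand-in for a less restrictive one), the app ids and the e-mail addresses are all assumptions made for the model.

```python
"""Toy model of the role semantics this page describes: org-level roles
cascade to every app, app-level roles reach one app, permissions are additive
across roles, and the User Invite Policy sits on top of
CREATE_ORGANIZATION_USERS with ADMIN bypassing it.

Added illustration only; this is not Elementum's code or API. The data
structures, function names, the policy labels ("admins_only" for the
restrictive option the page describes, "unrestricted" as a stand-in for a
less restrictive one), the app ids and the e-mail addresses are assumptions.
"""
from dataclasses import dataclass, field

ORG = "org"  # scope marker for organization-level roles (assumption)


@dataclass(frozen=True)
class Role:
    name: str
    scope: str              # ORG, or the id of the single app the role reaches
    permissions: frozenset  # permission names as they appear in the role editor


@dataclass
class User:
    email: str
    roles: list = field(default_factory=list)


def effective_permissions(user, app_id):
    """Permissions a user holds inside one app: the union over every role that
    reaches it. Org-level roles cascade to all apps; app-level roles count only
    for their own app. Roles only add permissions; nothing here subtracts."""
    perms = set()
    for role in user.roles:
        if role.scope == ORG or role.scope == app_id:
            perms |= role.permissions
    return perms


def org_permissions(user):
    """Permissions granted by organization-level roles alone. The model assumes
    an org-level action such as inviting users is judged on these."""
    perms = set()
    for role in user.roles:
        if role.scope == ORG:
            perms |= role.permissions
    return perms


def can_invite(user, policy):
    """Evaluate an invite attempt in the order the page gives: ADMIN bypasses
    the policy; otherwise CREATE_ORGANIZATION_USERS is required first, and the
    policy then further restricts. Returns (allowed, reason)."""
    perms = org_permissions(user)
    if "ADMIN" in perms:
        return True, "ADMIN bypasses the User Invite Policy"
    if "CREATE_ORGANIZATION_USERS" not in perms:
        return False, "missing CREATE_ORGANIZATION_USERS"
    if policy == "admins_only":
        return False, "validation error: only administrators can invite under this policy"
    return True, "allowed: has CREATE_ORGANIZATION_USERS and the policy permits it"


def org_admins(users):
    """Review helper for the 'assign org-level roles carefully' advice: list who
    holds ADMIN at organization scope."""
    return sorted(u.email for u in users if "ADMIN" in org_permissions(u))


# Constructed sample data (not from the page).
ADMIN_ROLE = Role("Admin", ORG, frozenset({"ADMIN", "CREATE_ORGANIZATION_USERS"}))
ONBOARDING = Role("HR Onboarding", ORG, frozenset({"CREATE_ORGANIZATION_USERS", "VIEW_RECORDS"}))
SUPPORT_EDITOR = Role("Support Editor", "app-support",
                      frozenset({"VIEW_RECORDS", "UPDATE_RECORDS", "UPDATE_CONVERSATIONS"}))

alice = User("alice@example.com", [ADMIN_ROLE])
bob = User("bob@example.com", [ONBOARDING, SUPPORT_EDITOR])
carol = User("carol@example.com", [SUPPORT_EDITOR])
USERS = [alice, bob, carol]

if __name__ == "__main__":
    print("bob in app-support:", sorted(effective_permissions(bob, "app-support")))
    print("bob in app-finance:", sorted(effective_permissions(bob, "app-finance")))
    for u in USERS:
        print(u.email, "admins_only ->", can_invite(u, "admins_only"))
    print("org admins:", org_admins(USERS))
```

Running the script shows bob's org-level onboarding role reaching app-finance even though he has no role there, carol's app-level role contributing nothing outside app-support, and bob being refused under the restrictive policy despite holding CREATE_ORGANIZATION_USERS, while alice passes on ADMIN alone.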

Manage Roles

  1. Open Roles & Permissions for the scope you need: Org Settings > Roles & Permissions for organization roles, or Roles & Permissions under Security in an app menu for that app’s roles.
  2. Click Manage Role on any role to add or remove users and groups.
  3. For custom roles, modify permissions and settings as business needs change.
  4. Remove custom roles that are no longer needed. Managed roles cannot be deleted.

Best Practices

Security Principles

  • Principle of least privilege — Grant only the minimum permissions necessary for users to perform their job functions.
  • Separation of duties — Ensure critical functions require multiple roles or approvals.
  • Regular audits — Periodically review role assignments and permissions to confirm they remain appropriate. All role changes are logged in the Activity Log.
  • Descriptive naming — Use clear, descriptive role names that indicate purpose and scope.

Common Security Patterns

Separate roles by function rather than hierarchy. Create roles based on job responsibilities, avoid overly broad permissions, and prefer multiple specific roles over one broad role.
Use custom roles for temporary or project-based access. Create time-limited roles for contractors, remove access when projects complete, and regularly clean up unused roles.
Plan for emergency access scenarios. Designate emergency administrators, document emergency procedures, and test emergency access regularly.