Security
Workspace roles and custom RBAC
Built-in roles (Owner, Admin, Editor, Viewer), what each can do, how custom roles work on Business, and how role changes interact with API keys.
Updated 2026-05-15
Elido has four built-in workspace roles. They cover most teams; custom roles on Business let you fine-tune when "Admin" is too much and "Editor" is too little.
Built-in roles
| Role | Links | Members | Domains | Billing | Audit log |
|---|---|---|---|---|---|
| Owner | RW | RW | RW | RW | R |
| Admin | RW | RW | RW | R (read-only) | R |
| Editor | RW | R | R | — | R (own actions only) |
| Viewer | R | R | R | — | — |
R = read, RW = read/write, — = no access. The matrix is a simplification — see the per-area notes below for details.
What each role can actually do
Owner. The role held by whoever created the workspace and anyone they've promoted. Owner is the only role that can:
- Change the billing plan or payment method.
- Delete the workspace.
- Promote / demote other Owners.
A workspace must always have at least one Owner. If the last Owner leaves, the system auto-promotes the longest-tenured Admin.
Admin. Day-to-day workspace administration without billing access. Admins manage links, domains, webhooks, members, and integrations. They can read billing pages but cannot change cards or plans.
Editor. The default for individual contributors. Can create / edit / delete links, run bulk imports, generate QR codes, and manage webhooks. Cannot invite people, change workspace settings, or add custom domains.
Viewer. Read-only across the dashboard. Sees links and analytics; cannot click any action button. Useful for stakeholders, auditors, and read-only BI / Looker users.
Custom roles (Business plan)
Business workspaces can define custom roles with a checklist of permissions. The permission set:
- links.read / links.write
- analytics.read
- domains.read / domains.write
- members.read / members.write
- billing.read / billing.write
- audit_log.read
- webhooks.write
- api_keys.create (issue keys with role ≤ your own)
- qr.read / qr.write
- bio.write
- branding.write (white-label customisation)
Create one in Settings → Roles → New role. Pick a name, tick the permissions, save. Assign to a member from the member's row in the member list. Roles can be edited later; changes propagate within 60 seconds.
Role and API keys
API keys are role-bound. An editor API key can write links; an admin API key can do everything an admin user can. Issuing a key with a higher role than your own workspace role is not allowed; the API rejects the request with 403.
Demoting a user does not revoke their API keys automatically. Each key keeps the role it had when it was issued, so a demoted user's existing keys still act with the old role. To enforce the demotion, revoke the user's keys explicitly from Settings → API keys → Manage user keys.
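The check below is an added example, not Elido code: it compares each active key's bound role with its holder's current workspace role and flags the keys that a demotion left over-privileged. The record fields, sample data and the built-in ordering Viewer < Editor < Admin < Owner are assumptions made for illustration; in practice you would feed it your own export of members and keys.

```python
# Added example. Field names and records are constructed, not Elido's API schema.
# Assumed ordering of the built-in roles (used for the "role <= your own" comparison).
ROLE_RANK = {"viewer": 0, "editor": 1, "admin": 2, "owner": 3}

EXCEEDS = "key role exceeds holder's current role"
CUSTOM = "custom role involved: compare permission checklists manually"
ORPHAN = "holder is not a workspace member"


def find_stale_keys(members, api_keys):
    """Return (key_id, reason) for every active key that needs review."""
    current = {m["user_id"]: m["role"].lower() for m in members}
    findings = []
    for key in api_keys:
        if key.get("revoked"):
            continue  # already revoked, nothing left to enforce
        key_role = key["role"].lower()
        user_role = current.get(key["user_id"])
        if user_role is None:
            findings.append((key["key_id"], ORPHAN))
        elif key_role not in ROLE_RANK or user_role not in ROLE_RANK:
            # Custom roles have no rank; they are permission checklists.
            findings.append((key["key_id"], CUSTOM))
        elif ROLE_RANK[key_role] > ROLE_RANK[user_role]:
            findings.append((key["key_id"], EXCEEDS))
    return findings


# Constructed sample: u2 was demoted from Admin to Editor after k2 was issued.
MEMBERS = [
    {"user_id": "u1", "role": "Admin"},
    {"user_id": "u2", "role": "Editor"},
    {"user_id": "u3", "role": "Viewer"},
    {"user_id": "u4", "role": "link-ops"},  # hypothetical custom role name
]
API_KEYS = [
    {"key_id": "k1", "user_id": "u1", "role": "admin", "revoked": False},
    {"key_id": "k2", "user_id": "u2", "role": "admin", "revoked": False},
    {"key_id": "k3", "user_id": "u2", "role": "editor", "revoked": False},
    {"key_id": "k4", "user_id": "u3", "role": "editor", "revoked": True},
    {"key_id": "k5", "user_id": "u4", "role": "editor", "revoked": False},
    {"key_id": "k6", "user_id": "u9", "role": "viewer", "revoked": False},
]

if __name__ == "__main__":
    for key_id, reason in find_stale_keys(MEMBERS, API_KEYS):
        print(f"{key_id}: {reason}")
```

Keys reported as exceeding the holder's role are the ones to revoke from Settings → API keys → Manage user keys.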
Transferring ownership
To hand ownership to someone else:
- Open the member's row → Set role: Owner.
- Optionally set your own role down to Admin or lower.
There's no "transfer workspace" wizard — every Owner has equal rights, and you can have as many Owners as you want. For a clean handoff, promote the new Owner first, confirm they have access, then demote yourself.
Removing a member
Removed members lose dashboard access immediately. Their personal API keys are revoked within 60s. Links they created remain owned by the workspace (not the user), so nothing breaks on the link side.
Audit log entries created by the removed user are kept indefinitely — removal does not anonymise history.
Troubleshooting
A user says they can't see a link they created. Check their role — if you demoted them to Viewer, they can still see the link if they're in the workspace, but they can't edit it. If you also moved them out of the folder, restore folder access.
API key works for a user even after I demoted them. API keys keep their original role. Revoke the key from Settings → API keys to force a re-issue.
Custom role is missing a permission I need. The permission set is fixed (see list above). If something genuinely critical is missing, email support@elido.app with the use case — we add capabilities to the permission set when there's demand.
Bulk role change. Use the SCIM API: group memberships in your IdP map to roles in Elido. See SSO + SCIM for setup. SCIM-controlled roles can't be edited in the dashboard — they're whatever the IdP says.