Roles & Permissions
Define user roles with specific permission levels to control access across your Compass workspace.
Overview
Roles are the foundation of access control in Compass. Each role defines:
- Module Access — Which modules users can see and use
- Widget Visibility — Which dashboard widgets are available
- Field Visibility — Which data fields are visible or editable
- Access Rules — Conditional permissions based on data attributes
How Roles Work
Users are assigned one or more roles, and their effective permissions are the combination of all assigned roles.
How it flows: User → Assigned Role(s) → Permissions → Features. Assigned roles grant permissions, and permissions allow access to features.
Creating a Role
- Navigate to Users & Roles.
- Click the Add Role button in the header.
- Configure the role name and settings in the modal that appears.
Configuring a Role
Role Tabs
Each role is managed through several specialized tabs:
| Tab | Description |
|---|---|
| Module Permissions | Control high-level access to entire modules (e.g., Projects, Finance). |
| Widget Permissions | Toggle visibility of specific dashboard widgets. |
| Field Permissions | Set Read/Write access for individual data fields within modules. |
| Access Rules | Define conditional data filters (e.g., "See only my projects"). |
| User List | View all users currently assigned to this role. |
Role Action Buttons
The header of the single-role view provides the following action buttons:
| Button | Description |
|---|---|
| How Permissions Work | Opens a help modal explaining the permissions system |
| Delete | Permanently removes the role |
| Duplicate | Creates a copy of this role with the same permissions |
Module Permission Levels
When configuring Module Permissions, you can choose a predefined access profile or define granular rights:
| Profile | Description |
|---|---|
| Full Access | Complete Read, Write, and Delete rights for all records. |
| Read Only | Can view all records but cannot create, modify, or delete. |
| Own Records | Can Read, Write, and Delete only the records they own or are assigned to. |
| No Access | The module is hidden entirely from the role. |
| Custom | Manually define different levels for Read, Write, and Delete. |
Granular Rights (Custom)
For each module, you can set All, Own Records, or None for:
- Read: Ability to view records.
- Write: Ability to create or modify records.
- Delete: Ability to remove records.
→ Learn more about Module Permissions
Field Permissions
Control visibility and editability of specific data fields using two toggles — Read and Write:
| Read | Write | Effect |
|---|---|---|
| ✅ | ✅ | User can see and modify the field |
| ✅ | ❌ | User can see the field but cannot change it |
| ❌ | ❌ | The field is hidden from the user |
→ Learn more about Field Permissions
Access Rules
Conditional permissions based on data attributes:
Example Rules:
- "Project managers see only their own projects"
- "Finance team can view all budgets"
- "Regional users see projects in their region"
→ Learn more about Access Rules
Assigning Roles to Users
- Go to Users & Roles → Users tab.
- Click on a user to open their details.
- In the Base Information tab, select one or more roles in the Roles field.
- Click Save.
Note: "Effective permissions" are calculated by combining the rights of all roles assigned to the user.
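An added sketch of the role model described above (not Compass code): it expands the predefined module profiles into Read/Write/Delete scopes and combines several roles for one user. The page says only that roles are combined; the broadest-scope-wins merge rule, the function names and the sample roles are assumptions.

```python
# Added illustration, not Compass code. Profile and scope names come from the
# page; the merge rule (broadest scope wins for each right) is an ASSUMPTION.
from enum import IntEnum

class Scope(IntEnum):
    NONE = 0   # "None"
    OWN = 1    # "Own Records"
    ALL = 2    # "All"

RIGHTS = ("read", "write", "delete")

def _profile(read, write, delete):
    return {"read": read, "write": write, "delete": delete}

# Predefined profiles from the Module Permission Levels table.
PROFILES = {
    "Full Access": _profile(Scope.ALL, Scope.ALL, Scope.ALL),
    "Read Only": _profile(Scope.ALL, Scope.NONE, Scope.NONE),
    "Own Records": _profile(Scope.OWN, Scope.OWN, Scope.OWN),
    "No Access": _profile(Scope.NONE, Scope.NONE, Scope.NONE),
}

def role_rights(role, module):
    """Rights one role grants on a module; a dict value models the Custom profile."""
    grant = role.get(module, "No Access")
    custom = grant if isinstance(grant, dict) else PROFILES[grant]
    return {r: custom.get(r, Scope.NONE) for r in RIGHTS}

def effective_rights(roles, module):
    """Combine all assigned roles (assumed rule: broadest scope wins per right)."""
    per_role = [role_rights(role, module) for role in roles]
    return {r: max((p[r] for p in per_role), default=Scope.NONE) for r in RIGHTS}

def can(roles, module, right, user, record_owner):
    """Would `user` be allowed `right` on a record owned by `record_owner`?"""
    scope = effective_rights(roles, module)[right]
    return scope == Scope.ALL or (scope == Scope.OWN and user == record_owner)

def exceeds_every_role(roles, module):
    """True when the combination grants more than any single assigned role does."""
    combined = effective_rights(roles, module)
    return bool(roles) and all(role_rights(r, module) != combined for r in roles)

# Constructed sample roles (hypothetical names), keyed by module.
VIEWER = {"Projects": "Read Only"}
CONTRIBUTOR = {"Projects": "Own Records"}
FINANCE_CUSTOM = {"Finance": {"read": Scope.ALL, "write": Scope.OWN}}
```

Under that assumption, a user holding both Read Only and Own Records on Projects can read every project and still write and delete their own, which is broader than either role alone. Role combinations are therefore worth reviewing alongside the individual roles.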
Related
- Managing Users — User account management
- Module Permissions — Detailed module access
- Field Permissions — Field-level control
- Access Rules — Conditional access
- Access Codes — Invitation-based access