Roles & Permissions
Nembl uses role-based access control (RBAC) to govern what users and agents can do within your company. Every member is assigned one or more roles that determine their permissions across the platform.
System Roles
Nembl provides three built-in system roles that cannot be modified or deleted.
| Role | Description | Typical Use |
|---|---|---|
| Owner | Full control over the company account, billing, and all resources. Cannot be removed except by transferring ownership. | Company founder or primary administrator |
| Admin | Can manage users, roles, groups, teams, policies, and company settings. Cannot transfer ownership or delete the company. | IT administrators, department heads |
| Member | Can access assigned services, submit requests, view their own inbox and tasks. No administrative privileges. | General employees, contractors |
Every new user who accepts an invitation is assigned the Member role by default unless the inviting admin specifies a different role.
Custom Roles
When system roles are not granular enough, create custom roles to match your organization's structure.
Creating a Custom Role
- Navigate to Settings > IAM > Roles.
- Click Create Role.
- Enter a role name and optional description (e.g., "Service Manager" or "Read-Only Auditor").
- Select the permissions to include. Permissions are grouped by resource type:
  - Services -- create, read, update, delete, publish
  - Workflows -- create, read, update, delete, publish, execute
  - Requests -- create, read, update, assign, close
  - Organizations -- create, read, update, delete
  - Teams -- create, read, update, delete, manage members
  - Users -- invite, read, update, disable
  - Policies -- create, read, update, delete
  - Secrets -- create, read, update, delete
  - Billing -- view plans, manage subscription
- Click Save.
Permission Format
Each permission follows the pattern resource:action. For example:

```
services:create
workflows:publish
requests:assign
teams:manage_members
```

You can use wildcards to grant all actions on a resource:

```
services:*    # All service permissions
workflows:*   # All workflow permissions
```

Assigning Roles to Users
Individual Assignment
- Navigate to Settings > IAM > Members.
- Click on the user you want to modify.
- In the Roles section, click Add Role.
- Select one or more roles from the dropdown.
- Click Save.
Bulk Assignment via Groups
Rather than assigning roles to individual users, assign roles to groups. All members of the group inherit the group's roles. This is the recommended approach for organizations with more than a handful of users.
Role Precedence
When a user has multiple roles (either directly assigned or inherited through groups), permissions are combined additively. If any role grants a permission, the user has that permission. Explicit Deny policies always override role-based Allow permissions -- see Policies & ABAC for details.
Viewing Effective Permissions
To see the complete set of permissions a user has after combining all roles, group memberships, and policies:
- Navigate to Settings > IAM > Members.
- Click on the user.
- Open the Effective Permissions tab.
This view resolves all role assignments, group inheritance, and policy overrides into a single list of allowed and denied actions.
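Role Precedence and the Effective Permissions view together describe a resolution rule: union the permissions of every role (directly assigned or inherited through groups), expand resource:* wildcards, then let explicit Deny policies override any Allow. The Python below is an added illustration of that rule, not Nembl's own code; the role names, group, user and Deny policy are constructed sample data, and the permission catalog is built from the resource list on this page.

```python
from dataclasses import dataclass, field

def split_perm(perm: str) -> tuple[str, str]:
    """Split 'resource:action'; reject anything that does not follow the pattern."""
    if perm.count(":") != 1 or not all(perm.split(":")):
        raise ValueError(f"malformed permission: {perm!r}")
    resource, action = perm.split(":")
    return resource, action

def matches(pattern: str, perm: str) -> bool:
    """True if a granted pattern (possibly 'resource:*') covers a concrete permission."""
    p_res, p_act = split_perm(pattern)
    r_res, r_act = split_perm(perm)
    return p_res == r_res and p_act in ("*", r_act)

@dataclass
class User:
    name: str
    roles: set[str] = field(default_factory=set)   # directly assigned roles
    groups: set[str] = field(default_factory=set)  # groups whose roles are inherited

def effective_permissions(user, role_perms, group_roles, deny_policies, catalog):
    """Combine every role (direct and inherited) additively, then apply explicit
    Deny policies, which override any role-based Allow."""
    roles = set(user.roles)
    for group in user.groups:
        roles |= group_roles.get(group, set())
    granted = set().union(*(role_perms.get(r, set()) for r in roles))
    allowed = {p for p in catalog if any(matches(g, p) for g in granted)}
    denies = deny_policies.get(user.name, set())
    denied = {p for p in allowed if any(matches(d, p) for d in denies)}
    return {"allowed": sorted(allowed - denied), "denied": sorted(denied)}

# Constructed sample data modelled on the permission list on this page.
CATALOG = (
    {f"workflows:{a}" for a in ("create", "read", "update", "delete", "publish", "execute")}
    | {f"requests:{a}" for a in ("create", "read", "update", "assign", "close")}
    | {f"users:{a}" for a in ("invite", "read", "update", "disable")}
)
ROLE_PERMS = {
    "Member": {"requests:create", "requests:read"},
    "Workflow Designer": {"workflows:*"},   # hypothetical custom role
}
GROUP_ROLES = {"design-team": {"Workflow Designer"}}
DENY_POLICIES = {"alice": {"workflows:publish"}}  # exception expressed as a Deny policy

def resolve_example():
    """Resolve a constructed user who holds Member directly and inherits Workflow Designer."""
    alice = User("alice", roles={"Member"}, groups={"design-team"})
    return effective_permissions(alice, ROLE_PERMS, GROUP_ROLES, DENY_POLICIES, CATALOG)
```

Running resolve_example() shows the wildcard granting every workflow action except the one the Deny policy removes, while the user gains nothing on resources no role mentions.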
Best Practices
- Use system roles for most users. The Owner/Admin/Member model is sufficient for many small teams.
- Create custom roles for specialized access. For example, a "Workflow Designer" role that can create and publish workflows but cannot manage users.
- Prefer group-based assignment. Assign roles to groups rather than individuals to simplify management as your team grows.
- Audit role assignments regularly. Review who has Admin and Owner roles quarterly to ensure least-privilege access.
- Use policies for exceptions. If a user needs most of a role's permissions but should be denied one specific action, use a Deny policy rather than creating a new role.