Roles and permissions

The five built-in workspace roles plus custom ones.

Dalea has two scopes of permission: organisation roles (control billing, member directory, workspace creation) and workspace roles (control day-to-day work inside a workspace).

A user always has exactly one role per organisation and exactly one role per workspace they belong to.

Organisation roles

Owner
Everything: invite/remove members, change tier, manage billing, create or delete workspaces, transfer ownership, delete the org. Typically one person.
Admin
Like Owner minus billing and org deletion. Day-to-day org administration.
Member
Read-only at the org level: can see members and workspaces. Actual work happens inside a workspace, governed by that workspace's roles.

Workspace roles

Five built-in roles cover most labs. You can also define custom roles with arbitrary combinations of permissions.

Owner
Full control. Settings, members, OAuth clients, custom roles, deletion.
Data Engineer
Edit documents, comments, inventory and data, including schema changes (each schema change is recorded with an audit reason). Cannot delete the workspace or manage OAuth clients.
Editor
Edit documents, comments, and data records, but cannot change the schema or the inventory structure.
Commenter
Read-only on data and documents. Can post comments and use the AI assistant.
Viewer
Read-only. No comments, no AI tool calls.

How permissions actually work

Internally, every action a user can take has a permission name (e.g. MANAGE_INVENTORY_STRUCTURE, EDIT_DOCUMENTS). A role is simply a set of permissions. Permissions form a hierarchy that is expanded when a role is evaluated: granting a stronger permission implicitly grants the weaker ones beneath it, so MANAGE_INVENTORY_STRUCTURE implies EDIT_INVENTORY, which implies VIEW_INVENTORY.

Because expansion only ever adds the weaker permissions implied by what you already granted, a custom role can never be internally inconsistent and never ends up with more than its strongest granted permission implies: you can't grant "edit inventory" without also getting "view inventory", and you can't get "manage inventory structure" from granting "edit inventory".

OAuth client roles

When you create an OAuth client (e.g. for Claude Desktop) you assign it a workspace role. The effective permissions when the app makes a call are the intersection of the user's permissions and the app's role: if you are a workspace Owner but you connected Claude with the Viewer role, Claude can only read. The client's role can therefore only narrow what you could already do yourself; it can never widen it, and a client attached to a Viewer stays read-only no matter which role the client was assigned.
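The two rules above (hierarchy expansion and the OAuth intersection) are small enough to model end to end. The following is an added example written for this page, not Dalea's own code: the inventory chain MANAGE_INVENTORY_STRUCTURE → EDIT_INVENTORY → VIEW_INVENTORY is taken from the text, while the document and comment permission names, the mapping of the built-in roles onto permission sets, and the function names are assumptions made for illustration.

```python
"""Toy model of role evaluation: permission sets, hierarchy expansion,
custom roles, and the user ∩ OAuth-client intersection. Illustrative only."""
from __future__ import annotations

# Assumed hierarchy: each key implies every permission in its value, transitively.
# Only the inventory chain comes from the page; the rest is invented for the example.
IMPLIES: dict[str, set[str]] = {
    "MANAGE_INVENTORY_STRUCTURE": {"EDIT_INVENTORY"},
    "EDIT_INVENTORY": {"VIEW_INVENTORY"},
    "EDIT_DOCUMENTS": {"VIEW_DOCUMENTS"},
    "POST_COMMENTS": {"VIEW_DOCUMENTS"},
}

ALL_PERMISSIONS: set[str] = set(IMPLIES) | {p for ws in IMPLIES.values() for p in ws}


def expand(granted: set[str]) -> set[str]:
    """Close a granted set under IMPLIES: add every weaker permission reachable
    from what was granted. Never adds a stronger permission, so the result is a
    superset of `granted` that is still bounded by its strongest member."""
    effective = set(granted)
    stack = list(granted)
    while stack:
        perm = stack.pop()
        for weaker in IMPLIES.get(perm, ()):
            if weaker not in effective:
                effective.add(weaker)
                stack.append(weaker)
    return effective


# Built-in roles as *granted* sets; effective sets are computed by expand().
# This mapping is an assumption based on the role descriptions above.
ROLES: dict[str, set[str]] = {
    "Owner": set(ALL_PERMISSIONS),
    "Data Engineer": {"MANAGE_INVENTORY_STRUCTURE", "EDIT_DOCUMENTS", "POST_COMMENTS"},
    "Editor": {"EDIT_INVENTORY", "EDIT_DOCUMENTS", "POST_COMMENTS"},
    "Commenter": {"POST_COMMENTS", "VIEW_INVENTORY"},
    "Viewer": {"VIEW_INVENTORY", "VIEW_DOCUMENTS"},
}


def define_custom_role(name: str, granted: set[str]) -> set[str]:
    """Register a custom role with an arbitrary granted set; returns its
    effective (expanded) permissions so the caller can see what was implied."""
    unknown = granted - ALL_PERMISSIONS
    if unknown:
        raise ValueError(f"unknown permissions: {sorted(unknown)}")
    ROLES[name] = set(granted)
    return expand(ROLES[name])


def can(role: str, permission: str) -> bool:
    """Direct (non-OAuth) check for a user holding `role` in a workspace."""
    return permission in expand(ROLES[role])


def effective_for_client(user_role: str, client_role: str) -> set[str]:
    """Effective permissions when an OAuth client acts for a user: the
    intersection of both expanded sets. Intersecting two closed sets yields a
    closed set, so the result is itself hierarchy-consistent."""
    return expand(ROLES[user_role]) & expand(ROLES[client_role])


def client_can(user_role: str, client_role: str, permission: str) -> bool:
    return permission in effective_for_client(user_role, client_role)


if __name__ == "__main__":
    print(sorted(expand({"MANAGE_INVENTORY_STRUCTURE"})))
    print(sorted(define_custom_role("Inventory Clerk", {"EDIT_INVENTORY"})))
    print(sorted(effective_for_client("Owner", "Viewer")))
    print(client_can("Viewer", "Data Engineer", "EDIT_INVENTORY"))
```

Two properties worth checking in a real implementation are visible here: `expand` is applied to both sides before intersecting, so a client can never be used to reach a permission the user lacks in either direction (Owner with a Viewer client reads only; Viewer with a Data Engineer client still reads only), and the expanded set of any custom role is bounded by the strongest permission it was granted.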

What about platform admins?

Platform-level administration (cross-org visibility, audit health monitoring) is handled exclusively by Dalea's own operations team. Customers — including enterprise tenants — never see or manage other organisations.
