Manage permissions and custom roles

  • Updated

Administrators can assign a predefined role or create and assign custom roles. After you invite a user to the platform, set their permissions by assigning them a user role.

Change user permissions

Admins of a instance can manage the permissions of others by going to Settings > Users & Teams. Change a user’s role by selecting a role from the drop-down menu to the right of the name.


Manage standard roles

Go to Settings > Users & Teams> Roles to view the Role Management table.


Standard roles are predefined in the Content Marketing Platform (CMP) and reflect the team members who are typically involved in the marketing campaign and content execution process. Standard roles come with permissions that you cannot change.

  • Admin – Can access everything and can view and modify all tasks. Admins can also manage users, teams, workflows, and other organization settings.
  • Creators – Can access the entire platform, except administrative settings. Can create and contribute to campaigns and tasks.
  • Collaborators – Can access work that is assigned to them, or if work has a shared campaign or task; cannot create campaigns or tasks.
  • Guest – Can only submit requests and view the requests module. Within the requests module, can manage their submitted requests and view where requests are in the queue.
  • Library View-Only – Can access (view, search and download assets) the library module only.

Manage custom roles

Custom roles let admins meet specific requirements or support edge cases (such as Freelancer or Agency).

To create a custom role:

  1. Go to the Roles tab and click Create Role.
  2. Enter the name of the new role, an existing role to base its permissions on, and a short description of the role. The description displays when you hover over the role name and in the Users tab, o provide context when assigning the role to a user.
  3. Click Create. The new role displays in the first column of the table with the initial configuration of permissions equivalent to the role you selected. Use the table to adjust these permissions.
  4. Click Save.

When you creating a custom role, you can set permission levels by:

  • turning a module on/off for a custom roles
  • defining the level access the role has if a module is turned on

Open the options menu (...) in a Role column heading and select one of the following:

  • Edit Name & Description – Enter the name and optional description for the role.


  • Edit Permissions – Turning a view ON lets a user in this role to collaborate on existing work within that module. For example, if you choose to turn Campaigns off for a specific custom role, anyone assigned that role cannot see Campaigns in their navigation bar but they still can collaborate on campaigns they have access to. You can turn on or off the following main views. You can customize some views further, such as showing View Dashboard, but not View Home.
    • Dashboard
    • Idea Lab
    • Marketplace
    • Calendar
    • Campaigns
    • Tasks & Pitch Manager
    • Library
    • Analytics
    • Requests


    If you have turned ON a specific view for a custom role, you also need to define the level of access to that view that the custom role has.

    • When you turn on a view for a custom role, the user can collaborate on work within that view.
    • You can grant Creator privileges to create new objects (such as campaigns or tasks) within that view.
    • You can grant admin privileges to a custom role providing Admin or Budget access.
  • Delete Role – Permanently removes a role from the table.

    A role must not be in use before you can delete it. Transfer users from that role to another role before deleting the role.

Share a campaign

You can share only campaigns with other users. To share a campaign with another user:

  1. Click Share next to the members of the campaign.
  2. Enter the name of the person or team you want to share the campaign with. You can provide them with Can Edit, Can View or Can Comment access.


  3. Click Share to add them to the campaign.

Create default campaign sharing

With Default Campaign Sharing, administrators can define which teams or individuals are automatically granted access to created campaigns, and with what level of access (Edit, View, or Comment).

To set your Default Campaign Sharing setting:

  1. Go to Settings > Organization > Default Campaign Sharing and click +.
  2. Enter the name of the team or user you want to add to your setting. You can also choose whether to give them Edit, View, or Comment access.


  3. After you added your teams or users, click Add to save the selection. When a campaign is created, the teams and users defined here are automatically granted access with the appropriate access level.

Inherit campaign and task actions

Users who are granted edit, comment or view access to a campaign are granted the same to associated sub-campaigns and tasks in that campaign.

Share and watch tasks

Individual users or teams can share tasks. You can add watchers to your task to keep stakeholders informed about a task's progress.

You can share individual tasks without campaign access, giving users View, Comment, or Edit access to the specific task. This lets task owners manage task access, ensuring each user, agency or marketing partner has access to only the activities that are relevant to their work, and keep the rest of the campaign, sub-campaigns or other tasks private.


Share confirmations

Users can share a campaign, task or event by @mentioning a user in a comment. If you mention someone who does not have access to the task or asset, you are prompted to share with view, comment, or edit access upon posting the comment by clicking Comment or Reply.

When a user is @mentioned in a comment on a campaign, task or event they did not have access to previously, they are granted Comment access.

Request access

If you try to access a campaign but do not have permissions, click Request Access.


This lets marketers manage user permissions without needing to go to the Settings page.

Create a sub-campaign with inheritance turned on

If the campaign creator chooses to inherit permissions from a parent campaign, users that are granted edit, comment or view access to the parent campaign automatically are granted the same access level to the newly created sub-campaign. You cannot downgrade or remove the sub-campaign if it is being inherited from the parent campaign.

To create a sub-campaign with inheritance turned on (the default), ensure Inherit permissions from parent campaign is selected.


Create a sub-campaign with inheritance turned off

If a sub-campaign is created and the checkbox above is not selected, the sub-campaign is created and shared with the default teams or users selected in the Default Campaign Sharing settings.

Task inheritance

Users who are granted edit, comment or view access to a campaign are granted edit, comment or view access to the tasks within that campaign

Workflow actions

You can grant a user access to a task through assigning a step in a workflow. Assigning a user (no matter their role) in a workflow, grants them access to that task if they do not already have access from the campaign.

For example, as a Creator, you want to give someone on your legal team approver ability. Assign this person as a Collaborator in the platform, and then assign them to the Approve step within a specific task.

Discern rigid versus flexible workflow permissions

When you grant users access to a task, you can grant them one of the following permission levels:

  • View-Only – Access to tasks lets you download content or attachments; you cannot edit, comment or upload attachments.
  • Comment – Access to tasks lets you have the same level of access as View-only, plus you can comment and upload attachments on the task.
  • Edit – Access, in a task that uses a rigid workflow, lets you edit the Brief, Title, Campaign, Metadata, or Step/Task Due Date, and so on, and share the task with others. In a task using a flexible workflow, with Edit access you can perform all actions, including changing step assignees, editing/approving/publishing content, and more.

The following table shows actions a user with View, Comment, or Edit access can take in a rigid versus a flexible workflow:

  Rigid WF Flexible WF


(Task Creator/ Assignee)


Change Task Title or Campaign No Yes Yes* *If you do not want step-assignees to do this, grant them Comment access to the task No Yes
Archive or Delete Task No Yes Yes* *If you do not want step-assignees to do this, grant them Comment access to the task No Yes
Change Step Assignee No Yes Yes* *Only for unassigned steps No Yes
Change Step Due Date No Yes Yes   No Yes
Undo Step Yes* Yes Yes* *Only if the last completed step is assigned to that user No Yes
Send Back Step Yes Yes Yes   No Yes
Skip Step N/A N/A N/A   No Yes
Add or Remove Steps or Step Description N/A N/A N/A   No Yes
Complete Step Yes* Yes Yes* *Only if assigned a step and it is the current step No Yes
Mark Actions Complete Yes* Yes Yes* *Only if assigned a step and it is the current step No Yes
Complete "Publish" & "Approve" Steps Yes* Yes Yes* *Only if assigned a step, it is the current step, and it has the Publish or Approve action.    
Comment Yes Yes Yes   Yes/No Yes
Upload/Remove Attachments No Yes     No Yes
Fields No Yes Yes   No Yes

*For a list of workflow actions, see the Optimizely Content Marketing Platform (CMP) Glossary.