Members, roles & groups
How base roles, member groups, and scoped permissions control access across your organization.
Access in Votare comes from three layers working together: a base role that sets someone's overall level of control, member groups that scope which voting, events, and reports they touch, and scoped role assignments that grant one specific capability without making someone an admin. This guide explains each layer and how to combine them.
Base roles#
Every member has exactly one base role:
| Role | What they can do |
|---|---|
| Owner | Full control, including deleting the organization. Holds owner-only permissions no one else can be granted. |
| Admin | Manage members, manage settings, and use most features. |
| Member | The default role. Participates in the features you enable. |
Most people should stay as members. Reserve admin for people who genuinely need to manage settings and other members, and grant everything else through scoped assignments (below) so you don't over-provision access.
Member groups and tags#
Member groups are named collections such as Dev, Design, or PM. A single user can belong to several groups at once, and groups aren't just labels — they scope real behavior:
- Weekly MVP voting is per group — each group votes among its own members.
- Events are scoped to groups — only members of a group can RSVP to or be selected for that group's events.
- Report visibility can be limited to specific groups.
Set groups up to mirror how your team actually splits its work. Because voting and events key off group membership, keeping groups accurate is what keeps those features pointed at the right people.
Scoped role assignments#
Scoped role assignments grant a single capability without promoting someone to admin. Each assignment can be given to an individual user or to an entire group (so, for example, everyone in the PM group can author reports), and unless noted they apply at the organization level.
| Permission | Also known as | Grants | Notes |
|---|---|---|---|
report:author | — | Create monthly reports | Assign to your reporting leads or a whole group. |
planner:edit | Resource coordinator | Edit Planner allocations | Without it, members can only view the Planner. |
timetracker:view | — | Use the Time Tracker | Required to record and see time. |
events:manage | Event organizer | Create and manage events without org-wide admin | Can be granted org-wide, or scoped to a single event. |
mvp:view-history | — | View MVP leaderboards and history | Read access to past results. |
mvp:view-audit-trail | — | See which voter picked which candidate | Owner only. Cannot be granted to anyone else. |
Notes on specific permissions#
- Resource coordinator (
planner:edit) — this is the difference between someone who can shuffle allocations and someone who can only look. Grant it to the people who own capacity planning. - Event organizer (
events:manage) — grant it org-wide to a standing events team, or attach it to a single event so a person can run just that one without touching anything else. - MVP audit trail (
mvp:view-audit-trail) — deliberately restricted to the owner. The ordinary MVP history permission shows results and leaderboards; only the audit trail reveals who voted for whom, and that stays with the owner. See Audit logs, email logs & security.
Invitations#
Bring people in from Settings → Members using either method:
Email invitations#
- Sent to a specific address.
- Expire 30 days after sending.
- Can be resent at any time.
- Track a status of pending, accepted, or expired.
Invite codes#
- Share a code or link for self-service joining.
- Configure an expiry and a maximum number of uses.
For a step-by-step onboarding walkthrough, see Getting started as an admin.
What gets audited#
Changes to who's in the organization and what they can do are recorded in the audit log, including:
- Role changes — when someone's base role is changed.
- Member removals — when someone is removed from the organization.
You can review these entries, with actor and timestamp, in Settings. See Audit logs, email logs & security for how to filter and interpret the log.
Putting it together#
A common setup looks like this:
- Owner — you (or a small number of trusted people).
- Admins — one or two people who help manage settings and members.
- Members — everyone else, sorted into Dev / Design / PM groups.
- Scoped grants — give the PM group
report:author, give your planning leadplanner:edit(resource coordinator), and attachevents:manageto whoever is running the next event.
This keeps admin access tight while still letting the right people do the specific things they need.