Members and Roles
ArchNGN uses three levels of role-based access: administrative roles, user roles, and read-only roles.
Administrative roles control platform-wide access. User roles and read-only roles control what you can do within a specific workspace. Account Admins have implicit Admin access to all workspaces.
Permissions Reference
Section titled “Permissions Reference”| Feature | Account Admin | Account User | Account Viewer |
|---|---|---|---|
| Manage account settings | Yes | No | No |
| Manage users & roles | Yes | No | No |
| Create, edit, delete workspaces | Yes | No | No |
| Import & export workspaces | Yes | No | No |
| Create, edit, delete objects & associations | Yes | Yes | No |
| Create, edit, delete integrations | Yes | Yes | No |
| Run automations | Yes | Yes | No |
| View jobs | Yes | Yes | No |
| View usage | Yes | Yes | No |
| View registry, explorer, reports, metamodel | Yes | Yes | Yes |
| View the audit log | Yes | No | No |
Object and association management requires the Workspace Admin role within the specific workspace, or Account Admin access.
How Permissions Work
Section titled “How Permissions Work”Under the hood, every action maps to a capability (for example workspace:write, connector:write, job:run, audit:read), and each role grants a set of capabilities. The built-in roles are cumulative: everything a Viewer can do, a User can do; everything a User can do, an Admin can do. The application checks capabilities, not role names, on every request and hides UI controls you don’t have the capability for.
Accounts can also define custom roles: a named set of capabilities tailored to your organisation (for example, a “Connector Operator” who can manage connectors but not members). Custom roles are scoped to your account and never visible to other tenants. Contact support@archngn.com if you need a custom role configured.