Roles & Permissions

Overview

This page explains how roles map to permissions in Plexo. Permissions fall into two categories: system-level permissions (organization-wide) and context permissions (portfolio/project). System permissions always take precedence; when a user has a system role that grants a permission, it applies across all portfolios and projects. Without a system role, access is scoped to the specific portfolios/projects where the user is assigned as a leader or member.

Users without any system role cannot browse all projects. They only gain permissions within the projects where they are explicitly assigned as a Project Leader or Project Member. The same applies to portfolios for Portfolio Leaders.

System Roles

The following summarizes system-level capabilities:

ORGANIZATION_ADMIN

  • Manage organization and organization users
  • Manage organization calendar
  • Manage subscription and billing
  • Create/Manage/Delete portfolios
  • Create/Manage/Delete projects
  • View portfolios and projects (all)
  • Read organization overview, resource plans, and project overview

MANAGER

  • Manage organization calendar
  • Create/Manage/Delete portfolios
  • Create/Manage/Delete projects
  • View portfolios and projects (all)
  • Read resource plans and project overview

USER

  • View portfolios and projects (read-only at system level)

When you have no system role

Users without any system role cannot browse all portfolios/projects in the organization. Permissions only apply within contexts the user belongs to.

  • Projects: You can only see and access projects where you are assigned as a Project Leader or Project Member.
  • Portfolios: You can manage a portfolio only when you are assigned as its Portfolio Leader.
  • WBS/Tasks: You can view and edit only within your projects. Other projects are not visible or are restricted.

If you need organization-wide capabilities, request a system role such as ORGANIZATION_ADMIN or MANAGER, or be invited as a leader/member to the specific resource.

Portfolio Context

Portfolio permissions apply to users who are assigned as PORTFOLIO_LEADER for a specific portfolio. They do not grant global access beyond that portfolio.

  • Manage portfolio (settings, leader, contained projects)
  • Manage portfolio leader
  • Manage portfolio projects

System roles (ORGANIZATION_ADMIN, MANAGER) can manage any portfolio regardless of leader assignment.

Project Context

Project permissions apply to users who are assigned as PROJECT_LEADER or PROJECT_MEMBER for a given project.

PROJECT_LEADER

  • Manage project (overall settings)
  • Manage project leader
  • Manage schedule
  • Manage members and member attributes
  • Auto-start project
  • View WBS and Work Status
  • Write WBS

PROJECT_MEMBER

  • Auto-start project
  • View WBS and Work Status
  • Write WBS

System roles (ORGANIZATION_ADMIN, MANAGER) can manage any project regardless of project role.

WBS & Task Permissions

WBS

  • View WBS: ORGANIZATION_ADMIN, MANAGER, USER, PROJECT_LEADER, PROJECT_MEMBER
  • Write WBS: ORGANIZATION_ADMIN, MANAGER, PROJECT_LEADER, PROJECT_MEMBER

Tasks

Task permissions are evaluated on the frontend (context-based):

  • Add task / Modify task attributes: MANAGER, PROJECT_LEADER, PROJECT_MEMBER
  • Delete task: MANAGER, PROJECT_LEADER, PROJECT_MEMBER (only when project is PLANNED)
  • Modify original estimation (planned): MANAGER, PROJECT_LEADER, PROJECT_MEMBER
  • Modify original estimation (started): MANAGER, PROJECT_LEADER
  • Modify other users' curEst/elapsed: MANAGER, PROJECT_LEADER
  • Modify due date / assignee: MANAGER, PROJECT_LEADER, PROJECT_MEMBER

Precedence

  • System permissions are evaluated first (organization-wide).
  • If no system permission applies, context permissions (portfolio/project) are applied.
  • Without a system role and without portfolio/project assignment, users cannot access those resources.
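
One way to express the precedence rules above together with the Tasks list as a single deny-by-default check. This is an added example, not Plexo's own code: the action names, the "STARTED" status string, the User class and the can() function are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

ALL3 = {"MANAGER", "PROJECT_LEADER", "PROJECT_MEMBER"}
LEAD = {"MANAGER", "PROJECT_LEADER"}

# (action, project status) -> roles, exactly as listed under "Tasks".
# Action names and the "STARTED" status string are assumptions; a status of
# None means the page states no status condition for that action.
# ORGANIZATION_ADMIN is not named in that list, so this table does not grant it.
TASK_RULES = {
    ("task.add_or_modify", None): ALL3,
    ("task.delete", "PLANNED"): ALL3,
    ("task.original_estimate", "PLANNED"): ALL3,
    ("task.original_estimate", "STARTED"): LEAD,
    ("task.others_effort", None): LEAD,
    ("task.due_or_assignee", None): ALL3,
}

@dataclass
class User:
    system_role: Optional[str] = None                   # ORGANIZATION_ADMIN / MANAGER / USER
    project_roles: dict = field(default_factory=dict)   # project id -> context role

def can(user, action, project_id, status):
    """Return (allowed, reason) for a task action in one project."""
    allowed = TASK_RULES.get((action, status)) or TASK_RULES.get((action, None))
    if allowed is None:
        return False, "no rule for this action/status"   # deny by default
    if user.system_role in allowed:                      # 1. system permission first
        return True, "system:" + user.system_role
    context_role = user.project_roles.get(project_id)    # 2. then project context
    if context_role in allowed:
        return True, "context:" + context_role
    return False, "no system or context grant"           # 3. neither: no access

# Constructed sample users and project ids.
member = User(project_roles={"p1": "PROJECT_MEMBER"})
manager = User(system_role="MANAGER")
viewer_leading_p1 = User(system_role="USER", project_roles={"p1": "PROJECT_LEADER"})

if __name__ == "__main__":
    for who, args in [(member, ("task.add_or_modify", "p1", "STARTED")),
                      (member, ("task.add_or_modify", "p2", "STARTED")),
                      (member, ("task.delete", "p1", "STARTED")),
                      (member, ("task.original_estimate", "p1", "STARTED")),
                      (manager, ("task.original_estimate", "p9", "STARTED")),
                      (viewer_leading_p1, ("task.others_effort", "p1", "PLANNED"))]:
        print(args, "->", can(who, *args))
```

The returned reason records which layer granted or refused the request, which makes it usable as an audit log field.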