Roles & Permissions
WeCheck uses a Role-Based Access Control (RBAC) model to ensure that team members only have access to the capabilities their function requires. This page is the canonical reference for all roles, their permissions, and how to manage them.
For a high-level overview of how roles relate to Workspaces, see Workspaces & Permissions.
The Four Roles
| Role | Scope | Best For |
|---|---|---|
| Org Admin | Organization-wide | IT Managers, CFOs, Security Officers |
| Workspace Admin | Single workspace | Investigative Leads, Team Managers |
| Analyst / Member | Single workspace | Recruiters, Researchers, Compliance Analysts |
| Viewer | Single workspace | Stakeholders, Legal Review, Audit |
Full Capability Matrix
| Capability | Org Admin | Workspace Admin | Analyst | Viewer |
|---|---|---|---|---|
| Create & launch scans | ✓ | ✓ | ✓ | — |
| View scan results & reports | ✓ | ✓ | ✓ | ✓ |
| Export reports | ✓ | ✓ | ✓ | — |
| Delete scans | ✓ | ✓ | — | — |
| Manage workspace members | ✓ | ✓ | — | — |
| Create & revoke API keys | ✓ | ✓ | — | — |
| Manage workspace settings | ✓ | ✓ | — | — |
| Set workspace credit thresholds | ✓ | — | — | — |
| Create & delete workspaces | ✓ | — | — | — |
| Manage organization billing | ✓ | — | — | — |
| Invite members to organization | ✓ | — | — | — |
| View organization-wide audit log | ✓ | — | — | — |
Inviting Members
Members must be explicitly invited by email — there is no open registration. Only Org Admins can invite members at the organization level. Workspace Admins can invite members directly into their workspace.
To invite a member:
- Navigate to Settings → Members (org level) or Workspace → Members
- Enter the member's email address
- Select their role from the dropdown
- Click Send Invite
The invitee receives an email with a secure link to accept. Until accepted, the invite appears as Pending and can be revoked at any time.
Changing a Member's Role
Role changes take effect immediately. Only Org Admins and Workspace Admins can change roles, and only within their scope (a Workspace Admin cannot promote someone to Org Admin).
To change a role:
- Navigate to Settings → Members
- Find the member in the list
- Click the role dropdown next to their name
- Select the new role
Downgrading a role (e.g., Analyst → Viewer) does not affect existing scans or reports the member created — it only restricts future actions.
Revoking Access
Removing from a workspace: A Workspace Admin or Org Admin can remove a member from a specific workspace. The member retains their organization account but loses access to that workspace's scans and reports.
Removing from the organization: An Org Admin can fully deactivate a member's account. All scans and reports created by the member remain in the workspace and are accessible to other authorized team members — no data is lost.
Immediate effect: Access revocation takes effect instantly. Active sessions are terminated within minutes.
API Keys & Role Scope
API keys are scoped to a workspace and are managed by Workspace Admins and Org Admins. Keys inherit the permissions of the workspace they belong to — a key cannot perform actions its managing role couldn't perform manually.
- Keys should be rotated regularly
- Revoke a key immediately if a team member with access to it leaves the organization
- Never share keys across workspaces — create a separate key per workspace per integration
Security Recommendations
- Principle of Least Privilege — Default to Viewer for anyone who only needs to read results. Only escalate to Analyst when scan creation is genuinely required.
- Enforced SSO — Enterprise customers should enable Single Sign-On (SSO) to centralize authentication and enforce MFA through their identity provider.
- Regular access reviews — Audit your member list quarterly. Remove members who have changed roles, left the organization, or no longer need access.
- Separate workspaces per team — Isolate HR, Legal, and Compliance teams in separate workspaces to limit cross-team data visibility. See Workspaces & Permissions.
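The least-privilege and quarterly access review recommendations above can be checked mechanically against the Full Capability Matrix. The following is an added example, not WeCheck code: the capability identifiers, the member list and the activity records are constructed, and it assumes you can obtain per-member activity for a single workspace over the review period.

```python
# Added example. Role names and groupings follow the capability matrix on this
# page; capability identifiers and all sample data below are constructed.
GRANTS = {  # capabilities each role adds over the role below it
    "Viewer": ["view_results"],
    "Analyst": ["create_scan", "export_report"],
    "Workspace Admin": ["delete_scan", "manage_members", "manage_api_keys",
                        "manage_settings"],
    "Org Admin": ["set_credit_thresholds", "manage_workspaces", "manage_billing",
                  "invite_to_org", "view_org_audit_log"],
}
ROLES = list(GRANTS)  # ordered least to most privileged
MIN_ROLE = {cap: role for role, caps in GRANTS.items() for cap in caps}

def rank(role):
    return ROLES.index(role)

def minimal_role(used):
    """Least-privileged role that covers every capability in `used`."""
    unknown = set(used) - MIN_ROLE.keys()
    if unknown:  # fail closed on anything the matrix does not define
        raise ValueError(f"unknown capability: {sorted(unknown)}")
    return max((MIN_ROLE[c] for c in used), key=rank, default="Viewer")

def review(members, activity):
    """Return (member, current_role, finding) for each entry needing attention."""
    findings = []
    for name, role in sorted(members.items()):
        used = activity.get(name, set())
        needed = minimal_role(used)
        if not used:
            findings.append((name, role, "no activity: confirm access is still needed"))
        elif rank(needed) < rank(role):
            findings.append((name, role, f"downgrade to {needed}"))
        elif rank(needed) > rank(role):  # e.g. recorded before a role downgrade
            findings.append((name, role, "activity exceeds current role: check role history"))
    return findings

# Constructed sample data for one workspace and one review period.
MEMBERS = {"alice": "Org Admin", "bob": "Analyst", "carol": "Workspace Admin",
           "dave": "Viewer", "erin": "Analyst"}
ACTIVITY = {"alice": {"manage_billing", "view_results"}, "bob": {"view_results"},
            "carol": {"create_scan", "export_report"}, "erin": {"delete_scan"}}

if __name__ == "__main__":
    for finding in review(MEMBERS, ACTIVITY):
        print(*finding, sep=" | ")
```

Treat the output as input to a human review: an admin who used no admin capability during the period may still be the designated admin for that workspace.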