Skip to main content
Access is where you control what each person can do. What someone can do is decided by the role they hold, and each role is a bundle of permissions. Menu: Access → Roles · Route: /admin/roles Menu: Workspace → Users · Route: /admin/users (super admins only)
Two different things

How the model works

  • A permission leaf is one granular ability, identified by a dotted id such as comerix.flows.publish or comerix.insights.reports.view.
  • A role collects many permission leaves under one name.
  • Each member holds a role per workspace, so the same person can have different roles in different workspaces.
Example roleGrantsGood for
Buildercomerix.flows.*People who design and publish flows
Analystcomerix.insights.*People who read reports and dashboards
System roles are global and ship with the platform; custom roles are created per workspace.
Super admins bypass workspace permission checks entirely. Grant this status sparingly.

Browse roles

  1. In the left sidebar, choose Access → Roles.
  2. The list opens at /admin/roles.
Each role shows whether it is a system or custom role, its member count, permission coverage (X of Y leaves granted), and a per-module breakdown. The metrics strip shows permissions in the catalog, total roles, custom roles, and members assigned.

Create a custom role

  1. On the Roles list, click New role.
  2. Enter a name (must be unique) and an optional description.
  3. Save. The role opens in the editor so you can grant permissions.

Grant permissions to a role

A role's permission tree.
  1. Open a role and select the Resources tab.
  2. Work through the permission tree — it nests from comerixcomerix.access → … down to individual leaves. Tick the boxes you want to grant.
  3. Use Select all / Clear all and Expand all / Collapse all to move quickly.
  4. The summary sidebar shows X of Y granted per module as you work.
  5. Click Save.
System roles are read-only (shown with a lock badge). To change what they grant, create a custom role instead.

Reassign a member

  1. Open a role and select the Users tab.
  2. You see every member who holds this role.
  3. To move a member, pick a different role for them, or remove them from this role.
You can only grant roles you yourself hold. This anti-escalation rule stops you from giving anyone more access than you have.

Platform user administration (super admin)

The cross-tenant User Administration console. /admin/users is the platform-wide User Administration console. Unlike the role-based screens above — which stay inside a single workspace — this console lists every user across all organizations and workspaces on the platform. The whole page is gated to super admins (ROLE_SUPER_ADMIN); the Users entry only appears in the Workspace section of the sidebar when you hold that status.
  1. In the left sidebar, choose Workspace → Users.
  2. The console opens at /admin/users.
The left scope rail lets you narrow the directory to all users, a single organization, or a single workspace. The toolbar adds a search box (name or email), a status filter (active / inactive), a role filter, and segment tabs (all, active, super admins, inactive). The metrics strip shows total users, active users, super admins, and inactive users for the current scope. Each row is shown once per user, anchored on the user’s home workspace, and lists their name, email, status, home role, and the workspaces they belong to.
Every action below is audit-logged against the target user. Identity records carry no row-level isolation, so this console is deliberately limited to super admins.

Create or edit a user

The user create / edit dialog.
  1. Click New user to open the create dialog, or the Edit (pencil) action on a row.
  2. Set the email (required and unique), an optional name, the interface locale, and the Active toggle.
  3. Choose a home workspace and a role for that workspace. You can pick a global system role or a role owned by the chosen workspace.
  4. Toggle Super admin to grant or revoke platform-wide super-admin status.
  5. Save.
When you create a user without a password, the platform emails them a password-reset link so they can set one themselves. If you type a password in the create dialog, it is used directly and no email is sent.
Editing the role on a user updates their role in the selected workspace only. A user can hold different roles in different workspaces.

Activate or deactivate

Use the per-row Activate / Deactivate toggle to change a user’s status.
Deactivation is a hard login boundary: a deactivated account cannot sign in, and cannot be impersonated either. This is enforced centrally by ActiveUserChecker, which rejects authentication for any inactive account on every firewall. You cannot deactivate your own account.
Use the per-row Reset password action to email the user a fresh password-reset link. This never reveals or sets a password directly — the user sets their own from the emailed link.

Impersonate a user

The impersonate confirmation dialog. Impersonation lets you sign in as another user to reproduce or support an issue, scoped to that user’s workspace context.
  1. Click the Impersonate (eye) action on a row and confirm.
  2. The platform switches your session to the target user using Symfony’s switch_user mechanism.
  3. While impersonating, a persistent banner at the top of every page reads “Impersonating … — you are viewing the app as this user.” with an Exit impersonation link that returns you to your own account.
You cannot impersonate another super admin, a deactivated user, or yourself. Both the start and the exit of an impersonation session are written to the platform audit log.

Bulk actions

Select rows with the checkboxes, then apply a single action to all of them at once: activate, deactivate, delete, or assign a role in a chosen workspace. Skipped rows (for example, your own account, or the last remaining super admin) are reported back to you.

Deleting a user

Deleting a user is a GDPR-style anonymizing erasure, not a physical row delete: it drops all the user’s workspace memberships, revokes every role, deactivates the account, and scrubs the identity. The record itself is retained so the append-only audit log stays intact. The platform refuses to delete your own account or the last super admin.

Permissions

ActionPermission
View the workspace user directorycomerix.access.users.view
Assign roles & manage workspace memberscomerix.access.users.manage
View rolescomerix.access.roles.view
Create, edit & delete rolescomerix.access.roles.manage
Platform user administration is super-admin onlyThe cross-tenant User Administration console at /admin/users is not governed by these permission leaves. Every action on it requires platform super-admin status (ROLE_SUPER_ADMIN), and impersonation additionally requires the switch_user privilege, which is restricted to super admins. Super admins bypass workspace permission checks entirely — grant the status sparingly.